After a system update yesterday, I get a lot of connection errors on https sites and ssh.
It works on some sites (https://bbs.archlinux.org, Wikipedia, Google...) but mostly it fails (e.g. https://www.github.com)
I can not try with VPN since the VPN connection also fails
I've tried Chromium (79.0.3945.117) and Firefox (72.0.1)
I've reinstalled ca-certificates, ca-certificates-utils and ca-certificates-mozilla
DNS seems to work:
$ getent hosts github.com
140.82.118.4 github.com
Ping does not work:
$ ping 140.82.118.4
ping: connect: Network is unreachable
Time and date are set correctly
$ timedatectl status
Local time: Do 2020-01-09 16:19:56 CET
Universal time: Do 2020-01-09 15:19:56 UTC
RTC time: Do 2020-01-09 15:19:56
Time zone: Europe/Zurich (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
The curl output for a working connection is:
$ curl -v https://bbs.archlinux.org/ >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 2a01:4f8:c2c:b1cf::1:443...
* TCP_NODELAY set
* Connected to bbs.archlinux.org (2a01:4f8:c2c:b1cf::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2821 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=bbs.archlinux.org
* start date: Dec 4 21:03:45 2019 GMT
* expire date: Mar 3 21:03:45 2020 GMT
* subjectAltName: host "bbs.archlinux.org" matched cert's "bbs.archlinux.org"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55f5a8e34810)
} [5 bytes data]
> GET / HTTP/2
> Host: bbs.archlinux.org
> user-agent: curl/7.67.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 200
< server: nginx/1.16.1
< date: Thu, 09 Jan 2020 14:58:12 GMT
< content-type: text/html; charset=utf-8
< x-powered-by: PHP/7.4.1
< expires: Thu, 21 Jul 1977 07:30:00 GMT
< last-modified: Thu, 09 Jan 2020 14:58:12 GMT
< cache-control: post-check=0, pre-check=0
< pragma: no-cache
< x-frame-options: deny
< strict-transport-security: max-age=31536000; includeSubdomains; preload
<
{ [7936 bytes data]
100 23097 0 23097 0 0 81904 0 --:--:-- --:--:-- --:--:-- 81904
* Connection #0 to host bbs.archlinux.org left intact
and for a not working one:
$ curl -v https://github.com >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 140.82.118.3:443...
* TCP_NODELAY set
* Immediate connect fail for 140.82.118.3: Network is unreachable
* Closing connection 0
curl: (7) Couldn't connect to server
System info:
Operating System: Arch Linux
KDE Plasma Version: 5.17.5
KDE Frameworks Version: 5.65.0
Qt Version: 5.14.0
Kernel Version: 5.4.8-arch1-1
OS Type: 64-bit
Please help me as this limits me significantly (especially to solve this problem myself :)
Last edited by mr-wombat (2020-01-11 06:24:03)
Offline
* Connected to bbs.archlinux.org (2a01:4f8:c2c:b1cf::1) port 443 (#0)
* Immediate connect fail for 140.82.118.3: Network is unreachable
Please help me as this limits me significantly (especially to solve this problem myself :)
So, you can connect to ipv6 sites but not ipv4 sites. edit: TLS doesn't come into this.
Do your network interfaces have ipv4 address?
ip addr
Do you have ipv4 routes?
ip route
Last edited by sabroad (2020-01-10 11:54:26)
--
saint_abroad
Offline
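The distinction drawn in the reply above (a connect-level failure on IPv4, with TLS never reached) can be read mechanically from `curl -v` output. This is an added example, not part of any post in the thread; the function name `classify_curl_trace`, the stage labels and the third trace (`host.example`, 192.0.2.10) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report how far a `curl -v` trace got,
# so a routing failure is not mistaken for a TLS or certificate problem.
# Reads the trace on stdin, prints "<stage> <family>".
classify_curl_trace() {
  awk '
    function fam(a) { return (a ~ /^[0-9]+(\.[0-9]+)+$/) ? "ipv4" : "ipv6" }
    / Connected to .*\(/ {              # TCP connect succeeded
      a = $0; sub(/\).*$/, "", a); sub(/^.*\(/, "", a)
      family = fam(a); connected = 1
    }
    /connect fail for / {               # connect() failed before any TLS byte
      a = $0; sub(/^.*connect fail for /, "", a); sub(/: .*$/, "", a)
      family = fam(a)
      stage = ($0 ~ /Network is unreachable/) ? "no-route" : "connect-failed"
    }
    /SSL connection using/      { tls = 1 }
    /SSL certificate verify ok/ { verified = 1 }
    /SSL certificate problem/   { cert_bad = 1 }
    END {
      if (cert_bad)         stage = "cert-rejected"
      else if (verified)    stage = "tls-verified"
      else if (tls)         stage = "tls-unverified"
      else if (connected)   stage = "tls-incomplete"
      else if (stage == "") stage = "unknown"
      print stage, (family == "" ? "unknown" : family)
    }'
}

# Excerpts of the two traces posted in the thread.
TRACE_OK='* Connected to bbs.archlinux.org (2a01:4f8:c2c:b1cf::1) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* SSL certificate verify ok.'
TRACE_FAIL='* Trying 140.82.118.3:443...
* Immediate connect fail for 140.82.118.3: Network is unreachable'
# Constructed trace (not from the thread): what a real certificate failure looks like.
TRACE_CERT='* Connected to host.example (192.0.2.10) port 443 (#0)
curl: (60) SSL certificate problem: unable to get local issuer certificate'

for t in "$TRACE_OK" "$TRACE_FAIL" "$TRACE_CERT"; do
  printf '%s\n' "$t" | classify_curl_trace
done
```

A `no-route` result points at addressing and routing (`ip addr`, `ip route`), whereas only `cert-rejected` would justify looking at the CA bundle.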
I can not try with VPN since the VPN connection also fails
Does NordVPN sound familiar?
--
saint_abroad
Offline
Are you using NetworkManager to actually connect? It has a regression in its internal DHCP client, try switching that if you are using it: https://wiki.archlinux.org/index.php/Ne … HCP_client
Offline
Thank you sabroad,
Do your network interfaces have ipv4 address?
no, only ipv6 as I can tell:
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether c8:5b:76:d1:5d:0d brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:28:f8:26:30:bd brd ff:ff:ff:ff:ff:ff
inet6 2003:f3:3c9:14bf:bc66:bc58:99eb:ba61/64 scope global dynamic noprefixroute
valid_lft 604784sec preferred_lft 86384sec
inet6 fe80::2145:4662:a904:7097/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Do you have ipv4 routes?
No
I just figured out that browsing these websites works when I connect to a hotspot from my smartphone so this is probably an issue with my network
Last edited by mr-wombat (2020-01-10 15:11:59)
Offline
Update of network manager solved the problem. Thank you!
Offline