
#1 2020-03-22 05:59:48

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Many SSL Errors - Unable to solve

I believe there is some fundamental issue with encryption on my Arch install. I'm getting the following errors when trying to update using yay and the AUR:

fatal: unable to access 'https://aur.archlinux.org/nerd-fonts-complete.git/': error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid

curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0

It seems to center around curl, and some of the research I've done implicates the multi-threading module within Python, but I'm at loss to solve it. I do have other issues with connecting to web sites where they won't load.

Some things I've tried:
1) I've tried a chroot reinstall of the nss package as well.
2) Switching between ethernet and Wi-Fi connections in case it's a hardware issue.
3) Ensuring the microcode is enabled.

Any ideas? Thanks!


#2 2020-03-22 06:22:15

awshidahak
Member
Registered: 2020-03-21
Posts: 3

Re: Many SSL Errors - Unable to solve

Is the time set correctly on your computer? I find that sometimes I run into trouble with SSL when I've got the time set wrong.


#3 2020-03-22 06:24:45

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Re: Many SSL Errors - Unable to solve

That reminds me, I did spend some time getting the clock to synchronize. The hardware clock was off by a couple of seconds, and I did go through the trouble of getting the hardware clock synced up through NTP.


#4 2020-03-22 07:56:57

seth
Member
Registered: 2012-09-03
Posts: 18,808

Re: Many SSL Errors - Unable to solve

Output of

curl -v https://www.google.com > /dev/null
# and
curl -v 'https://aur.archlinux.org/nerd-fonts-complete.git/'  > /dev/null
# and
pacman -Qkk openssl

?

Any chances of a VPN or firewall etc.? (Though it seems the installation iso doesn't show this problem on the same system?)


------------------

EDIT, cross-linking
https://bbs.archlinux.org/viewtopic.php?id=253854

Last edited by seth (2020-03-22 14:20:55)


#5 2020-03-22 14:35:39

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Re: Many SSL Errors - Unable to solve

Ok.

curl -v https://www.google.com > /dev/null

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2607:f8b0:4007:80e::2004:443...
* Connected to www.google.com (2607:f8b0:4007:80e::2004) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2339 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
*  start date: Mar  3 09:45:52 2020 GMT
*  expire date: May 26 09:45:52 2020 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5571304368b0)
} [5 bytes data]
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.69.1
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [264 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200 
< date: Sun, 22 Mar 2020 14:25:24 GMT
< expires: -1
< cache-control: private, max-age=0
< content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: 1P_JAR=2020-03-22-14; expires=Tue, 21-Apr-2020 14:25:24 GMT; path=/; domain=.google.com; Secure
< set-cookie: NID=200=sKXNZVdIlO4t_lXC3Hg_T1cRld2nlAC6AaKbcVeSKyaJRmDjyb0IPgXGelNQCEDomMGki-0Z0c1cvhbDDGI6oGiS7KB8c68L_91SdrDeO8W5viGzxSViFZ_o3tOkoJkGSu6ZVhccy51IpQ7ZD4OMzrncN84jGNLVZkmwxImTk7g; expires=Mon, 21-Sep-2020 14:25:24 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
< accept-ranges: none
< vary: Accept-Encoding
< 
{ [5 bytes data]
100 12745    0 12745    0     0  70414      0 --:--:-- --:--:-- --:--:-- 70414
* Connection #0 to host www.google.com left intact

I changed the second curl command to the file that it was choking on:

curl -vL 'https://github.com/ryanoasis/nerd-fonts/archive/v2.1.0.tar.gz' > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.30.255.112:443...
* Connected to github.com (192.30.255.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3090 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  8 00:00:00 2018 GMT
*  expire date: Jun  3 12:00:00 2020 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /ryanoasis/nerd-fonts/archive/v2.1.0.tar.gz HTTP/1.1
> Host: github.com
> User-Agent: curl/7.69.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< date: Sun, 22 Mar 2020 14:26:53 GMT
< content-type: text/html; charset=utf-8
< server: GitHub.com
< status: 302 Found
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
< location: https://codeload.github.com/ryanoasis/nerd-fonts/tar.gz/v2.1.0
< cache-control: max-age=0, private
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
{ [5 bytes data]
< content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
< Age: 0
< Set-Cookie: _gh_sess=nR8wg1urQAcoMQPVVytKCQUzlW2315NuKjubIShdocUYvkmounAz6UXn3HIcFfEP8405Y28RsZ%2BHoGtpGtmkpyITeAoOJOXWwt7kFoC1A%2BFSm6xqLx7%2FydCbyy9wxoMowkkZpdZr3g3%2Fu21Btxsy94rFttPwGRkBDeYpk7rIFho%2BHLd3MvJ6O96pIEmmh0OmgYCXtPR9beHzFSws7rCaY3AM4zfgC6eTJsWxLeWY0j12nJGb%2FNa5nSlKOnJxPbE4GFqi81dFkhSmmLz14TM%2BCQ%3D%3D--XoJ%2BO8SiUxDiV9c%2F--9ytcFhnWY69OaoOJazgTew%3D%3D; Path=/; HttpOnly; Secure
< Set-Cookie: _octo=GH1.1.141097630.1584887213; Path=/; Domain=github.com; Expires=Mon, 22 Mar 2021 14:26:53 GMT; Secure
< Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 22 Mar 2021 14:26:53 GMT; HttpOnly; Secure
< Content-Length: 128
< X-GitHub-Request-Id: 25E3:0130:89921B:B89528:5E7775AD
< 
* Ignoring the response-body
{ [128 bytes data]
100   128  100   128    0     0    372      0 --:--:-- --:--:-- --:--:--   372
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://codeload.github.com/ryanoasis/nerd-fonts/tar.gz/v2.1.0'
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.30.255.121:443...
* Connected to codeload.github.com (192.30.255.121) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2856 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Jul  8 00:00:00 2019 GMT
*  expire date: Jul 16 12:00:00 2020 GMT
*  subjectAltName: host "codeload.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /ryanoasis/nerd-fonts/tar.gz/v2.1.0 HTTP/1.1
> Host: codeload.github.com
> User-Agent: curl/7.69.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://render.githubusercontent.com
< Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< Strict-Transport-Security: max-age=31536000
< Vary: Authorization,Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< ETag: W/"7be3f5f192a6711f2aa8eca54b138cdc96221fb167c4490466784e0b44263491"
< Content-Type: application/x-gzip
< Content-Disposition: attachment; filename=nerd-fonts-2.1.0.tar.gz
< X-Geo-Block-List:
< Date: Sun, 22 Mar 2020 14:26:54 GMT
< X-Varnish: 132949497
< Age: 0
< Via: 1.1 varnish (Varnish/6.0)
< X-Cache: HFM
< X-Cache-Hits: 0
< Accept-Ranges: bytes
< Transfer-Encoding: chunked
< X-GitHub-Request-Id: 041D:7E09:054B:8F66:5E7775AE
< 
{ [605 bytes data]
100 1975M    0 1975M    0     0  7820k      0 --:--:--  0:04:18 --:--:-- 10.0M* TLSv1.3 (OUT), TLS alert, bad record mac (532):
} [2 bytes data]
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
100 1977M    0 1977M    0     0  7823k      0 --:--:--  0:04:18 --:--:-- 10.1M
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0

Finally

pacman -Qkk openssl

openssl: 4107 total files, 0 altered files

I'll try the command from the Installation ISO as well in the meantime.


#6 2020-03-22 14:39:16

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 25,090

Re: Many SSL Errors - Unable to solve

nickchitwood, could you try downgrading to openssl 1.1.1.d-2 to see if your errors are from the same update as mine?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#7 2020-03-22 14:49:18

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Re: Many SSL Errors - Unable to solve


#8 2020-03-22 14:51:02

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Re: Many SSL Errors - Unable to solve

I did try the connection a few different ways on my Lenovo T480:
1) Built-in Ethernet
2) Built-in Wifi
3) Via Verizon Mi-Fi
It's not something in my Physical Networking layer, as the Mi-Fi helps to rule that out.


#9 2020-03-22 15:16:51

seth
Member
Registered: 2012-09-03
Posts: 18,808

Re: Many SSL Errors - Unable to solve

https://bbs.archlinux.org/viewtopic.php?id=228581 was NIC related (and dated), so an unlikely related cause.
Can you please follow comment #6 so we can determine whether it's the same thing?

If you repeat the bad curl, do the errors happen on the same offset?


#10 2020-03-22 15:22:03

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Re: Many SSL Errors - Unable to solve

A few things:
1) I downgraded, and was unable to resolve the error.
2) The errors occur with different offsets. A few runs:

{ [591 bytes data]
  5 2298M    5  125M    0     0  35.4M      0  0:01:04  0:00:03  0:01:01 41.8M
* TLSv1.3 (OUT), TLS alert, bad record mac (532):
} [2 bytes data]
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
  6 2298M    6  139M    0     0  35.9M      0  0:01:03  0:00:03  0:01:00 41.8M
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
{ [591 bytes data]
* TLSv1.3 (OUT), TLS alert, bad record mac (532):
} [2 bytes data]
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
100  997k    0  997k    0     0   738k      0 --:--:--  0:00:01 --:--:-- 1423k
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0

3) I was able to replicate the error from within a VirtualBox VM on an Arch Install ISO, both with bridged and NAT networking.

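As an added example (not code posted by anyone in this thread), the following Python script does mechanically what seth's question in #9 asks: it parses several saved `curl -v` transcripts of the same download, takes the bytes-received column of curl's progress meter as the approximate point at which the "bad record mac" alert fired, and reports whether the failures cluster at one offset or scatter. The sample transcripts are constructed from lines quoted earlier in this thread; the function names, the 2% tolerance and the size parsing are my choices, not anything curl or OpenSSL provides. A failure at the same offset on every run points at something deterministic in the bytes being served or read, while scattered offsets, as in #10, point at nondeterministic corruption somewhere between the server and OpenSSL's record layer.

```python
"""Compare the offsets at which several curl runs hit 'bad record mac'.

Added example, not code from this thread. It only reads saved 'curl -v'
transcripts, so it runs offline. Offsets come from curl's progress meter,
which rounds to about four significant digits, so treat them as approximate.
"""
from __future__ import annotations

import re
from typing import Optional

# Progress meter row: "%Total Total %Received Received ...", sizes with k/M/G.
# The row may be fused with the next "* ..." line, so no end anchor is used.
_PROGRESS_RE = re.compile(r"^\s*(\d+)\s+([\d.]+[kMG]?)\s+(\d+)\s+([\d.]+[kMG]?)\s")
_CURL_ERR_RE = re.compile(r"^curl: \((\d+)\) ")
_OPENSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^,\n]+)")
_BAD_MAC_ALERT = "TLS alert, bad record mac"
_UNITS = {"": 1, "k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # curl's meter is 1024-based


def parse_size(token: str) -> int:
    """Turn a meter size such as '125M' or '997k' into (approximate) bytes."""
    m = re.fullmatch(r"([\d.]+)([kMG]?)", token)
    if not m:
        raise ValueError(f"not a curl size: {token!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def openssl_errors(transcript: str) -> list[tuple[str, str, str, str]]:
    """Distinct OpenSSL errors as (code, library, function, reason), in order seen."""
    found: list[tuple[str, str, str, str]] = []
    for m in _OPENSSL_RE.finditer(transcript):
        entry = (m.group(1).upper(), m.group(2), m.group(3), m.group(4).strip())
        if entry not in found:
            found.append(entry)
    return found


def failure_offset(transcript: str) -> Optional[int]:
    """Largest byte count the meter reached in a run that died; None if it succeeded.

    The meter is monotonic, so its maximum is the best estimate of how far the
    body got before OpenSSL rejected a record.
    """
    failed = False
    received = 0
    for line in transcript.splitlines():
        m = _PROGRESS_RE.match(line)
        if m:
            received = max(received, parse_size(m.group(4)))
        if _BAD_MAC_ALERT in line or _CURL_ERR_RE.match(line):
            failed = True
    return received if failed else None


def classify(offsets: list[int], tolerance: float = 0.02) -> str:
    """'same offset' when every failure lies within `tolerance` of the first one."""
    if not offsets:
        return "no failures"
    ref = offsets[0]
    if all(abs(o - ref) <= tolerance * max(ref, 1) for o in offsets):
        return "same offset"
    return "varying offsets"


def summarize(transcripts: list[str]) -> dict:
    """Offsets, verdict and OpenSSL error codes across runs of the same download."""
    offsets = [o for o in (failure_offset(t) for t in transcripts) if o is not None]
    errors: list[tuple[str, str, str, str]] = []
    for t in transcripts:
        errors.extend(e for e in openssl_errors(t) if e not in errors)
    return {"runs": len(transcripts), "failed": len(offsets),
            "offsets": offsets, "verdict": classify(offsets), "errors": errors}


# Constructed samples, abridged from transcripts quoted in this thread.
RUN_OK = """\
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
100 12745    0 12745    0     0  70414      0 --:--:-- --:--:-- --:--:-- 70414
* Connection #0 to host www.google.com left intact
"""
RUN_A = """\
100 1975M    0 1975M    0     0  7820k      0 --:--:--  0:04:18 --:--:-- 10.0M* TLSv1.3 (OUT), TLS alert, bad record mac (532):
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
100 1977M    0 1977M    0     0  7823k      0 --:--:--  0:04:18 --:--:-- 10.1M
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
"""
RUN_B = """\
  5 2298M    5  125M    0     0  35.4M      0  0:01:04  0:00:03  0:01:01 41.8M
* TLSv1.3 (OUT), TLS alert, bad record mac (532):
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
  6 2298M    6  139M    0     0  35.9M      0  0:01:03  0:00:03  0:01:00 41.8M
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
"""
RUN_C = """\
* TLSv1.3 (OUT), TLS alert, bad record mac (532):
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
100  997k    0  997k    0     0   738k      0 --:--:--  0:00:01 --:--:-- 1423k
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
"""

if __name__ == "__main__":
    report = summarize([RUN_OK, RUN_A, RUN_B, RUN_C])
    print(f"{report['failed']} of {report['runs']} runs failed: {report['verdict']}")
    for off in report["offsets"]:
        print(f"  failed after ~{off / 2**20:.1f} MiB")
    for code, lib, func, reason in report["errors"]:
        print(f"  OpenSSL {code}: {lib} / {func}: {reason}")
```

Run it on real captures by saving each attempt with `curl -v ... 2>&1 > /dev/null | tee run-N.log` and passing the files' contents to `summarize`. For an exact offset rather than the meter's rounded figure, write the body to a file with `-o` and take the file size after the failure.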

#11 2020-03-22 21:28:34

seth
Member
Registered: 2012-09-03
Posts: 18,808

Re: Many SSL Errors - Unable to solve

Does it work on the LTS kernel?


#12 2020-03-22 23:37:00

nickchitwood
Member
Registered: 2020-03-04
Posts: 7

Re: Many SSL Errors - Unable to solve

I tried that this morning without success. Some possible good news, however. I downgraded both nss and openssl, but then re-upgraded to the most recent version. 

I've been able to successfully execute the curl of the file that is over 2GiB in size a few times now, so I think I'll temporarily call this one solved.

A question about the inner workings of pacman... If a file is corrupted in an install, does upgrading overwrite every file? Or just those that have changed? I wonder if downgrading far back enough was enough to trigger a file overwrite on the reupgrade.


#13 2020-03-22 23:52:43

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 25,090

Re: Many SSL Errors - Unable to solve

nickchitwood wrote:

does upgrading overwrite every file?

Yes. Or more specifically, it doesn't overwrite them, but in the single transaction, it removes the files belonging to the old package and copies over the new ones. But unless you forced a fresh download, the same pkg.tar.xz file in your cache would still be used again. So a corrupted package is unlikely.

nickchitwood wrote:

I wonder if downgrading far back enough was enough to trigger a file overwrite on the reupgrade.

More likely, you just didn't have a properly updated nss.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

