Hey guys! I’m pretty new to Arch. I’ve installed the base system, and now I’m trying to proxy my browser through SSH using ssh -D 2222 root@address -f -N.
However, Firefox doesn’t trust certificates in this setup. I’ve already installed ca-certificates, ca-certificates-utils, and ca-certificates-mozilla, but nothing changed.
My other laptop running Debian doesn't have this issue via the same connection.
Which certificate and which page are you trying to access? Can't you access port 2222 without https?
Port is accessible, but no site is available.
I'm lacking context. What are you trying to achieve with this port forwarding?
I am trying to forward all my traffic (explicitly in the browser) through a VPS. As I said, I use it on Debian without any trouble. The issue is not the connection itself; as I understand it, the problem is with the certificates.
I guess OP tries to abuse ssh as a SOCKS proxy.
> I guess OP tries to abuse ssh as a SOCKS proxy.
Yes, it clearly says so in the man page. Without the "abuse" word, btw.
ssh -D just gives you a SOCKS proxy; it does not touch TLS in any way...
Firefox still validates certificates directly with the destination, same as without ssh.
So, are you using SOCKS v5 in Firefox? Did you enable "Proxy DNS when using SOCKS v5"? Is your system time correct? What exact error does Firefox show (SEC_ERROR_*?)
Also try: does it work without the proxy? Does it work with curl using the same SOCKS proxy?
Edit:
typo
Last edited by 5hridhyan (Today 18:38:44)
Just tried it (out of academic interest) and it works without certificate errors.
> ssh -D just gives you a SOCKS proxy; it does not touch TLS in any way...
> Firefox still validates certificates directly with the destination, same as without ssh.
> So, are you using SOCKS v5 in Firefox? Did you enable "Proxy DNS when using SOCKS v5"? Is your system time correct? What exact error does Firefox show (SEC_ERROR_*?)
> Also try: does it work without the proxy? Does it work with curl using the same SOCKS proxy?
SOCKS v5 enabled, "Proxy DNS when using SOCKS v5" enabled, system time correct.
Firefox error:
Secure Connection Failed
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
What can you do about it?
The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
curl: same issue.
curl --socks5 localhost:2222 https://example.com -v
* Host localhost:2222 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:2222...
* Host example.com:443 was resolved.
* IPv6: 2606:4700::6812:1b78, 2606:4700::6812:1a78
* IPv4: 104.18.27.120, 104.18.26.120
* Opened SOCKS connection from ::1 port 54914 to example.com port 443 (via ::1 port 2222)
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=example.com
* start date: Apr 2 21:18:57 2026 GMT
* expire date: Jul 1 21:24:46 2026 GMT
* issuer: C=US; O="CLOUDFLARE, INC."; CN=Cloudflare TLS Issuing ECC CA 1
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* subjectAltName: "example.com" matches cert's "example.com"
* OpenSSL verify result: 14
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
* closing connection #0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Good, curl reproducing it confirms this is not a Firefox-specific issue.
Does this also fail *without* the proxy?
Because ssh -D does not affect TLS at all, so if it fails without the proxy as well, the issue is entirely local (trust store / crypto config).
Also, you're negotiating X25519MLKEM768, which is a post-quantum hybrid key exchange; I guess Debian likely isn't using that yet..
Try forcing a more standard handshake like
curl --tls-max 1.2 https://example.com -v
and also check your CA bundle:
ls -lh /etc/ssl/certs/ca-certificates.crt
> Good, curl reproducing it confirms this is not a Firefox-specific issue.
> Does this also fail *without* the proxy?
> Because ssh -D does not affect TLS at all, so if it fails without the proxy as well, the issue is entirely local (trust store / crypto config).
> Also, you're negotiating X25519MLKEM768, which is a post-quantum hybrid key exchange; I guess Debian likely isn't using that yet..
> Try forcing a more standard handshake like
> curl --tls-max 1.2 https://example.com -v
> and also check your CA bundle:
> ls -lh /etc/ssl/certs/ca-certificates.crt
curl --tls-max 1.2 https://example.com -v
* Host example.com:443 was resolved.
* IPv6: 2606:4700::6812:1a78, 2606:4700::6812:1b78
* IPv4: 104.18.27.120, 104.18.26.120
* Trying [2606:4700::6812:1a78]:443...
* Immediate connect fail for 2606:4700::6812:1a78: Network is unreachable
* Trying 104.18.27.120:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=example.com
* start date: Apr 2 21:18:57 2026 GMT
* expire date: Jul 1 21:24:46 2026 GMT
* issuer: C=US; O="CLOUDFLARE, INC."; CN=Cloudflare TLS Issuing ECC CA 1
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* subjectAltName: "example.com" matches cert's "example.com"
* OpenSSL verify result: 14
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
* closing connection #0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
ls -lh /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 Jun 18 2024 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
At the same time, if I curl github, everything is OK:
Server certificate:
* subject: CN=github.com
* start date: Mar 6 00:00:00 2026 GMT
* expire date: Jun 3 23:59:59 2026 GMT
* issuer: C=GB; O=Sectigo Limited; CN=Sectigo Public Server Authentication CA DV E36
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* subjectAltName: "github.com" matches cert's "github.com"
* OpenSSL verify result: 0
* SSL certificate verified via OpenSSL.
* Established connection to github.com (140.82.121.4 port 443) from *edited* port 46722
Last edited by a11eyezonme (Today 18:13:57)
Hmm, so your trust store is not completely broken, but missing a specific chain (Cloudflare / its root).
Can you please make sure the bundle is actually extracted properly, then verify the bundle is non-empty and updated?
Also check if the Cloudflare chain can be built manually:
openssl s_client -connect example.com:443 -showcerts
If the issuer chain is present there but not trusted locally, then I guess it's definitely a trust store issue...
Edit:
Please use [code] tags (https://bbs.archlinux.org/help.php#bbcode), and also please edit your post in this regard.
Last edited by 5hridhyan (Today 18:48:45)
> Hmm, so your trust store is not completely broken, but missing a specific chain (Cloudflare / its root).
> Can you please make sure the bundle is actually extracted properly, then verify the bundle is non-empty and updated?
> Also check if the Cloudflare chain can be built manually:
> openssl s_client -connect example.com:443 -showcerts
> If the issuer chain is present there but not trusted locally, then I guess it's definitely a trust store issue...
> Edit:
> Please use [code] tags (https://bbs.archlinux.org/help.php#bbcode), and also please edit your post in this regard.
openssl s_client -connect example.com:443 -showcerts
Connecting to 104.18.26.120
CONNECTED(00000003)
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=example.com
verify return:1
---
Certificate chain
0 s:CN=example.com
i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Apr 2 21:18:57 2026 GMT; NotAfter: Jul 1 21:24:46 2026 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 31 17:17:49 2023 GMT; NotAfter: Oct 28 17:17:48 2033 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=example.com
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 4113 bytes and written 1622 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 03B2CBB07581955484180C507DEB1AD35AF8796707C184BAD405908B8C1FB0CE
Session-ID-ctx:
Resumption PSK: F55C6C8E5F716A7B9C44D11194E3AD1401B7A231A5547E29DA99B21AD6E920789471E6E2FFAC665C5D6C202336FF8739
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
0000 - 6b ce a3 1b 77 69 76 79-d7 86 81 64 ae 16 4e 44 k...wivy...d..ND
0010 - ff 77 34 8a 19 fa 11 8a-64 59 b0 ba a7 92 97 fb .w4.....dY......
0020 - 82 a8 1c 07 20 56 c9 47-a8 98 b8 cb 3f e9 4f 89 .... V.G....?.O.
0030 - 02 61 16 42 ed 2d 00 f4-98 f6 1a 7b ba 94 23 88 .a.B.-.....{..#.
0040 - 1f 5d 82 a3 84 9a 7d 8f-2a 4f b0 a6 df 26 3e e0 .]....}.*O...&>.
0050 - 9c 1f 63 3b 48 2d e2 63-82 de 70 2d 9d 66 6b fb ..c;H-.c..p-.fk.
0060 - a4 d1 a5 2e fe 0a ac 8e-72 15 68 eb 6c 9e d3 40 ........r.h.l..@
0070 - 65 e7 da 19 eb 9f 1f 16-bb c7 9b 27 a8 bb e3 28 e..........'...(
0080 - 9f 87 32 89 9d 6c 52 cb-d0 e9 fb 6a 68 3f 8f 3f ..2..lR....jh?.?
0090 - 70 90 ff dd c8 80 f7 a8-11 06 32 4f d6 a7 61 d8 p.........2O..a.
00a0 - b9 82 6a 6d eb 3d 2d 95-4d f1 3b 0b 6e 12 6d d8 ..jm.=-.M.;.n.m.
00b0 - f5 fc 41 33 98 c2 96 3d-db 43 a2 ed 6e a3 e5 1a ..A3...=.C..n...
Start Time: 1775760497
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A964A8499C1BA72C716B6C06A6C98279E76D6CFD85D74BD374A5AF0DCF3F8018
Session-ID-ctx:
Resumption PSK: D209C23978AF6E53163267E479203CF1D7FBB865B313DF0706D6B8A1F3D16EDE8B6E2094D1F80BF6B53018968BBEFBCA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
0000 - 6b ce a3 1b 77 69 76 79-d7 86 81 64 ae 16 4e 44 k...wivy...d..ND
0010 - ef 7f 13 04 c1 0b 8d 56-df 3a 90 b4 64 10 54 7d .......V.:..d.T}
0020 - 00 79 8f 55 14 71 42 d0-e4 67 f2 75 c2 bb 0c 03 .y.U.qB..g.u....
0030 - 1d 80 c0 ff 48 33 2f 6a-f1 fb 86 2a e4 fb d1 93 ....H3/j...*....
0040 - 5e 7c 4d 22 39 c7 42 24-c7 45 5d 1d eb e2 09 2f ^|M"9.B$.E]..../
0050 - 5a 10 b8 29 ec 12 3a a4-2a bf 11 e6 11 ee 54 ae Z..)..:.*.....T.
0060 - 0d c6 d8 37 8f f9 b9 93-10 65 ac f4 c0 8b 9c 4d ...7.....e.....M
0070 - 42 4b e2 54 26 17 05 3f-92 61 e5 53 a7 e9 ad 57 BK.T&..?.a.S...W
0080 - 09 4b 47 6f 08 52 89 86-78 dc af 17 51 95 22 fc .KGo.R..x...Q.".
0090 - c2 69 27 22 ca 54 fa 27-44 a9 5e ad 3a a3 f3 c2 .i'".T.'D.^.:...
00a0 - 16 44 3d 7d 16 31 7c 74-6d 12 42 67 dc a8 36 4d .D=}.1|tm.Bg..6M
00b0 - d5 3f 8d f5 24 16 d8 6f-a8 b4 03 ee e5 9d bb 5c .?..$..o.......\
Start Time: 1775760497
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
> Hmm, so your trust store is not completely broken, but missing a specific chain (Cloudflare / its root).
> Can you please make sure the bundle is actually extracted properly, then verify the bundle is non-empty and updated?
> Also check if the Cloudflare chain can be built manually:
> openssl s_client -connect example.com:443 -showcerts
> If the issuer chain is present there but not trusted locally, then I guess it's definitely a trust store issue...
> Edit:
> Please use [code] tags (https://bbs.archlinux.org/help.php#bbcode), and also please edit your post in this regard.
Thanks for replying, but how can I check the bundle?
To check:
ls -lh /etc/ca-certificates/extracted/tls-ca-bundle.pem
To extract:
trust extract-compat
Last edited by 5hridhyan (Today 19:08:10)
> To check:
> ls -lh /etc/ca-certificates/extracted/tls-ca-bundle.pem
> To extract:
> trust extract-compat
No errors if I run it with sudo.
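Reading the `openssl s_client -showcerts` output posted above by hand tells you which root the chain needs (error 20 at depth 2 means the issuer of the last certificate the server sent, "AAA Certificate Services", was not found locally); the bundle check that follows tells you whether the extracted bundle actually contains it. As an added example (not code from the thread, from Arch, or from p11-kit), this Python script does both mechanically using only the standard library. The embedded sample input is constructed from the chain lines posted in the thread with the PEM bodies omitted; the function names, the bundle-path argument, and the "last presented certificate" heuristic in `diagnose` are my own assumptions.

```python
"""Diagnose 'unable to get local issuer certificate' (OpenSSL error 20) from
saved `openssl s_client -showcerts` output, then look for the needed root in a
local CA bundle.  Added example; not code from the thread or any project."""
import re
import ssl
import sys

# Constructed sample: the depth/verify lines and chain summary posted in the
# thread, with the PEM bodies left out.
SAMPLE_S_CLIENT = """\
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=example.com
verify return:1
---
Certificate chain
 0 s:CN=example.com
   i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
 1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
   i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
 2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# " N s:<subject>" followed by "   i:<issuer>" inside the "Certificate chain" block.
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
# "depth=N <name>" immediately followed by "verify error:num=NN:<message>".
ERR_RE = re.compile(r"^depth=(\d+) .*\nverify error:num=(\d+):(.*)$", re.MULTILINE)


def parse_chain(text):
    """Presented chain as [(depth, subject, issuer), ...], leaf (depth 0) first."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(text)]


def parse_verify_error(text):
    """(depth, error number, message) of the first verify error, or None if clean."""
    m = ERR_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), m.group(3).strip()) if m else None


def cn_of(name):
    """CN attribute of an OpenSSL one-line distinguished name."""
    m = re.search(r"CN=([^,]+)", name)
    return m.group(1).strip() if m else name


def diagnose(text):
    """Say what the local trust store would need for verification to succeed.

    Error 20 at depth N means OpenSSL found no issuer for the certificate at
    depth N, neither among the certificates the server sent nor in the trust
    store.  Heuristic (my assumption): if N is the last certificate the server
    sent, the missing piece is that certificate's issuer, i.e. a root the client
    must already trust; if N is lower, the server's own chain does not link up.
    """
    chain = parse_chain(text)
    err = parse_verify_error(text)
    if err is None:
        return {"status": "verified", "missing": None}
    depth, num, msg = err
    if num != 20:
        return {"status": "other-error", "missing": None, "error": f"{num}: {msg}"}
    if not chain:
        return {"status": "no-chain-in-output", "missing": None}
    top = max(d for d, _, _ in chain)
    issuer = next((i for d, _, i in chain if d == depth), None)
    if issuer is None:
        return {"status": "depth-not-in-chain", "missing": None}
    return {
        "status": "missing-anchor" if depth == top else "broken-server-chain",
        "missing": issuer,
        "missing_cn": cn_of(issuer),
        "chain_length": len(chain),
    }


def bundle_subjects(bundle_path):
    """Subject CN -> notAfter for every CA certificate in a PEM bundle.

    Uses the stdlib ssl module's parsed view of the loaded store, so it needs a
    real bundle file (e.g. the tls-ca-bundle.pem discussed above) and is not
    exercised offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    subjects = {}
    for cert in ctx.get_ca_certs():
        rdns = dict(kv for rdn in cert["subject"] for kv in rdn)
        subjects[rdns.get("commonName", "?")] = cert.get("notAfter")
    return subjects


def anchor_in_bundle(bundle_path, cn):
    """True if a CA certificate with this CN is present in the bundle."""
    return cn in bundle_subjects(bundle_path)


if __name__ == "__main__":
    # Usage: python3 diag.py [saved_s_client_output] [ca_bundle.pem]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_S_CLIENT
    result = diagnose(text)
    print(result)
    cn = result.get("missing_cn")
    if len(sys.argv) > 2 and cn:
        present = anchor_in_bundle(sys.argv[2], cn)
        print(f"{cn!r} {'present in' if present else 'MISSING from'} {sys.argv[2]}")
```

With no arguments the script analyses the embedded sample and reports "missing-anchor" with CN "AAA Certificate Services"; pass the saved s_client output and the bundle path (on Arch, /etc/ca-certificates/extracted/tls-ca-bundle.pem) to check whether that root is actually in the extracted bundle. If it is absent while the system's other chains verify, the extracted bundle is stale or incomplete, which is the case that regenerating it with trust extract-compat addresses; if it is present and verification still fails, the problem lies elsewhere (for instance a different bundle path being used by the client).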
Can you
curl -vL -4 https://google.com > /dev/null
Do the chromium-based browsers allow you to reach example.com?
What real-life domains fail for lack of a local issuer certificate?
@5hridhyan what's your output for
curl -vL -4 https://example.com > /dev/null
> Can you
> curl -vL -4 https://google.com > /dev/null
> Do the chromium-based browsers allow you to reach example.com?
> What real-life domains fail for lack of a local issuer certificate?
> @5hridhyan what's your output for
> curl -vL -4 https://example.com > /dev/null
curl -vL -4 https://google.com > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 0
* Host google.com:443 was resolved.
* IPv6: (none)
* IPv4: 172.217.20.46
* Trying 172.217.20.46:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1554 bytes data]
* SSL Trust Anchors:
* CAfile: /etc/ssl/certs/ca-certificates.crt
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [1210 bytes data]
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [6344 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.google.com
* start date: Mar 16 08:36:32 2026 GMT
* expire date: Jun 8 08:36:31 2026 GMT
* issuer: C=US; O=Google Trust Services; CN=WR2
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* subjectAltName: "google.com" matches cert's "google.com"
* OpenSSL verify result: 0
* SSL certificate verified via OpenSSL.
* Established connection to google.com (172.217.20.46 port 443) from *edited* port 44342
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://google.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.19.0]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET / HTTP/2
> Host: google.com
> User-Agent: curl/8.19.0
> Accept: */*
>
* Request completely sent off
} [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [283 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [283 bytes data]
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-fpS99qy-GP3-s2349xw51g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Thu, 09 Apr 2026 19:13:42 GMT
< expires: Sat, 09 May 2026 19:13:42 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
* Ignoring the response-body
* setting size while ignoring
<
{ [5 bytes data]
100 220 100 220 0 0 512 0 0
* Connection #0 to host google.com:443 left intact
* Issue another request to this URL: 'https://www.google.com/'
0 0 0 0 0 0 0 0 0
* Host www.google.com:443 was resolved.
* IPv6: (none)
* IPv4: 142.251.151.119, 142.251.155.119, 142.251.157.119, 142.251.153.119, 142.251.150.119, 142.251.152.119, 142.251.156.119, 142.251.154.119
* Trying 142.251.151.119:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1558 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [1210 bytes data]
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3813 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=www.google.com
* start date: Mar 16 08:39:57 2026 GMT
* expire date: Jun 8 08:39:56 2026 GMT
* issuer: C=US; O=Google Trust Services; CN=WR2
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* subjectAltName: "www.google.com" matches cert's "www.google.com"
* OpenSSL verify result: 0
* SSL certificate verified via OpenSSL.
* Established connection to www.google.com (142.251.151.119 port 443) from *edited* port 47212
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.google.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.19.0]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET / HTTP/2
> Host: www.google.com
> User-Agent: curl/8.19.0
> Accept: */*
>
* Request completely sent off
} [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [283 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [283 bytes data]
< HTTP/2 200
< date: Thu, 09 Apr 2026 19:13:43 GMT
< expires: -1
< cache-control: private, max-age=0
< content-type: text/html; charset=ISO-8859-1
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-KU4zyWRe_5jKUQNp465OcQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< accept-ch: Sec-CH-Prefers-Color-Scheme
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: __Secure-STRP=AEEP7gIHjQidbFWWiShPhzuBvYEM5oZfgqw4iHoBwW6o535Dym5r58hn7d6CamI7-aualx5ULXiX6BHDoF9GyaxlWCmHGzV2ASM8; expires=Thu, 09-Apr-2026 19:18:43 GMT; path=/; domain=.google.com; Secure; SameSite=strict
< set-cookie: AEC=AaJma5tQ4jHV5Uzk5Mg-1CFWolDiKhTBJ6fLOazZoHAQCL7-YqIBCUltYjg; expires=Tue, 06-Oct-2026 19:13:43 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< set-cookie: NID=530=DCqPz5FkKnvcA5RFKdsGlLaAwA5EwIMBAhVh_SgyQYWlelPShfZ7wuf5GF7jEwu64n0-FIxDeOv29RgTrGgMGsCLhvIspXh1kAjh0tUgaGBaCABzC4kcQ_9SwQqJNYqizSC7nJrtNoBSs3E21Zahd99mFS3iRjt8q6y0WKZdiMVrG0hbkDbgGrzaCsGK1EOKrKZsnawuCTkumcxyhf8SF15VeOKpOfOXDA; expires=Fri, 09-Oct-2026 19:13:43 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< accept-ranges: none
< vary: Accept-Encoding
<
{ [5 bytes data]
100 81405 0 81405 0 0 72308 0 00:01 0
* Connection #1 to host www.google.com:443 left intact
Last edited by a11eyezonme (Today 19:16:05)
It wasn't supposed to print errors btw; anyway, great, now run curl with `--socks5 localhost:2222`, also with `-v`.
Edit:
Missed recent replies, will re-write this post accordingly, or better ignore this for now.
@seth will post the output of curl -vL -4 https://example.com > /dev/null tomorrow, it's getting late here, I need to allow/modify my firewall...
Last edited by 5hridhyan (Today 19:18:07)
> Can you
> curl -vL -4 https://google.com > /dev/null
> Do the chromium-based browsers allow you to reach example.com?
> What real-life domains fail for lack of a local issuer certificate?
> @5hridhyan what's your output for
> curl -vL -4 https://example.com > /dev/null
Even in Firefox I can reach https://example.com/ without issues.
Please use [code][/code] tags.
Edit your posts in this regard (you'll see why).
> Even in Firefox I can reach https://example.com/ without issues.
So for now the problem is limited to curl & https://example.com?
What real-life domains fail for lack of a local issuer certificate?