Issues with latest CA root certificate and SSL connections (possibly OpenSSL v3 related)

You can’t do that, they are not ABI compatible. And they can be installed side by side, so even if you install Openssl 1.1.1, everything (mostly, except a few very old packages) will still use openssl3. The migration to openssl3 was done for beta 5 and I don’t think there is a need to go back to older versions.

However, I see there was recently an update to openssl 3.5. I am surprised that your log mentions openssl3-3.0.14, since we moved to 3.0.15 back in December, then 3.0.16 in March, then 3.5.0 in April. So, if the working system is from December, you are comparing 4 months of changes; there are quite a lot of things that could have changed.

I’m not sure how I can apply your suggestion with the openssl client EOF option in combination with external tools - I need git etc. to work, it’s not my own script or application that fails.

Maybe by setting an openssl config file:

If the current OPENSSLDIR is read-only, you can define an env OPENSSL_CONF to point to a custom openssl config file, just to see if it works with the ignore-EOF option.

@PulkoMandy in my latest, problematic Haiku nightly hrev58831 from today, I do have openssl-3.5 installed:

> openssl version -d
OPENSSLDIR: "/packages/openssl3-3.5.0-2/.self/data/ssl"

EOF setting doesn’t seem to help @phoudoin but I’ll see if I can get some useful debug output with openssl connections.

So I was not quite right about the timeout - this only happens in WebPositive.
In the Terminal, with a git pull..., I do get more interesting errors:

fatal: unable to access 'https://github.com/Genio-The-Haiku-IDE/Genio.git/': TLS connect error: error:00000000:lib(0)::reason(0)

Then I did a simple certificate check with openssl and got this (after quite a while which seems to be a timeout):

> openssl s_client -connect www.github.com:443 -prexit
Connecting to 140.82.121.3
CONNECTED(00000003)
closed
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 0 bytes and written 1554 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 0 bytes and written 1554 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So something’s definitely off with my certificates. How can I ensure my setup is consistent?

From my working backup state (23.4.2025) I get this:

> openssl s_client -connect www.github.com:443 -prexit
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
verify return:1
depth=0 CN = github.com
verify return:1
---
Certificate chain
 0 s:CN = github.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Feb  5 00:00:00 2025 GMT; NotAfter: Feb  5 23:59:59 2026 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = github.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3482 bytes and written 384 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 9D420FFB0E51F5A03FE7D42C34631B91730CA391F81DC0E74AC8E93FD60B1851
    Session-ID-ctx: 
    Resumption PSK: CBFAED925D0E38E56FA74ABEA3C06C406A8AAD3D69CDFCD0818F1A041BE08D10
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 33 12 80 23 21 2f 95 56-c5 a2 41 7f bb f4 51 cc   3..#!/.V..A...Q.
    0010 - f0 a1 26 da 7c 2a 2d 10-f6 2d da f5 2c 34 f5 17   ..&.|*-..-..,4..

    Start Time: 1745863004
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 48573F27C7F4DA189D54BE019A77C07F3305CDB4AE4604C87027BA91DAE4205D
    Session-ID-ctx: 
    Resumption PSK: 72D4893500BB6EB3DCB0017D5F1B60F35B4A29992FCD1D106911AD9740C2837C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b7 85 9e 3f e9 5b 0f e7-21 3f 23 c4 2e 1e b7 e6   ...?.[..!?#.....
    0010 - 70 78 a1 ba fc a8 12 db-d8 98 30 d6 87 d7 b0 db   px........0.....

    Start Time: 1745863004
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
---
Certificate chain
 0 s:CN = github.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Feb  5 00:00:00 2025 GMT; NotAfter: Feb  5 23:59:59 2026 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = github.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3664 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Just tried to use the latest CA root certificate you pointed out @phoudoin in my non-working latest Haiku and got another interesting error:

~> openssl s_client -CAfile Downloads/cacert.pem -connect github.com:443
Connecting to 140.82.121.3
CONNECTED(00000003)
E001A24727000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:691:
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 0 bytes and written 1557 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

PS: probably unrelated, but I even managed to crash git during a push (!) twice now:

Haiku revision: hrev58829 Apr 23 2025 06:02:18 (x86_64)

Active Threads:
	thread 5638: pthread func 
	thread 5640: team 5637 debug task 
	thread 5637: git (main)
		state: Call (mutex was not actually locked!)

		Frame		IP			Function Name
		-----------------------------------------------
		00000000	0x8f0288d4b7	_kern_debugger + 0x7 
			Disassembly:
				_kern_debugger:
				0x0000008f0288d4b0:   48c7c0ec000000  mov $0xec, %rax
				0x0000008f0288d4b7:             0f05  syscall <--

		0x7f8f5a6ae5e0	0x8f0290a57e	__heap_after_fork_parent + 0x3e 
		0x7f8f5a6ae610	0x8f02901c18	fork + 0xf8 
		0x7f8f5a6ae710	0x4c5ce2fcd5	start_command + 0x3c5 
		0x7f8f5a6ae960	0x4c5ce33317	send_pack + 0x707 
		0x7f8f5a6af250	0x4c5ccc8ef6	cmd_send_pack + 0xa16 
		0x7f8f5a6af330	0x4c5cc12eff	/boot/system/lib/git-core/git + 0x61eff 
		0x7f8f5a6af450	0x4c5cc14018	/boot/system/lib/git-core/git + 0x63018 
		0x7f8f5a6af4b0	0x4c5cc14b31	cmd_main + 0xf1 
		0x7f8f5a6af510	0x4c5cc12baf	main + 0xcf 
		0x7f8f5a6af540	0x4c5cc12cf9	_start + 0x39 
		0x7f8f5a6af570	0x6d4734a383	runtime_loader + 0x113 
		00000000	0x7ffff8007258	commpage_thread_exit + 0 
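Added here as a worked example (not code from the thread, from Haiku or from OpenSSL): a small triage of the three s_client runs quoted above. Its point is that "Verify return code: 0 (ok)" printed next to "no peer certificate available" and "has read 0 bytes" means the peer closed the connection before any ServerHello arrived, so the trust store was never consulted and the CA file is not the layer to look at; the excerpts are constructed, abridged copies of the outputs above, and the function also handles the case the thread does not show, a non-zero verify code.

```python
import re

# Constructed, abridged excerpts of the three `openssl s_client` runs quoted
# in the thread; only the lines the triage looks at are kept (assumption).
FAILING_NIGHTLY = """\
CONNECTED(00000003)
no peer certificate available
SSL handshake has read 0 bytes and written 1554 bytes
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""
FAILING_WITH_CAFILE = """\
CONNECTED(00000003)
E001A24727000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:691:
no peer certificate available
SSL handshake has read 0 bytes and written 1557 bytes
Verify return code: 0 (ok)
"""
WORKING_BACKUP = """\
CONNECTED(00000003)
depth=2 C = US, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=0 CN = github.com
verify return:1
SSL handshake has read 3482 bytes and written 384 bytes
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 0 (ok)
"""

def triage(output: str) -> dict:
    """Classify one s_client run; the verdict names the layer to investigate."""
    m = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", output)
    read, written = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    c = re.search(r"Verify return code: (\d+)", output)
    code = int(c.group(1)) if c else None
    depth = max((int(d) for d in re.findall(r"^depth=(\d+)", output, re.M)), default=None)
    eof = "unexpected eof while reading" in output
    if "no peer certificate available" in output and read == 0:
        # Nothing came back, so the verify callback never ran: "0 (ok)" is the
        # untouched default, not evidence that a chain was validated.
        verdict = "transport: closed before ServerHello, trust store not consulted"
    elif code not in (None, 0):
        verdict = "trust: chain rejected, verify code %d" % code
    else:
        verdict = ("ok: handshake completed, chain depth %s verified" % depth
                   if "Cipher is (NONE)" not in output else "unknown")
    return {"read": read, "written": written, "verify_code": code, "eof_error": eof, "verdict": verdict}
```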

More on topic, another interesting observation (this is on hrev58841 now):

  • opening the SEN website works fine, but I cannot reach GitHub
  • both are served from github in the end, as SEN web site redirects to a static GitHub pages site.

So it definitely has something to do with the route and intermediaries, IP origin and whatever, which sometimes breaks my network connection and which worked fine before updating OpenSSL.

@PulkoMandy also saw this once with git, but it doesn’t seem to reproduce reliably. These mutexes should absolutely never be unlocked in this state, and I don’t know how they could be. Something strange may be going on with memory. The fact that the problem has only happened with git so far is interesting.
