Bug 15679

Summary: wget with amazon.com fails with TLS handshake failure on Debian 12
Product: Busybox Reporter: Michal P <pem3v78>
Component: Networking Assignee: unassigned
Status: NEW ---    
Severity: blocker CC: busybox-cvs
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:

Description Michal P 2023-07-04 09:38:30 UTC
This is what I get on master, 1.36.0 and 1.36.1 versions:

./busybox wget https://amazon.com
Connecting to amazon.com (54.239.28.85:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

This happens for me only in Debian 12. The issue is wider because the official busybox docker image was recently switched to Bookworm - https://github.com/docker-library/busybox/commit/41d9ed130671540340a1064689c9ea72d7b376fe.

There are two possible fixes:

1) downgrade to older Debian distribution
2) revert commit with compiler optimization

git revert -n 7fbfb2050f24a457a909ea6bcec85c49a21db83a

After the revert, the above communication works without issues.

I'm unable to find the root cause of this issue. Maybe gcc is at fault here?
Comment 1 Michal P 2023-07-04 09:39:27 UTC
This happens when openssl is uninstalled and the internal busybox TLS implementation is used.
Comment 2 Ron Yorston 2024-03-03 16:02:03 UTC
The problem seems to be with the x86_64 assembly language code for sp_256_sub_8_p256_mod() in networking/tls_sp_c32.c. If I use the C code instead, wget works.

Unfortunately I don't speak x86_64 assembly language, so I've no idea what the real problem is.