Bug 15679 - wget with amazon.com fails with TLS handshake failure on Debian 12
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Networking
Version: unspecified
Hardware: All Linux
Importance: P5 blocker
Target Milestone: ---
Assignee: unassigned
Reported: 2023-07-04 09:38 UTC by Michal P
Modified: 2024-03-03 16:02 UTC
Description Michal P 2023-07-04 09:38:30 UTC
This is what I get on master, 1.36.0 and 1.36.1 versions:

./busybox wget https://amazon.com
Connecting to amazon.com (54.239.28.85:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

This happens for me only in Debian 12. The issue is wider because the official busybox docker image was recently switched to Bookworm - https://github.com/docker-library/busybox/commit/41d9ed130671540340a1064689c9ea72d7b376fe.

There are two possible fixes:

1) downgrade to older Debian distribution
2) revert commit with compiler optimization

git revert -n 7fbfb2050f24a457a909ea6bcec85c49a21db83a

After the revert, the above communication works without issues.

I'm unable to find the root cause of this issue. Maybe gcc is at fault here?
Comment 1 Michal P 2023-07-04 09:39:27 UTC
This happens when openssl is uninstalled and the internal busybox TLS implementation is used.
Comment 2 Ron Yorston 2024-03-03 16:02:03 UTC
The problem seems to be with the x86_64 assembly language code for sp_256_sub_8_p256_mod() in networking/tls_sp_c32.c. If I use the C code instead, wget works.

Unfortunately I don't speak x86_64 assembly language, so I've no idea what the real problem is.
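
Added example, not part of the bug thread and not Busybox code: a portable reference for subtraction modulo the NIST P-256 prime over eight 32-bit limbs, plus a differential check that counts inputs on which a candidate implementation disagrees with it. All names here (ref_sub_mod_p256, broken_sub_mod_p256, count_mismatches) and the (r, a, b) calling convention are assumptions for illustration; the "broken" candidate is a constructed fault, not the defect in the Busybox assembly.

```c
#include <stdint.h>
#include <string.h>

typedef void (*sub_fn)(uint32_t r[8], const uint32_t a[8], const uint32_t b[8]);

/* NIST P-256 prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1, least-significant limb first */
static const uint32_t P256[8] = {
    0xffffffffu, 0xffffffffu, 0xffffffffu, 0x00000000u,
    0x00000000u, 0x00000000u, 0x00000001u, 0xffffffffu
};

/* Raw 256-bit subtraction; returns 1 if a < b (final borrow), else 0 */
static uint32_t sub_limbs(uint32_t r[8], const uint32_t a[8], const uint32_t b[8])
{
    uint64_t borrow = 0;
    for (int i = 0; i < 8; i++) {
        uint64_t d = (uint64_t)a[i] - b[i] - borrow;
        r[i] = (uint32_t)d;
        borrow = (d >> 32) & 1;   /* set when this limb underflowed */
    }
    return (uint32_t)borrow;
}

/* Reference: r = (a - b) mod p, for a and b already reduced below p */
void ref_sub_mod_p256(uint32_t r[8], const uint32_t a[8], const uint32_t b[8])
{
    uint32_t mask = 0u - sub_limbs(r, a, b);   /* all ones if a < b */
    uint64_t carry = 0;
    for (int i = 0; i < 8; i++) {              /* add p back only after a borrow */
        uint64_t s = (uint64_t)r[i] + (P256[i] & mask) + carry;
        r[i] = (uint32_t)s;
        carry = s >> 32;
    }
}

/* Constructed faulty candidate: omits the add-back of p */
void broken_sub_mod_p256(uint32_t r[8], const uint32_t a[8], const uint32_t b[8])
{
    (void)sub_limbs(r, a, b);
}

/* Run deterministic pseudo-random operands through both; count disagreements */
int count_mismatches(sub_fn candidate, int rounds)
{
    uint32_t s = 0x2545f491u, a[8], b[8], want[8], got[8];
    int bad = 0;
    for (int n = 0; n < rounds; n++) {
        for (int i = 0; i < 16; i++) {         /* xorshift32 fills a, then b */
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            (i < 8 ? a : b)[i & 7] = s;
        }
        a[7] &= 0x7fffffffu; b[7] &= 0x7fffffffu;   /* keep operands below p */
        ref_sub_mod_p256(want, a, b);
        candidate(got, a, b);
        bad += memcmp(want, got, sizeof want) != 0;
    }
    return bad;
}

int main(void) { return count_mismatches(ref_sub_mod_p256, 1000) != 0; }
```

To compare an optimized build against the reference, wrap the implementation under test in a function with the sub_fn signature and pass it to count_mismatches.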