On 2020/01/31 21:24, Sven Wolf wrote:
> Hi,
> 
> I run current. After I ran sysupgrade today (GENERIC.MP #626 build Jan 30)
> it's not possible to run pkg_add. I always get the error
> TLS connect failure: failed to set session
> signify: gzheader truncated

pkg_add runs ftp many times and tries to resume TLS sessions between calls
to reduce setup overhead. The failure is connected with this but is only
seen with some sites.

> The error is reproducible on two machines and didn't occur until build #616
> (Jan 21).
> 
> /etc/installurl points to an internal mirror server. This mirror server runs
> on Debian/Apache and has a letsencrypt certificate. Maybe the letsencrypt
> certificate is the root cause.
> When I switch /etc/installurl to an official OpenBSD mirror (e.g.
> https://artfiles.org/openbsd/) the error doesn't occur.

There is no general problem with letsencrypt certificates; probably most of
the official mirrors use them (artfiles.org certainly does).

> Also when /etc/installurl points to the internal mirror server using the
> http instead of the https protocol then there is also no error.
> 
> sysupgrade runs without errors against the internal mirror server via https.
> Also a wget of a package (e.g. atk-2.34.1p1) via the https protocol shows no
> error.
> 
> I compared the atk-2.34.1p1 package against an official mirror. There is no
> difference in the md5sum.
> 
> Maybe the pkg_add error has something in common with
> https://marc.info/?t=157996435100001&r=1&w=2
> 
> If there is something I should test/change, please let me know.
> 
> Thanks and best regards,
> Sven
> 

Generally it is hard to debug these without access to the server (at
least to make an HTTPS connection if not actually fetch files) so it being
an internal server makes that hard. However, I have found some other hosts
which also have the same symptom so hopefully this will help LibreSSL
developers track it down.

https://cloudflare.cdn.openbsd.org/pub/OpenBSD/
https://mirrors.ucr.ac.cr/pub/OpenBSD/
https://mirrors.dotsrc.org/pub/OpenBSD/
https://mirror.one.com/pub/OpenBSD/
https://openbsd.c3sl.ufpr.br/pub/OpenBSD/

And there's a bonus "SSL_internal:unknown failure occurred" at

https://mirror.vdms.com/pub/OpenBSD/
