[Bug 2097692] [NEW] IPv6 TLS connection error/SSL_ERROR_SYSCALL in arm64 docker images

Oren K 2097692 at bugs.launchpad.net
Sun Feb 9 01:36:25 UTC 2025 

Public bug reported:

Affected Ubuntu Version:
Plucky Puffin/25.04

Affected Package Versions (tested and confirmed):
8.11.0-1ubuntu1
8.11.0-1ubuntu2
8.11.0-1ubuntu2
8.11.1-1ubuntu1
8.11.1-1ubuntu1

NOT Affected Package Versions (via force downgrade):
8.9.1-2ubuntu2.2
8.9.1-2ubuntu3

Affected Platforms:
MacBook Pro 2021 (arm64) - Docker Desktop 4.38.0 (Docker 20.10.22, macOS 15.3)

NOT Affected Platforms (tested and confirmed):
Raspberry Pi 400 (arm64) - Ubuntu 25.04 (Native)
Raspberry Pi 400 (arm64) - Docker 27.5.0 (running on Ubuntu 25.04)

Input:
curl https://launchpadlibrarian.net/763643707/curl_8.11.1-1ubuntu1_source.changes
(can be anything with IPv6)

Expected Result:
Format: 1.8
Date: Sat, 14 Dec 2024 03:39:34 -0600
Source: curl
...

Actual Result:
curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)

Workaround:
curl -4 https://launchpadlibrarian.net/763643707/curl_8.11.1-1ubuntu1_source.changes
(forcing an IPv4 connection)

Description:
I have docker images that build using the development branch (ubuntu:devel) regularly, in addition to Noble (ubuntu:latest), for both amd64 and arm64. I recently noticed that curl was not working on the devel images, so I did some digging back, and found that they had been broken since November (an image from 2024-11-24, with no other changes than the curl version, works just fine, but 2024-11-25 is broken).

The only packages that change from `dpkg-query -W -f='${Package} ${Version}\n'` are:
curl 8.9.1-2ubuntu3 -> 8.11.0-1ubuntu2
libcurl3t64-gnutls 8.9.1-2ubuntu3 -> 8.11.0-1ubuntu2
libcurl4t64 8.9.1-2ubuntu3 -> 8.11.0-1ubuntu2

I tried testing on all released versions of 8.11, and all experienced the same issue. Downgrading the packages to 8.9.1 works to fix curl outright, but I dug a bit deeper. When using `curl -v` on 8.11, I get this output:
* Host launchpadlibrarian.net:443 was resolved.
* IPv6: 2620:2d:4000:1009::3b8, 2620:2d:4000:1009::13e
* IPv4: 185.125.189.228, 185.125.189.229
*   Trying [2620:2d:4000:1009::3b8]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to launchpadlibrarian.net:443 
* closing connection #0
curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)

This indicated to me an issue with the IPv6 connection, so I tried
forcing IPv4 with `curl -4`, and lo and behold curl worked again.
Running additionally with `curl -6` confirms IPv6 as the culprit of the
bug.

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: arm64 plucky regression-proposed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2097692

Title:
  IPv6 TLS connection error/SSL_ERROR_SYSCALL in arm64 docker images

Status in curl package in Ubuntu:
  New

Bug description:
  Affected Ubuntu Version:
  Plucky Puffin/25.04

  Affected Package Versions (tested and confirmed):
  8.11.0-1ubuntu1
  8.11.0-1ubuntu2
  8.11.0-1ubuntu2
  8.11.1-1ubuntu1
  8.11.1-1ubuntu1

  NOT Affected Package Versions (via force downgrade):
  8.9.1-2ubuntu2.2
  8.9.1-2ubuntu3

  Affected Platforms:
  MacBook Pro 2021 (arm64) - Docker Desktop 4.38.0 (Docker 20.10.22, macOS 15.3)

  NOT Affected Platforms (tested and confirmed):
  Raspberry Pi 400 (arm64) - Ubuntu 25.04 (Native)
  Raspberry Pi 400 (arm64) - Docker 27.5.0 (running on Ubuntu 25.04)

  Input:
  curl https://launchpadlibrarian.net/763643707/curl_8.11.1-1ubuntu1_source.changes
  (can be anything with IPv6)

  Expected Result:
  Format: 1.8
  Date: Sat, 14 Dec 2024 03:39:34 -0600
  Source: curl
  ...

  Actual Result:
  curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)

  Workaround:
  curl -4 https://launchpadlibrarian.net/763643707/curl_8.11.1-1ubuntu1_source.changes
  (forcing an IPv4 connection)

  Description:
  I have docker images that build using the development branch (ubuntu:devel) regularly, in addition to Noble (ubuntu:latest), for both amd64 and arm64. I recently noticed that curl was not working on the devel images, so I did some digging back, and found that they had been broken since November (an image from 2024-11-24, with no other changes than the curl version, works just fine, but 2024-11-25 is broken).

  The only packages that change from `dpkg-query -W -f='${Package} ${Version}\n'` are:
  curl 8.9.1-2ubuntu3 -> 8.11.0-1ubuntu2
  libcurl3t64-gnutls 8.9.1-2ubuntu3 -> 8.11.0-1ubuntu2
  libcurl4t64 8.9.1-2ubuntu3 -> 8.11.0-1ubuntu2

  I tried testing on all released versions of 8.11, and all experienced the same issue. Downgrading the packages to 8.9.1 works to fix curl outright, but I dug a bit deeper. When using `curl -v` on 8.11, I get this output:
  * Host launchpadlibrarian.net:443 was resolved.
  * IPv6: 2620:2d:4000:1009::3b8, 2620:2d:4000:1009::13e
  * IPv4: 185.125.189.228, 185.125.189.229
  *   Trying [2620:2d:4000:1009::3b8]:443...
  * ALPN: curl offers h2,http/1.1
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  *  CAfile: /etc/ssl/certs/ca-certificates.crt
  *  CApath: /etc/ssl/certs
  * TLS connect error: error:00000000:lib(0)::reason(0)
  * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to launchpadlibrarian.net:443 
  * closing connection #0
  curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)

  This indicated to me an issue with the IPv6 connection, so I tried
  forcing IPv4 with `curl -4`, and lo and behold curl worked again.
  Running additionally with `curl -6` confirms IPv6 as the culprit of
  the bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2097692/+subscriptions

More information about the foundations-bugs mailing list