https connection issue on router

[Lecan]

RT-BE88U install 3006.102.4_beta2

ssh login to router, and curl https website will failed.

admin@RT-BE88U-3968:/tmp/home/root# curl http://www.baidu.com/
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>



admin@RT-BE88U-3968:/tmp/home/root# curl -vvv https://www.baidu.com/
20:14:43.482663 [0-0] => Send SSL data, 5 bytes (0x5)
0000: .....
20:14:43.482958 [0-0] == Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
20:14:43.483093 [0-0] => Send SSL data, 512 bytes (0x200)
0000: .......?S.laB....F.Cn:..^\..5....h...7 Qf:.....zO1.0...c,*..l...
0040: ..Y.....>.............,.0...+./...$.(.k.#.'.g.....9.....3.....=.
0080: <.5./.....u.........www.baidu.com...............................
00c0: ..........http/1.1.........1.....*.(............................
0100: .............+............-.....3.&.$... A...|..^....d....H.....
0140: ....k...........................................................
0180: ................................................................
01c0: ................................................................
20:14:43.560982 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: ....f
20:14:43.561181 [0-0] == Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
20:14:43.561312 [0-0] <= Recv SSL data, 102 bytes (0x66)
0000: ...b..h.e......@.o.....;A.....L'...S.. .............C.....59....
0040: ~].a..../...............http/1.1......
20:14:43.561709 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
20:14:43.561873 [0-0] == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
20:14:43.562028 [0-0] <= Recv SSL data, 4772 bytes (0x12a4)
0000: .........********.....p
20:14:43.575255 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: ....M
20:14:43.575431 [0-0] == Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
20:14:43.575592 [0-0] <= Recv SSL data, 333 bytes (0x14d)
0000: ...I...A.......)...XOL}.=.2....N..i.......'${...X.M.....v....2..
0040: .F%...{.............D..Q.....J1i....E.........FMgsi...l..d..b...
0080: .N@GT3.o'^^j..J.....k\..:.^b..#.I.E..:Y{....a3S3.-G..;....b.....
00c0: .o.....mD.=."xu.+..S..f...........H|..r...%.6.;7.3..%...i....h..
0100: ..1....u.X$..q.[..5...HH]/'/.,..K.V.........&&!.?...iH.~........
0140: ./..6.2W...9.
20:14:43.576841 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
20:14:43.576987 [0-0] == Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
20:14:43.577143 [0-0] <= Recv SSL data, 4 bytes (0x4)
0000: ....
20:14:43.578015 [0-0] => Send SSL data, 5 bytes (0x5)
0000: ....F
20:14:43.578157 [0-0] == Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
20:14:43.578318 [0-0] => Send SSL data, 70 bytes (0x46)
0000: ...BA.f.B].("..=......T......u...g.....~Ge...I..6.?.0......P.(.&
0040: )~....
20:14:43.578796 [0-0] => Send SSL data, 5 bytes (0x5)
0000: .....
20:14:43.578930 [0-0] == Info: TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
20:14:43.579099 [0-0] => Send SSL data, 1 bytes (0x1)
0000: .
20:14:43.579347 [0-0] => Send SSL data, 5 bytes (0x5)
0000: ....(
20:14:43.579445 [0-0] == Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
20:14:43.579541 [0-0] => Send SSL data, 16 bytes (0x10)
0000: ....\Lc.........
20:14:43.602945 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
20:14:43.603125 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: ....(
20:14:43.603320 [0-0] == Info: TLSv1.2 (IN), TLS handshake, Finished (20):
20:14:43.603462 [0-0] <= Recv SSL data, 16 bytes (0x10)
0000: ....]....8/..s..
20:14:43.603897 [0-0] => Send SSL data, 5 bytes (0x5)
0000: ....e
20:14:43.604067 [0-0] => Send header, 77 bytes (0x4d)
0000: GET / HTTP/1.1
0010: Host: www.baidu.com
0025: User-Agent: curl/8.10.1
003e: Accept: */*
004b:
20:14:43.626910 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
20:14:43.627072 [0-0] => Send SSL data, 5 bytes (0x5)
0000: .....
20:14:43.627225 [0-0] == Info: TLSv1.2 (OUT), TLS alert, protocol version (582):
20:14:43.627378 [0-0] => Send SSL data, 2 bytes (0x2)
0000: .F
20:14:43.627513 [0-0] == Info: OpenSSL SSL_read: OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number, errno 0
curl: (56) OpenSSL SSL_read: OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number, errno 0

 

[RMerlin]

Your log mentions OpenSSL 3.0.15, which is not part of the firmware. Make sure you are running the curl version that's part of the firmware and not one from Entware.

 

[Lecan]

Your log mentions OpenSSL 3.0.15, which is not part of the firmware. Make sure you are running the curl version that's part of the firmware and not one from Entware.

I remove entware and all amtm thing, still get this, but from another domain.

lijeep@RT-BE88U:/tmp/home/root# curl -V
curl 8.4.0 (arm-buildroot-linux-gnueabi) libcurl/8.4.0 OpenSSL/1.1.1w
Release-Date: 2023-10-11
Protocols: file ftp ftps http https imap imaps mqtt pop3 pop3s smb smbs smtp smtps
Features: alt-svc HSTS IPv6 Largefile NTLM SSL threadsafe TLS-SRP UnixSockets
lijeep@RT-BE88U:/tmp/home/root# curl -vvv https://map.baidu.com/
*   Trying 180.101.50.182:443...
* Connected to map.baidu.com (180.101.50.182) port 443
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  8 01:41:02 2024 GMT
*  expire date: Aug  9 01:41:01 2025 GMT
*  subjectAltName: host "map.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: map.baidu.com
> User-Agent: curl/8.4.0
> Accept: */*
>
* TLSv1.2 (OUT), TLS alert, protocol version (582):
* OpenSSL SSL_read: OpenSSL/1.1.1w: error:1408F10B:lib(20):func(143):reason(267), errno 0
* Closing connection
curl: (56) OpenSSL SSL_read: OpenSSL/1.1.1w: error:1408F10B:lib(20):func(143):reason(267), errno 0

 

[RMerlin]

Works fine for me. Make sure your router's clock is correct.

admin@RT-BE92U-B9B0:/tmp/home/root# curl -vvv https://map.baidu.com -o temp.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 180.76.11.169:443...
* Connected to map.baidu.com (180.76.11.169) port 443
* ALPN: curl offers http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4772 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  8 01:41:02 2024 GMT
*  expire date: Aug  9 01:41:01 2025 GMT
*  subjectAltName: host "map.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
* using HTTP/1.1
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
> GET / HTTP/1.1
> Host: map.baidu.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Cache-Control: private,max-age=0
< Connection: keep-alive
< Content-Type: text/html;charset=utf-8
< Date: Thu, 01 May 2025 15:05:52 GMT
< Expires: -1
< Http_x_bd_logid: 0351940395
< Http_x_bd_logid64: 0352036491788753930
< Http_x_bd_product: map
< Http_x_bd_subsys: webmap
< P3p: CP=" OTI DSP COR IVA OUR IND COM "
< P3p: CP=" OTI DSP COR IVA OUR IND COM "
< Server: Apache
< Set-Cookie: BAIDUID=222E65C6D7C8E4DC1D106E514C124515:FG=1; expires=Fri, 01-May-26 15:05:52 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
< Set-Cookie: BAIDUID=222E65C6D7C8E4DC681A9921E46571BF:FG=1; expires=Fri, 01-May-26 15:05:52 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
< Tracecode: 03519403951922185226050123
< Tracecode: 03519403951788753930050123
< Vary: Accept-Encoding
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< 
{ [5 bytes data]
100  299k    0  299k    0     0   145k      0 --:--:--  0:00:02 --:--:--  164k
* Connection #0 to host map.baidu.com left intact

 

[Lecan]

lijeep@RT-BE88U:/tmp/home/root# curl -vvv http://chiphell.com
*   Trying 117.69.71.61:80...
* Connected to chiphell.com (117.69.71.61) port 80
> GET / HTTP/1.1
> Host: chiphell.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 988
< Connection: keep-alive
< Server: EdgeOne_IS_OC
< Date: Thu, 01 May 2025 15:07:23 GMT
< EO-LOG-UUID: 13821628460139438014
<
* Connection #0 to host chiphell.com left intact
<script>function a(a){function n(){for(var a={wQzOV:_0x649a("0x4"),iTyzs:function(a,n){return a+n}},n=a[_0x649a("0x5")][_0x649a("0x6")]("|"),e=0;;){switch(n[e++]){case"0":t+="EO_Bot_Ssid=";continue;case"1":return t;case"2":t+="";continue;case"3":t=a[_0x649a("0x7")](t,3841064960);continue;case"4":var t="";continue}break}}var e={WTKkN:263166225,bOYDu:487741269,dtzqS:function(a,n){return a+n},wyeCN:1371588924,pCQRM:function(a){return a()}},t=0;return t+=e[_0x649a("0x0")],t+=e[_0x649a("0x1")],t=e[_0x649a("0x2")](t,e[_0x649a("0x3")]),[t,e[_0x649a("0x8")](n)][a]}var _0x49a6=["wyeCN","4|2|0|3|1","wQzOV","split","iTyzs","pCQRM","cookie","location.href=location.href.replace(/[?|&]tads/, '')","WTKkN","bOYDu","dtzqS"];(function(a,n){var e=function(n){for(;--n;)a.push(a.shift())};e(++n)})(_0x49a6,0x147);var _0x649a=function(a,n){a-=0;var e=_0x49a6[a];return e};document[_0x649a("0x9")]="__tst_status="+a(0)+"#;",document[_0x649a("0x9")]=a(1)+";",setTimeout(_0x649a("0xa"),0x4b0);</script>lijeep@RT-BE88U:/tmp/home/root#
lijeep@RT-BE88U:/tmp/home/root#
lijeep@RT-BE88U:/tmp/home/root# curl -vvv https://chiphell.com
*   Trying 117.69.71.61:443...
* Connected to chiphell.com (117.69.71.61) port 443
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=www.chiphell.com
*  start date: Feb 21 00:00:00 2025 GMT
*  expire date: Feb 21 23:59:59 2026 GMT
*  subjectAltName: host "chiphell.com" matched cert's "chiphell.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo ECC Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: chiphell.com
> User-Agent: curl/8.4.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* OpenSSL SSL_read: OpenSSL/1.1.1w: error:1408F10B:lib(20):func(143):reason(267), errno 0
* Closing connection
curl: (56) OpenSSL SSL_read: OpenSSL/1.1.1w: error:1408F10B:lib(20):func(143):reason(267), errno 0

 

[Lecan]

Works fine for me. Make sure your router's clock is correct.

admin@RT-BE92U-B9B0:/tmp/home/root# curl -vvv https://map.baidu.com -o temp.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 180.76.11.169:443...
* Connected to map.baidu.com (180.76.11.169) port 443
* ALPN: curl offers http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4772 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  8 01:41:02 2024 GMT
*  expire date: Aug  9 01:41:01 2025 GMT
*  subjectAltName: host "map.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
* using HTTP/1.1
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
> GET / HTTP/1.1
> Host: map.baidu.com
> User-Agent: curl/8.4.0
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Cache-Control: private,max-age=0
< Connection: keep-alive
< Content-Type: text/html;charset=utf-8
< Date: Thu, 01 May 2025 15:05:52 GMT
< Expires: -1
< Http_x_bd_logid: 0351940395
< Http_x_bd_logid64: 0352036491788753930
< Http_x_bd_product: map
< Http_x_bd_subsys: webmap
< P3p: CP=" OTI DSP COR IVA OUR IND COM "
< P3p: CP=" OTI DSP COR IVA OUR IND COM "
< Server: Apache
< Set-Cookie: BAIDUID=222E65C6D7C8E4DC1D106E514C124515:FG=1; expires=Fri, 01-May-26 15:05:52 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
< Set-Cookie: BAIDUID=222E65C6D7C8E4DC681A9921E46571BF:FG=1; expires=Fri, 01-May-26 15:05:52 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
< Tracecode: 03519403951922185226050123
< Tracecode: 03519403951788753930050123
< Vary: Accept-Encoding
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
{ [5 bytes data]
100  299k    0  299k    0     0   145k      0 --:--:--  0:00:02 --:--:--  164k
* Connection #0 to host map.baidu.com left intact

I think the time is correct +8 china.
how can I do a fully clean reset or reinstall the firmware, maybe some amtm scripts mess up the system. (I already try factory reset on webui)

 

[RMerlin]

Remove or rename the entware folder on your USB disk.

Then on the Factory Default reset page make sure the option to initialize all settings is also checked next to the Restore button. That will remove the content of the /jffs partition in addition to the factory default reset.

If it still fails, it might be a China-specific issue, maybe a proxy is rejecting the curl's User Agent. In any case it does not look like a firmware issue since it works fine here.

You could also try with wget.

 

[Lecan]

Remove or rename the entware folder on your USB disk.

Then on the Factory Default reset page make sure the option to initialize all settings is also checked next to the Restore button. That will remove the content of the /jffs partition in addition to the factory default reset.

If it still fails, it might be a China-specific issue, maybe a proxy is rejecting the curl's User Agent. In any case it does not look like a firmware issue since it works fine here.

You could also try with wget.

The strange thing is that my PC can run the same command fine. PC is connected to the Internet through this router. But router can not, both curl and wget

 

[Lecan]

sorry, the pic was compressed