# Problems with openssl

## micaldas

Hi,

I'm using Gentoo amd64 and tried to access python.org through Firefox 52.8.0 64-bit, and after writing the URL I just get a blank page with a "New Tab" header.

I then tried to access it through Opera 12.16 and got the following error message:

*Quote:*

> You tried to access the address http://python.org/, which is currently unavailable. Please make sure that the web address (URL) is correctly spelled and punctuated, then try reloading the page.
> 
> Secure connection: fatal error (70) from server.
> 
> https://www.python.org/
> ...

 

I don't have a firewall, nor am I behind a LAN, but I do use NordVPN and tried to access python.org after exiting the VPN, with the same result.

I uninstalled openssl and reinstalled it, making sure all the use flags were included, rebooted, but got the same results.

Below is the output of `openssl s_client -connect www.python.org:443`:

```
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3359300, C = US, ST = New Hampshire, L = Wolfeboro, O = Python Software Foundation, CN = www.python.org
verify return:1
write:errno=104
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3655 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 4AEB49D0336B3E65159CEFE678D85B46A5A4F3AF556D67C712643E5A9B0B38E16C5AF9A377B2DF7BA934AD083B64DA88
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532294823
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
```

Honestly, I really don't know how to interpret this output. I found the command while looking for information on how to troubleshoot openssl, but I hope it may be of use.

Any help would be greatly appreciated.

----------

## LIsLinuxIsSogood

Opera 12 is limited, I think, in the ability to process secure transactions with websites. I have experienced this on a desktop of mine where I still have both opera and opera-beta installed. Try installing opera-beta, as long as you are not worried about the overhead of storage space and resources used like CPU and RAM.

EDIT: I just remembered you should probably also check if installing firefox-bin would fix it... or please include some more package information about the currently installed version of firefox maybe (`emerge --info firefox`, for example).

----------

## micaldas

Hi and thank you for taking the time to answer.

I already have firefox-bin installed, version 60.1.0.

The output of `emerge --info firefox` is the following:

```
www-client/firefox-52.8.0::gentoo was built with the following:
USE="gmp-autoupdate jemalloc pulseaudio -bindist -custom-cflags -custom-optimization -dbus -debug -eme-free -gtk2 -hardened -hwaccel -jack (-neon) -pgo (-rust) (-selinux) -startup-notification (-system-cairo) -system-harfbuzz -system-icu -system-jpeg -system-libevent -system-libvpx -system-sqlite -test -wifi" L10N="-ach -af -an -ar -as -ast -az -bg -bn-BD -bn-IN -br -bs -ca -cak -cs -cy -da -de -dsb -el -en-GB -en-ZA -eo -es-AR -es-CL -es-ES -es-MX -et -eu -fa -ff -fi -fr -fy -ga -gd -gl -gn -gu -he -hi -hr -hsb -hu -hy -id -is -it -ja -ka -kab -kk -km -kn -ko -lij -lt -lv -mai -mk -ml -mr -ms -nb -nl -nn -or -pa -pl -pt-BR -pt-PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv -ta -te -th -tr -uk -uz -vi -xh -zh-CN -zh-TW"
CFLAGS="-march=native -pipe"
CXXFLAGS="-march=native -pipe -fno-delete-null-pointer-checks -fno-lifetime-dse -fno-schedule-insns2"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-rpath=/usr/lib64/firefox,--enable-new-dtags"
```

The problem is not Opera, as I had the same problem with Firefox 52.8.0.

----------

## Hu

What is the output of `emerge -pv dev-libs/openssl dev-libs/nss`?

----------

## micaldas

Hi Hu,

The output is this:

```
The following mask changes are necessary to proceed:
 (see "package.unmask" in the portage(5) man page for more details)
# required by app-crypt/rhash-1.3.5::gentoo[ssl,-libressl]
# required by dev-util/cmake-3.9.6::gentoo
# required by media-gfx/graphite2-1.3.10::gentoo
# required by media-libs/harfbuzz-1.7.6::gentoo[graphite]
# required by x11-libs/pango-1.40.14-r1::gentoo
# required by x11-libs/vte-0.48.4::gentoo
# required by x11-terms/terminator-1.91::gentoo
# required by @selected
# required by @world (argument)
# /usr/portage/profiles/package.mask:
# Lars Wendler <polynomial-c@gentoo.org> (26 Aug 2016)
# Masked while being tested and reverse deps aren't fully compatible
=dev-libs/openssl-1.1.1_pre8
NOTE: The --autounmask-keep-masks option will prevent emerge
      from creating package.unmask or ** keyword changes.
 * In order to avoid wasting time, backtracking has terminated early
 * due to the above autounmask change(s). The --autounmask-backtrack=y
 * option can be used to force further backtracking, but there is no
 * guarantee that it will produce a solution.
```

I'm now convinced that the problem is not in Gentoo.

Today I had to reinstall Slackware on another computer and, after I did it, I saw that it had the exact same problem. Also I noticed that the problem is not specific to Python's site. I had the same situation when I tried to go to Perl's and Ruby's sites. I have no problem at all going to any other sites but these.

----------

## LIsLinuxIsSogood

So what you are saying is that there is a conspiracy among those three programming languages and their web admins to specifically prevent you or some group of people from having a good experience with browsing the web? Probably not. :Confused: Although I would suspect that a more thorough set of tests (from a web usability standpoint) should be to check the situation from some other browsers as well; have you tried Opera, IE, Chromium, Safari and some of the smaller ones too that do not have the same capabilities, e.g. for JS and other revisions to newer web standards? Checking from at least one of each would be good before jumping to any conclusions about how those sites operate on just any Linux computer. If you want to, I would suggest looking at the list of packages in the portion of the tree that is located in the Gentoo main repo within www-client/*.

----------

## Anon-E-moose

Quit trying to use openssl 1.1.*

----------
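An added example, not written by anyone in the thread: a small Python triage of the `openssl s_client` output from the first post, separating the certificate-verification result from socket-level errors such as `write:errno=104`. The `triage` function, the errno table (Linux values assumed) and the shortened sample are constructed for illustration.

```python
import re

# Linux errno numbers (assumption: output captured on Linux, as in the thread).
LINUX_ERRNO = {32: "EPIPE", 104: "ECONNRESET", 110: "ETIMEDOUT",
               111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

# Shortened excerpt of the s_client output posted in the thread.
SAMPLE = """\
CONNECTED(00000003)
verify return:1
write:errno=104
---
SSL handshake has read 3655 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""


def triage(output):
    """Pull out the fields that separate trust failures from transport failures."""
    def first(pattern, cast=str):
        m = re.search(pattern, output, re.MULTILINE)
        return cast(m.group(1)) if m else None

    errors = re.findall(r"^(read|write):errno=(\d+)", output, re.MULTILINE)
    report = {
        "tcp_connected": output.lstrip().startswith("CONNECTED("),
        "verify_code": first(r"^\s*Verify return code: (\d+)", int),
        "protocol": first(r"^New, (\S+), Cipher is"),
        "cipher": first(r"^New, \S+, Cipher is (\S+)"),
        "bytes_read": first(r"^SSL handshake has read (\d+) bytes", int),
        "io_errors": [(op, int(n), LINUX_ERRNO.get(int(n), "unknown"))
                      for op, n in errors],
    }
    findings = []
    if report["verify_code"] == 0:
        findings.append("chain verified against the local trust store")
    elif report["verify_code"] is not None:
        findings.append("verification failed, code %d" % report["verify_code"])
    if report["cipher"] in (None, "(NONE)"):
        findings.append("no cipher negotiated: handshake never completed")
    for op, num, name in report["io_errors"]:
        findings.append("%s hit errno %d (%s): socket error, not a TLS alert"
                        % (op, num, name))
    report["findings"] = findings
    return report
```

For the posted output the report shows a verified chain and a negotiated TLSv1.2 cipher alongside a connection reset on write, which points away from the certificate store and toward the connection itself.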

