microsoft
broken Openssl TLSv1.3 connection on Debian Trixie (13.1)
Windows Version
Microsoft Windows [Version 10.0.26200.7019]
WSL Version
2.6.2.0
Are you using WSL 1 or WSL 2?
- [x] WSL 2
- [ ] WSL 1
Kernel Version
6.6.87.2-microsoft-standard-WSL2
Distro Version
Debian 13.1
Other Software
OpenSSL 3.5.1 1 Jul 2025 curl 8.14.1
Repro Steps
curl -v https://repo.packagist.org/packages.json
Expected Behavior
HTTP/2 200
Actual Behavior
* Recv failure: Connection reset by peer
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: Connection reset by peer in connection to repo.packagist.org:443
* closing connection #0
curl: (35) Recv failure: Connection reset by peer
Also tested in docker. Here results:
- curl -> Windows = [v] no problem
- curl -> Debain 13.1 -> Windows = [x] problem
- curl -> Debian 12.12 (in docker) -> Debain 13.1 -> Windows = [v] no problem
- curl -> Debian 13.1 (in docker) -> Debain 13.1 -> Windows = [x] problem
result of openssl s_client -connect repo.packagist.org:443
Connecting to 169.150.247.34
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 0 bytes and written 1560 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
wget works fine.
openssl with argument -tls1_2 works fine.
curl with argument --tls-max 1.2 works fine.
Diagnostic Logs
WslLogs-2025-11-09_13-46-43.zip
Logs are required for review from WSL team
If this a feature request, please reply with '/feature'. If this is a question, reply with '/question'. Otherwise, please attach logs by following the instructions below, your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.
How to collect WSL logs
Download and execute collect-wsl-logs.ps1 in an administrative powershell prompt:
Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1
The script will output the path of the log file once done.
If this is a networking issue, please use collect-networking-logs.ps1, following the instructions in Collect WSL logs for networking issues
Once completed please upload the output files to this GitHub issue.
See Collect WSL logs (recommended method).
If you choose to email these logs instead of attaching them to the bug, please send them to [email protected] with the GitHub issue number in the subject, and include a link to your GitHub issue comment in the message body, and reply with '/emailed-logs'.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
No logs.etl found in the archive. Make sure that you ran collect-wsl-logs.ps1 as administrator and that the logs.etl file is in the archive.
Diagnostic information
Issue was edited and new log file was found: https://github.com/user-attachments/files/23437477/WslLogs-2025-11-09_13-46-43.zip
.wslconfig found
Detected appx version: 2.6.2.0
No logs.etl found in archive.
Error while parsing the logs. See action page for details
Possible because of this error:
wpr.exe : The term 'wpr.exe' is not recognized as the name of a cmdlet, function, script file, or operable program.
Thank you for reporting this @SailorMax. That could be caused by AV / custom security software. Do you have anything that could intercept / affect the connection from WSL ?
One thing you could try would be mirrored networking
That could be caused by AV / custom security software.
I use default Windows settings with default Defender. Plus the problem only with Debian 13.1. Debian 12.12 in same WSL works fine.
Do you have anything that could intercept / affect the connection from WSL ?
I don't think so. Checked everything. Nothing found.
One thing you could try would be mirrored networking
thanks. Will try.