[Bug]: qbittorrent-nox + "SSL/TLS handshake failed"

[maaaaz]

Problem description

After installing the latest qbittorrent-nox, I get a lot of TLS-related error messages, saying that qbittorrent-nox can't validate any certificate issuer of any TLS communication.

So any TLS communication initiated by qbittorrent-nox fails.

What steps will reproduce the bug?

1. Install qbittorrent-nox

Commandline: apt install qbittorrent-nox
Install: fontconfig:arm (2.15.0, automatic), xcb-util:arm (0.4.1, automatic), freetype:arm (2.13.3, automatic), liband    roid-posix-semaphore:arm (0.1-3, automatic), harfbuzz:arm (10.1.0-1, automatic), double-conversion:arm (3.3.0, automat    ic), lld:arm (19.1.5, automatic), xcb-util-renderutil:arm (0.3.10, automatic), libllvm:arm (19.1.5, automatic), libway    land:arm (1.23.1-1, automatic), qt6-qtbase:arm (6.8.1, automatic), libcompiler-rt:arm (19.1.5, automatic), libcairo:ar    m (1.18.2, automatic), python-pip:arm (24.3.1, automatic), libxext:arm (1.3.6, automatic), boost:arm (1.83.0-3, automa    tic), xcb-util-keysyms:arm (0.4.1, automatic), python-ensurepip-wheels:arm (3.12.8, automatic), libxml2:arm (2.13.5, a    utomatic), libxfixes:arm (6.0.1, automatic), vulkan-loader:arm (0.0.3, automatic), llvm:arm (19.1.5, automatic), gdbm:    arm (1.24, automatic), libsm:arm (1.2.4-1, automatic), libxi:arm (1.8.2, automatic), libxt:arm (1.3.1, automatic), lib    graphite:arm (1.3.14-2, automatic), xorg-xauth:arm (1.1.3-1, automatic), glib:arm (2.82.4, automatic), libxkbcommon:ar    m (1.7.0, automatic), libglvnd:arm (1.7.0, automatic), xcb-util-cursor:arm (0.1.5-1, automatic), libxdmcp:arm (1.1.5,     automatic), make:arm (4.4.1, automatic), ndk-sysroot:arm (27c, automatic), libxrender:arm (0.9.11, automatic), mesa:ar    m (24.2.8, automatic), libjpeg-turbo:arm (3.1.0, automatic), libtorrent-rasterbar:arm (2.0.10-1, automatic), ttf-dejav    u:arm (2.37-8, automatic), libandroid-shmem:arm (0.5, automatic), pkg-config:arm (0.29.2-2, automatic), xcb-util-image    :arm (0.4.1-1, automatic), xcb-util-wm:arm (0.4.2, automatic), libxshmfence:arm (1.3.2-1, automatic), clang:arm (19.1.    5, automatic), libxxf86vm:arm (1.1.5-1, automatic), libpixman:arm (0.44.2, automatic), opengl:arm (0.1, automatic), li    bdrm:arm (2.4.124, automatic), libffi:arm (3.4.6-1, automatic), python:arm (3.12.8, automatic), libice:arm (1.1.1, aut    omatic), vulkan-loader-generic:arm (1.4.303, automatic), xkeyboard-config:arm (2.43-1, automatic), liblzo:arm (2.10-3,     automatic), brotli:arm (1.1.0, automatic), libpng:arm (1.6.44, automatic), libx11:arm (1.8.10, automatic), libxau:arm     (1.0.11, automatic), libxcb:arm (1.17.0, automatic), qbittorrent-nox:arm (5.0.2), libxmu:arm (1.2.1, automatic), libs    qlite:arm (3.47.2, automatic)

2. Launching it and having this in the logs:

(W) 2024-12-14T14:06:04 - SSL error, URL: "https://download.db-ip.com/free/dbip-country-lite-2024-12.mmdb.gz", errors: "The issuer certificate of a locally looked up certificate could not be found"
(W) 2024-12-14T14:06:04 - Couldn't download IP geolocation database file. Reason: SSL/TLS handshake failed

3. Understanding that any TLS communication, for instance when adding a torrent, induces this error, for instance adding a Debian netinst ISO torrent:

(N) 2024-12-14T14:12:29 - Downloading torrent... Source: "https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/debian-12.8.0-amd64-netinst.iso.torrent"
(W) 2024-12-14T14:12:29 - SSL error, URL: "https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/debian-12.8.0-amd64-netinst.iso.torrent", errors: "The issuer certificate of a locally looked up certificate could not be found"
(W) 2024-12-14T14:12:29 - Failed to add torrent. Source: "https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/debian-12.8.0-amd64-netinst.iso.torrent". Reason: "SSL/TLS handshake failed"

4. Trying to debug

$ strace -o debug qbittorrent-nox

[...]
3015 openat(AT_FDCWD, "/etc/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3016 openat(AT_FDCWD, "/usr/lib/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3017 openat(AT_FDCWD, "/usr/share/ssl/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3018 openat(AT_FDCWD, "/usr/local/ssl/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3019 openat(AT_FDCWD, "/var/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3020 openat(AT_FDCWD, "/usr/local/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3021 openat(AT_FDCWD, "/etc/openssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3022 openat(AT_FDCWD, "/opt/openssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3023 openat(AT_FDCWD, "/etc/ssl/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3024 mprotect(0xa68de000, 4096, PROT_READ|PROT_WRITE) = 0
3025 mprotect(0xa68de000, 4096, PROT_READ)   = 0
3026 openat(AT_FDCWD, "/etc/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3027 openat(AT_FDCWD, "/usr/lib/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3028 openat(AT_FDCWD, "/usr/share/ssl/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3029 openat(AT_FDCWD, "/usr/local/ssl/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3030 openat(AT_FDCWD, "/var/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3031 openat(AT_FDCWD, "/usr/local/ssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3032 openat(AT_FDCWD, "/etc/openssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3033 openat(AT_FDCWD, "/opt/openssl/certs/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3034 openat(AT_FDCWD, "/etc/ssl/", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3035 fstatat64(AT_FDCWD, "/usr/local/share/certs/ca-root-nss.crt", 0xbba161b8, 0) = -1 ENOENT (No such file or directory)
3036 faccessat(AT_FDCWD, "/usr/local/share/certs", F_OK) = -1 ENOENT (No such file or directory)
3037 openat(AT_FDCWD, "/usr/local/share/certs", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
3038 fstatat64(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", 0xbba161b8, 0) = -1 ENOENT (No such file or directory)
3039 faccessat(AT_FDCWD, "/etc/pki/tls/certs", F_OK) = -1 ENOENT (No such file or directory)
3040 openat(AT_FDCWD, "/etc/pki/tls/certs", O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
[...]
3223 openat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/cert.pem", O_RDONLY|O_LARGEFILE) = 10

So we can see that the cert.pem, coming from the ca-certificates package, is found, but no other CA public key is used.
That could explains the error ?!

What is the expected behavior?

No TLS error.

System information

Termux Variables:
TERMUX_APK_RELEASE=F_DROID
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=6195
TERMUX_IS_DEBUGGABLE_BUILD=0
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.0
TERMUX__USER_ID=0
Packages CPU architecture:
arm
Subscribed repositories:
# sources.list
deb https://mirrors.sahilister.in/termux/termux-main stable main
# x11-repo (sources.list.d/x11.list)
deb https://mirrors.sahilister.in/termux/termux-x11 x11 main
# root-repo (sources.list.d/root.list)
deb https://mirrors.sahilister.in/termux/termux-root root stable
Updatable packages:
All packages up to date
termux-tools version:
1.44.5
Android version:
9
Kernel build information:
Linux localhost 4.9.113 #1 SMP PREEMPT Fri Jul 9 10:16:54 MSK 2021 armv7l Android
Device manufacturer:
X3
Device model:
Model-X3
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so

[funsafe-ptr]

❯ strace -o debug qbittorrent-nox
WebUI will be started shortly after internal preparations. Please wait...

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080
The WebUI administrator username is: admin
The WebUI administrator password was not set. A temporary password is provided for this session: HKf7YyaeD
You should set your own password in program preferences.

Download just fine from
https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/debian-12.8.0-amd64-netinst.iso.torrent

[TomJo2000]

Looking at 4. here it looks like we missed a couple fixed paths that need to be patched.

[maaaaz]

❯ strace -o debug qbittorrent-nox
WebUI will be started shortly after internal preparations. Please wait...

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080
The WebUI administrator username is: admin
The WebUI administrator password was not set. A temporary password is provided for this session: HKf7YyaeD
You should set your own password in program preferences.

Download just fine from https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/debian-12.8.0-amd64-netinst.iso.torrent

You had absolutely no TLS error ? Do you have the "Ignore SSL/TLS error" enabled on your qbittorrent-instance ?

[maaaaz]

Just another information in order to allow you clearly identify the root cause: from the same termuxed device, a curl to a TLS website correctly works without any SSL/TLS error:

$ curl -v "https://download.db-ip.com/free/dbip-country-lite-2024-12.mmdb.gz" -o test.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host download.db-ip.com:443 was resolved.
* IPv6: (none)
* IPv4: 172.67.75.166, 104.26.4.15, 104.26.5.15
*   Trying 172.67.75.166:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
*  CApath: /data/data/com.termux/files/usr/etc/tls/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2522 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=db-ip.com
*  start date: Nov  8 00:28:32 2024 GMT
*  expire date: Feb  6 00:28:31 2025 GMT
*  subjectAltName: host "download.db-ip.com" matched cert's "*.db-ip.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Connected to download.db-ip.com (172.67.75.166) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://download.db-ip.com/free/dbip-country-lite-2024-12.mmdb.gz
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: download.db-ip.com]
* [HTTP/2] [1] [:path: /free/dbip-country-lite-2024-12.mmdb.gz]
* [HTTP/2] [1] [user-agent: curl/8.11.0]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET /free/dbip-country-lite-2024-12.mmdb.gz HTTP/2
> Host: download.db-ip.com
> User-Agent: curl/8.11.0
> Accept: */*
>
* Request completely sent off
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
< HTTP/2 200
< date: Sun, 15 Dec 2024 12:20:02 GMT
< content-type: application/octet-stream
< content-length: 3705560
< last-modified: Sun, 01 Dec 2024 06:01:51 GMT
< etag: "674bfbcf-388ad8"
< x-iplb-request-id: AC477B44:4CF6_93878F2E:0050_674BFC38_3F6ACED6:6F90
< x-iplb-instance: 54170
< cache-control: max-age=28800
< cf-cache-status: HIT
< age: 35
< accept-ranges: bytes
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=axXxVKTQedw9fWUZ8V4o2i3NXV1ECsr0Oucu7A4Sng6TVu%2Fm4%2FqZkynexURNuCHidzP50g6sbpEP5ckMHMEhSRcGR5yERQ0jHdl9nKreE4dhTlkZUHUZMo39W5QhPjP1nbNcGA%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8f2662a8889b02de-CDG
< alt-svc: h3=":443"; ma=86400
< server-timing: cfL4;desc="?proto=TCP&rtt=3745&min_rtt=2854&rtt_var=1452&sent=5&recv=8&lost=0&retrans=0&sent_bytes=3417&recv_bytes=785&delivery_rate=840150&cwnd=251&unsent_bytes=0&cid=ac4651eef13841de&ts=114&x=0"
<
{ [5 bytes data]
100 3618k  100 3618k    0     0  12.7M      0 --:--:-- --:--:-- --:--:-- 12.8M
* Connection #0 to host download.db-ip.com left intact

With the strace:

$ url="https://download.db-ip.com/free/dbip-country-lite-2024-12.mmdb.gz"
$ strace curl $url |& grep open
openat(AT_FDCWD, "/dev/__properties__/property_info", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/__properties__/properties_serial", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/__properties__/u:object_r:debug_prop:s0", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/__properties__/u:object_r:exported_default_prop:s0", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/system/etc/ld.config.28.txt", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
read(3, "open the files\nnamespace.default"..., 1024) = 1024
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libtermux-exec.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libcurl.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 4
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libz.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libc.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/system/lib/libc.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 6
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libdl.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/system/lib/libdl.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 7
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libnghttp3.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 8
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libnghttp2.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 9
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libssh2.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 10
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libssl.so.3", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 11
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libcrypto.so.3", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 12
openat(AT_FDCWD, "/proc/sys/vm/overcommit_memory", O_RDONLY|O_LARGEFILE) = 3
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/__properties__/property_info", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/__properties__/properties_serial", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/__properties__/u:object_r:exported2_default_prop:s0", O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3
openat(AT_FDCWD, "/system/lib/libnetd_client.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/system/lib/libc++.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 4
openat(AT_FDCWD, "/system/lib/libm.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
openat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/libz.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
openat(AT_FDCWD, "/data/data/com.termux/files/home/.curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/data/data/com.termux/files/home/.config/curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/data/data/com.termux/files/home/.curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/cert.pem", O_RDONLY|O_LARGEFILE) = 6
openat(AT_FDCWD, "/data/misc/zoneinfo/current/tzdata", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/system/usr/share/zoneinfo/tzdata", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 6
openat(AT_FDCWD, "/data/misc/zoneinfo/current/tzdata", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/system/usr/share/zoneinfo/tzdata", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 6

We can see that these files are correctly parsed:

openat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
openat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/cert.pem", O_RDONLY|O_LARGEFILE) = 6

FYI:

• the /data/data/com.termux/files/usr/etc/tls/certs indicated by curl does not exist.
• the /data/data/com.termux/files/usr/etc/tls/cert.pem file comes from the ca-certificates package.

[funsafe-ptr]

How do you set that setting? Anyway, this is a fresh install of qbittorrent and qbittorrent-nox.

This is from strace when looking up the word "cert"

...
newfstatat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/qt6/plugins/tls/libqcertonlybackend.so", {st_mode=S_IFREG|0600, st_size=71168, ...}, AT_SYMLINK_NOFOLLOW) = 0
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/qt6/plugins/tls/libqcertonlybackend.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
openat(AT_FDCWD, "/data/data/com.termux/files/usr/lib/qt6/plugins/tls/libqcertonlybackend.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "cert = $insta::certout # insta.c"..., 4096) = 40
openat(AT_FDCWD, "/etc/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/openssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/opt/openssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/ssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/openssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/opt/openssl/certs/", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", 0x7feb7de780, 0) = -1 ENOENT (No such file or directory)
faccessat(AT_FDCWD, "/etc/pki/tls/certs", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/pki/tls/certs", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/share/certs/ca-root-nss.crt", 0x7feb7de780, 0) = -1 ENOENT (No such file or directory)
faccessat(AT_FDCWD, "/usr/local/share/certs", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/certs", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
...
openat(AT_FDCWD, "/data/data/com.termux/files/usr/etc/tls/cert.pem", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0600, st_size=234847, ...}) = 0
read(10, "##\n## Bundle of CA Root Certific"..., 4096) = 4096
read(10, "BhMC\nSUUxEjAQBgNVBAoTCUJhbHRpbW9"..., 4096) = 4096
read(10, "84FoVxp7Z\n8VlIMCFlA2zs6SFz7JsDoe"..., 4096) = 4096
madvise(0x7068965000, 4096, MADV_DONTNEED) = 0
madvise(0x7068965000, 4096, MADV_DONTNEED) = 0
read(10, "7z\nPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8"..., 4096) = 4096
madvise(0x7068896000, 4096, MADV_DONTNEED) = 0
read(10, "5N78gDGIc/oav7PKaf8MOh2tTY\nbitTk"..., 4096) = 4096
read(10, "ENBMB4XDTA2MTExMDAwMDAw\nMFoXDTMx"..., 4096) = 4096
...

[maaaaz]

How do you set that setting?

Like this:

[funsafe-ptr]

No, the checkbox is not enabled.