GNU bug report logs - #18526
Failure to download from github due to TLS fatal alert

Previous Next

Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Mon, 22 Sep 2014 12:34:01 UTC

Severity: normal

Merged with 18524

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 18526 in the body.
You can then email your comments to 18526 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#18526; Package guix. (Mon, 22 Sep 2014 12:34:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to ludo <at> gnu.org (Ludovic Courtès):
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 22 Sep 2014 12:34:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: bug-guix <at> gnu.org
Subject: Failure to download from github due to TLS fatal alert
Date: Mon, 22 Sep 2014 14:33:13 +0200
[Message part 1 (text/plain, inline)]
From guix-devel.

[Message part 2 (message/rfc822, inline)]
From: ludo <at> gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw <at> netris.org>
Cc: guix-devel <at> gnu.org
Subject: Re: Guix unable to download from github due to TLS fatal alert
Date: Wed, 13 Aug 2014 23:56:30 +0200
Mark H Weaver <mhw <at> netris.org> skribis:

> Here's what happens:
>
> $ guix download https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
> starting download of `guix-file.cszPnB' from `https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> following redirection to `https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum A TLS fatal alert has been received.> handshake)'.
> failed to download "guix-file.cszPnB" from "https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz"
> guix download: error: https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz: download failed

I see that as well.  However, other github.com URLs works:

--8<---------------cut here---------------start------------->8---
$ guix download https://github.com/flavio/qjson/archive/0.8.1.tar.gz
starting download of `guix-file.tL8gal' from `https://github.com/flavio/qjson/archive/0.8.1.tar.gz'...
following redirection to `https://codeload.github.com/flavio/qjson/tar.gz/0.8.1'...
https://codeload.github.com/.../0.8.1	100.0% of 71.6 KiB
/gnu/store/fqfm3zm9pzwgic9sz2x8hk8ykm9yhkqw-0.8.1.tar.gz
163fspi0xc705irv79qw861fmh68pjyla9vx3kqiq6xrdhb9834j

$ guix download https://github.com/maebert/jrnl/archive/1.8.4.tar.gz
starting download of `guix-file.oK809e' from `https://github.com/maebert/jrnl/archive/1.8.4.tar.gz'...
following redirection to `https://codeload.github.com/maebert/jrnl/tar.gz/1.8.4'...
https://codeload.github.com/.../1.8.4	100.0% of 162.4 KiB
/gnu/store/cb39bf5ljrglj72bxarcsws241qhw5a8-1.8.4.tar.gz
019ky09sj5i7frmca0imv4jm46mn3f4lzah2wmiwxh22cisj7ksn
--8<---------------cut here---------------end--------------->8---

With debugging enabled in build/download.scm, the relevant part is:

--8<---------------cut here---------------start------------->8---
gnutls: [699|3] HSK[0x104e530]: CLIENT HELLO was queued [249 bytes]
gnutls: [699|7] HWRITE: enqueued [CLIENT HELLO] 249. Total 249 bytes.
gnutls: [699|7] HWRITE FLUSH: 249 bytes in buffer.
gnutls: [699|4] REC[0x104e530]: Preparing Packet Handshake(22) with length: 249 and min pad: 0
gnutls: [699|9] ENC[0x104e530]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls: [699|7] WRITE: enqueued 254 bytes for 0xe. Total 254 bytes.
gnutls: [699|4] REC[0x104e530]: Sent Packet[1] Handshake(22) in epoch 0 and length: 254
gnutls: [699|7] HWRITE: wrote 1 bytes, 0 bytes left.
gnutls: [699|7] WRITE FLUSH: 254 bytes in buffer.
gnutls: [699|7] WRITE: wrote 254 bytes, 0 bytes left.
gnutls: [699|2] ASSERT: gnutls_buffers.c:1075
gnutls: [699|7] READ: Got 5 bytes from 0xe
gnutls: [699|7] READ: read 5 bytes from 0xe
gnutls: [699|7] RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls: [699|7] RB: Requested 5 bytes
gnutls: [699|4] REC[0x104e530]: SSL 3.3 Alert packet received. Epoch 0, length: 2
gnutls: [699|4] REC[0x104e530]: Expected Packet Handshake(22)
gnutls: [699|4] REC[0x104e530]: Received Packet Alert(21) with length: 2
gnutls: [699|7] READ: Got 2 bytes from 0xe
gnutls: [699|7] READ: read 2 bytes from 0xe
gnutls: [699|7] RB: Have 5 bytes into buffer. Adding 2 bytes.
gnutls: [699|7] RB: Requested 7 bytes
gnutls: [699|4] REC[0x104e530]: Decrypted Packet[0] Alert(21) with length: 2
gnutls: [699|4] REC[0x104e530]: Alert[2|40] - Handshake failed - was received
--8<---------------cut here---------------end--------------->8---

Wget can be made to fail similarly:

--8<---------------cut here---------------start------------->8---
$ wget --secure-protocol=SSLv3 -O /dev/null https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
--2014-08-13 23:48:53--  https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving github.com... 192.30.252.128
Connecting to github.com|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz [following]
--2014-08-13 23:48:54--  https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving cloud.github.com... 54.230.44.78, 54.230.44.145, 54.230.44.189, ...
Connecting to cloud.github.com|54.230.44.78|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Unable to establish SSL connection.
--8<---------------cut here---------------end--------------->8---

But its default --secure-protocol=auto just works, although its gnutls.c
just seems to use the default priorities like we do.

Further investigation needed...

Ludo’.


Information forwarded to bug-guix <at> gnu.org:
bug#18526; Package guix. (Mon, 22 Sep 2014 13:33:04 GMT) Full text and rfc822 format available.

Message #8 received at 18526 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: 18526 <at> debbugs.gnu.org
Subject: Re: bug#18526: Failure to download from github due to TLS fatal alert
Date: Mon, 22 Sep 2014 15:32:43 +0200
[Message part 1 (text/plain, inline)]
The culprit is that our client would not support the TLS ‘SERVER NAME’
extension, unlike the wget and gnutls-cli (this is enabled simply by
calling ‘gnutls_server_name_set’.)  Here’s a proof-of-concept
workaround:

[Message part 2 (text/x-patch, inline)]
diff --git a/guix/build/download.scm b/guix/build/download.scm
index d98933a..b44302f 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -112,6 +112,24 @@ abbreviation of URI showing the scheme, host, and basename of the file."
       "Hold a weak reference from FROM to TO."
       (hashq-set! table from to))))
 
+(use-modules (system foreign))
+
+(define set-server-name!
+  (let* ((lib  (string-append (getenv "HOME") "/.guix-profile/lib/libgnutls"))
+         (ptr  (dynamic-func "gnutls_server_name_set"
+                             (dynamic-link lib)))
+         (proc (pointer->procedure int ptr
+                                   (list '* int '* size_t))))
+    (lambda (session type name)
+      ;; SESSION is a SMOB, and the 'gnutls_session_t' pointer is in its
+      ;; second cell.
+      (let* ((cell    (make-pointer (+ (sizeof '*) (object-address session))))
+             (session (dereference-pointer cell)))
+        (zero? (proc session type
+                     (string->pointer name) (string-length name)))))))
+
+(define GNUTLS_NAME_DNS 1)
+
 (define (tls-wrap port)
   "Return PORT wrapped in a TLS connection."
   (define (log level str)
@@ -119,6 +137,7 @@ abbreviation of URI showing the scheme, host, and basename of the file."
             "gnutls: [~a|~a] ~a" (getpid) level str))
 
   (let ((session (make-session connection-end/client)))
+    (set-server-name! session GNUTLS_NAME_DNS "cloud.github.com")
     (set-session-transport-fd! session (fileno port))
     (set-session-default-priority! session)
     (set-session-credentials! session (make-certificate-credentials))
[Message part 3 (text/plain, inline)]
I’ll add bindings for ‘gnutls_server_name_set’ in GnuTLS proper, and
then we can correctly address this bug.

Ludo’.

Reply sent to ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility. (Mon, 22 Sep 2014 19:20:03 GMT) Full text and rfc822 format available.

Notification sent to ludo <at> gnu.org (Ludovic Courtès):
bug acknowledged by developer. (Mon, 22 Sep 2014 19:20:03 GMT) Full text and rfc822 format available.

Message #13 received at 18526-done <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: 18526-done <at> debbugs.gnu.org
Subject: Re: bug#18526: Failure to download from github due to TLS fatal alert
Date: Mon, 22 Sep 2014 21:19:54 +0200
Commit 077bd18 fixes it, using the ‘set-session-server-name!’ procedure
introduced in GnuTLS commit e9fc746:

  https://gitorious.org/gnutls/gnutls/commit/e9fc74641dae2747b98bc9f79afc041805819339

It should be in the next GnuTLS release.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#18526; Package guix. (Mon, 13 Oct 2014 21:36:01 GMT) Full text and rfc822 format available.

Message #16 received at 18526 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: 18526 <at> debbugs.gnu.org
Subject: Re: bug#18526: Failure to download from github due to TLS fatal alert
Date: Mon, 13 Oct 2014 23:35:35 +0200
Commit 3de9a59 pushed an update to GnuTLS 3.2.19, which brings the new
‘set-server-name!’ procedure.

Ludo’.




Merged 18524 18526. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sun, 02 Nov 2014 22:14:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 01 Dec 2014 12:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 9 years and 120 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.