GNU bug report logs - #18524
Guix unable to download from github due to TLS fatal alert

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: ludo <at> gnu.org (Ludovic Courtès)
Subject: bug#18524: closed (Re: bug#18524: Guix unable to download from
 github due to TLS fatal alert)
Date: Sun, 02 Nov 2014 22:13:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#18524: Guix unable to download from github due to TLS fatal alert

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 18524 <at> debbugs.gnu.org.

-- 
18524: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18524
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: ludo <at> gnu.org (Ludovic Courtès)
To: 18524-done <at> debbugs.gnu.org
Subject: Re: bug#18524: Guix unable to download from github due to TLS fatal
 alert
Date: Sun, 02 Nov 2014 23:12:41 +0100

Was fixed with the GnuTLS upgrade in
3de9a5936c09038d5eeb1fab6966f34f8ea30574.

Ludo’.

[Message part 3 (message/rfc822, inline)]

From: ludo <at> gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw <at> netris.org>
Cc: guix-devel <at> gnu.org
Subject: Re: Guix unable to download from github due to TLS fatal alert
Date: Wed, 13 Aug 2014 23:56:30 +0200

Mark H Weaver <mhw <at> netris.org> skribis:

> Here's what happens:
>
> $ guix download https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
> starting download of `guix-file.cszPnB' from `https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> following redirection to `https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum A TLS fatal alert has been received.> handshake)'.
> failed to download "guix-file.cszPnB" from "https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz"
> guix download: error: https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz: download failed

I see that as well.  However, other github.com URLs works:

--8<---------------cut here---------------start------------->8---
$ guix download https://github.com/flavio/qjson/archive/0.8.1.tar.gz
starting download of `guix-file.tL8gal' from `https://github.com/flavio/qjson/archive/0.8.1.tar.gz'...
following redirection to `https://codeload.github.com/flavio/qjson/tar.gz/0.8.1'...
https://codeload.github.com/.../0.8.1	100.0% of 71.6 KiB
/gnu/store/fqfm3zm9pzwgic9sz2x8hk8ykm9yhkqw-0.8.1.tar.gz
163fspi0xc705irv79qw861fmh68pjyla9vx3kqiq6xrdhb9834j

$ guix download https://github.com/maebert/jrnl/archive/1.8.4.tar.gz
starting download of `guix-file.oK809e' from `https://github.com/maebert/jrnl/archive/1.8.4.tar.gz'...
following redirection to `https://codeload.github.com/maebert/jrnl/tar.gz/1.8.4'...
https://codeload.github.com/.../1.8.4	100.0% of 162.4 KiB
/gnu/store/cb39bf5ljrglj72bxarcsws241qhw5a8-1.8.4.tar.gz
019ky09sj5i7frmca0imv4jm46mn3f4lzah2wmiwxh22cisj7ksn
--8<---------------cut here---------------end--------------->8---

With debugging enabled in build/download.scm, the relevant part is:

--8<---------------cut here---------------start------------->8---
gnutls: [699|3] HSK[0x104e530]: CLIENT HELLO was queued [249 bytes]
gnutls: [699|7] HWRITE: enqueued [CLIENT HELLO] 249. Total 249 bytes.
gnutls: [699|7] HWRITE FLUSH: 249 bytes in buffer.
gnutls: [699|4] REC[0x104e530]: Preparing Packet Handshake(22) with length: 249 and min pad: 0
gnutls: [699|9] ENC[0x104e530]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls: [699|7] WRITE: enqueued 254 bytes for 0xe. Total 254 bytes.
gnutls: [699|4] REC[0x104e530]: Sent Packet[1] Handshake(22) in epoch 0 and length: 254
gnutls: [699|7] HWRITE: wrote 1 bytes, 0 bytes left.
gnutls: [699|7] WRITE FLUSH: 254 bytes in buffer.
gnutls: [699|7] WRITE: wrote 254 bytes, 0 bytes left.
gnutls: [699|2] ASSERT: gnutls_buffers.c:1075
gnutls: [699|7] READ: Got 5 bytes from 0xe
gnutls: [699|7] READ: read 5 bytes from 0xe
gnutls: [699|7] RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls: [699|7] RB: Requested 5 bytes
gnutls: [699|4] REC[0x104e530]: SSL 3.3 Alert packet received. Epoch 0, length: 2
gnutls: [699|4] REC[0x104e530]: Expected Packet Handshake(22)
gnutls: [699|4] REC[0x104e530]: Received Packet Alert(21) with length: 2
gnutls: [699|7] READ: Got 2 bytes from 0xe
gnutls: [699|7] READ: read 2 bytes from 0xe
gnutls: [699|7] RB: Have 5 bytes into buffer. Adding 2 bytes.
gnutls: [699|7] RB: Requested 7 bytes
gnutls: [699|4] REC[0x104e530]: Decrypted Packet[0] Alert(21) with length: 2
gnutls: [699|4] REC[0x104e530]: Alert[2|40] - Handshake failed - was received
--8<---------------cut here---------------end--------------->8---

Wget can be made to fail similarly:

--8<---------------cut here---------------start------------->8---
$ wget --secure-protocol=SSLv3 -O /dev/null https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
--2014-08-13 23:48:53--  https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving github.com... 192.30.252.128
Connecting to github.com|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz [following]
--2014-08-13 23:48:54--  https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving cloud.github.com... 54.230.44.78, 54.230.44.145, 54.230.44.189, ...
Connecting to cloud.github.com|54.230.44.78|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Unable to establish SSL connection.
--8<---------------cut here---------------end--------------->8---

But its default --secure-protocol=auto just works, although its gnutls.c
just seems to use the default priorities like we do.

Further investigation needed...

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.