SSL/TLS handshake failure: protocol error #1494

Open
Jimmy-Z opened this issue Oct 20, 2019 · 2 comments

Jimmy-Z commented Oct 20, 2019

Example:

```
$ /opt/bin/aria2c https://us.download.nvidia.com/Windows/436.48/436.48-desktop-win10-64bit-international-whql.exe

10/20 15:15:02 [NOTICE] Downloading 1 item(s)
[#1023de 0B/0B CN:1 DL:0B]
10/20 15:15:03 [ERROR] CUID#7 - Download aborted. URI=https://us.download.nvidia.com/Windows/436.48/436.48-desktop-win10-64bit-international-whql.exe
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://us.download.nvidia.com/Windows/436.48/436.48-desktop-win10-64bit-international-whql.exe
  -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: protocol error

10/20 15:15:03 [NOTICE] Download GID#1023dee0651c83ba not complete:

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
1023de|ERR |       0B/s|https://us.download.nvidia.com/Windows/436.48/436.48-desktop-win10-64bit-international-whql.exe

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.
```

This is my own build:

```
$ /opt/bin/aria2c --version
aria2 version 1.35.0
Copyright (C) 2006, 2019 Tatsuhiro Tsujikawa

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

** Configuration **
Enabled Features: Async DNS, BitTorrent, Firefox3 Cookie, GZip, HTTPS, Message Digest, Metalink, XML-RPC, SFTP
Hash Algorithms: sha-1, sha-224, sha-256, sha-384, sha-512, md5, adler32
Libraries: zlib/1.2.11 libxml2/2.9.4 sqlite3/3.27.2 OpenSSL/1.1.1d c-ares/1.14.0 libssh2/1.8.0
Compiler: gcc 8.3.0
  built by  x86_64-pc-linux-gnu
  on        Oct  8 2019 15:26:06
System: Linux 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

Report bugs to https://github.com/aria2/aria2/issues
Visit https://aria2.github.io/
```

The one that ships with Debian 10 works fine though:

```
$ aria2c https://us.download.nvidia.com/Windows/436.48/436.48-desktop-win10-64bit-international-whql.exe

10/20 15:15:51 [NOTICE] Downloading 1 item(s)

10/20 15:15:52 [NOTICE] CUID#7 - Redirecting to https://us.download.nvidia.cn/Windows/436.48/436.48-desktop-win10-64bit-international-whql.exe
[#dd3eb8 508MiB/570MiB(88%) CN:1 DL:74MiB]
10/20 15:16:00 [NOTICE] Download complete: /mnt/tmpfs/436.48-desktop-win10-64bit-international-whql.exe

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
dd3eb8|OK  |    72MiB/s|/mnt/tmpfs/436.48-desktop-win10-64bit-international-whql.exe

Status Legend:
(OK):download completed.
```

```
$ aria2c --version
aria2 version 1.34.0
Copyright (C) 2006, 2017 Tatsuhiro Tsujikawa

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

** Configuration **
Enabled Features: Async DNS, BitTorrent, Firefox3 Cookie, GZip, HTTPS, Message Digest, Metalink, XML-RPC, SFTP
Hash Algorithms: sha-1, sha-224, sha-256, sha-384, sha-512, md5, adler32
Libraries: zlib/1.2.8 expat/2.2.0 sqlite3/3.16.2 OpenSSL/1.1.0j c-ares/1.12.0 libssh2/1.7.0
Compiler: gcc 6.3.0 20170516
  built by  x86_64-pc-linux-gnu
  on        May  9 2019 16:46:47
System: Linux 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

Report bugs to https://github.com/aria2/aria2/issues
Visit https://aria2.github.io/
```

VaslD commented Dec 14, 2019

It’s likely a network problem (GFW) when you try to download something on a worldwide website from mainland China.

I frequently interact with resources CDN’d by Cloudflare and AWS and I see similar logs almost every day, from all sorts of data transfer software.

My advice: Either use an address you know is located in China, like the redirected CN address (nvidia.cn), right from the beginning (never nvidia.com); or set up your own retry magic to handle all kinds of weird behaviors (timeouts, handshake failures, intermittent disconnects with perfect return codes).

Maybe it’s indeed an issue with aria2. But in my experience, GFW doesn’t just block websites, it messes with network traffic here and there and causes all kinds of software glitches that are not exactly issues of software themselves.


laggardkernel commented Nov 4, 2020

Update: aria2c built with gnutls has no problem with my tests. But aria2 built with openssl has problems handshaking on some sites with TLS 1.3. Anyone familiar with the code could dig deeper into it.


The same problem occurred on my MacBook. aria2 built with openssl failed to do the TLS handshake. https://example.test is a site with a self-signed cert and supports TLS v1.3 only.

```
2020-11-04 10:20:13.296746 [INFO] [LibsslTLSContext.cc:295] Trusted CA certificates were successfully added.
2020-11-04 10:20:13.296820 [DEBUG] [RequestGroupMan.cc:591] 1 RequestGroup(s) added.
2020-11-04 10:20:13.296833 [DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:0, hup:0, err:0
2020-11-04 10:20:13.296866 [DEBUG] [FeedbackURISelector.cc:162] Selected from normCands
2020-11-04 10:20:13.296872 [DEBUG] [FeedbackURISelector.cc:84] FeedbackURISelector selected https://example.test
2020-11-04 10:20:13.296891 [DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:0, hup:0, err:0
2020-11-04 10:20:13.298242 [INFO] [AsyncNameResolverMan.cc:83] CUID#7 - Resolving hostname example.test
2020-11-04 10:20:13.298257 [INFO] [AbstractCommand.cc:817] CUID#7 - Name resolution complete: example.test -> 127.0.0.1
2020-11-04 10:20:13.298271 [INFO] [HttpInitiateConnectionCommand.cc:123] CUID#7 - Connecting to 127.0.0.1:443
2020-11-04 10:20:13.298453 [DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:1, hup:0, err:0
2020-11-04 10:20:13.298490 [DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:1, hup:0, err:0
2020-11-04 10:20:13.298503 [DEBUG] [SocketCore.cc:926] Creating TLS session
2020-11-04 10:20:13.298656 [DEBUG] [SocketCore.cc:946] TLS Handshaking
2020-11-04 10:20:13.299125 [DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:1, write:0, hup:0, err:0
2020-11-04 10:20:13.299212 [ERROR] [AbstractCommand.cc:351] CUID#7 - Download aborted. URI=https://example.test
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://example.test
  -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: protocol error

11/04 10:20:13 [ERROR] CUID#7 - Download aborted. URI=https://example.test
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://example.test
  -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: protocol error
2020-11-04 10:20:13.299239 [DEBUG] [AbstractCommand.cc:479] CUID#7 - Aborting download
```

```
❯ aria2c -v
aria2 version 1.35.0
Copyright (C) 2006, 2019 Tatsuhiro Tsujikawa

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

** Configuration **
Enabled Features: Async DNS, BitTorrent, Firefox3 Cookie, GZip, HTTPS, Message Digest, Metalink, XML-RPC, SFTP
Hash Algorithms: sha-1, sha-224, sha-256, sha-384, sha-512, md5, adler32
Libraries: zlib/1.2.11 expat/2.2.1 sqlite3/3.24.0 OpenSSL/1.1.1h c-ares/1.16.1 libssh2/1.9.0
Compiler: Apple LLVM 10.0.1 (clang-1001.0.46.4)
  built by  x86_64-apple-darwin18.7.0
  on        Nov  4 2020 10:17:50
System: Darwin 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64

Report bugs to https://github.com/aria2/aria2/issues
Visit https://aria2.github.io/
```

This is not a problem for aria2 built with gnutls. BTW, appletls has no support for TLS v1.3 yet, which is the reason I tried to build aria2 with openssl or gnutls.

laggardkernel added a commit to laggardkernel/homebrew-tap that referenced this issue Aug 16, 2021
1. aria2/aria2#1636

  Aria2 built with gnutls failed to use the gnutls provided ca certs.
  Switch to the system one during compiling with `--with-ca-bundle`.

2. aria2/aria2#1494

  Aria2 built with openssl failed to handshake with some certs.
  During my test, it failed to handshake with my self-signed cert
  cause only one ecdh curve secp256r1 was provided. But aria2 built
  with gnutls provides other curves and handshake succeeds.
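
An added example, not part of the original thread or of aria2's code: the commit message above attributes the failure to the client offering only the secp256r1 curve. One way to confirm what a client offers is to parse the `supported_groups` extension out of a captured ClientHello record. The function names are hypothetical and the sample record is constructed for the demo.

```python
import struct

# IANA "TLS Supported Groups" code points (subset).
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
          0x001D: "x25519", 0x001E: "x448"}

def offered_groups(record):
    """List the named groups in a ClientHello's supported_groups extension."""
    if len(record) < 10 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]            # skip record header (5) + handshake header (4)
    try:
        pos = 2 + 32                                         # legacy_version, random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 10:                               # supported_groups
                count = int.from_bytes(body[pos:pos + 2], "big") // 2
                ids = struct.unpack_from(f"!{count}H", body, pos + 2)
                return [GROUPS.get(i, f"0x{i:04x}") for i in ids]
            pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return []

def single_curve_only(record, curve="secp256r1"):
    """True when the client offers exactly one group (the case the commit describes)."""
    return offered_groups(record) == [curve]

def sample_hello(group_ids):
    """Constructed minimal ClientHello for this demo; not a capture from the thread."""
    groups = struct.pack(f"!{len(group_ids)}H", *group_ids)
    exts = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"       # supported_versions: TLS 1.3
    exts += struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(offered_groups(sample_hello([0x0017])))                  # single-curve offer
    print(offered_groups(sample_hello([0x001D, 0x0017, 0x0018])))  # broader offer
```

Feed `offered_groups` the first TLS record a client sends, taken from a packet capture of the failing and the working build, to compare their curve lists.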
msfjarvis added a commit to msfjarvis/nixpkgs that referenced this issue Jul 6, 2023
aria2's OpenSSL integration breaks down when interacting with TLS v1.3
enabled websites which manifests in errors like these:

```
07/05 12:26:53 [NOTICE] Downloading 1 item(s)

07/05 12:26:54 [ERROR] CUID#7 - Download aborted. URI=https://catbox.moe
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://catbox.moe
  -> [SocketCore.cc:1018] errorCode=1 SSL/TLS handshake failure: protocol error
```

There are multiple instances[1] of users reporting this to the aria2 issue
tracker, and one of those issues[2] documents using GnuTLS in place of OpenSSL
as a workaround for the TLS v1.3 woes. I've verified that it indeed fixes
the problem, and hence making this change in Nixpkgs.

1: https://github.com/aria2/aria2/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+%22protocol+error%22
2: aria2/aria2#1494
github-actions bot pushed a commit to Mic92/nixpkgs that referenced this issue Jul 30, 2023