TlsException on Windows #234
Comments
|
To whom it may concern, the |
|
For what it's worth, I'm running Windows 8 64-bit and I'm not getting any errors. |
|
I believe I've seen this issue elsewhere for the tls package and windows before. Let me see if I can find it. |
|
@snoyberg We had this exception with fpco-api in the past; do you remember anything from that can be helpful here? |
|
@wismill Can you follow the TLS debugging instructions at: https://github.com/vincenthz/hs-tls#common-issues Also, can you test out from a regular command prompt instead of powershell? I don't think that's important, but it's good to rule out other factors. |
|
I am testing now with Windows 8 64 bits (as admin): same error. |
|
I can't tell without more of the output from your process, can you copy in everything from calling |
|
I got only this single line as output. Adding option |
|
It's probably failing when trying to download the snapshot info, can you try with the URL: |
|
(Back with Windows 7) I tried I finally tried I tried these commands at home (win 8) and at work (win 7) with the same result. |
|
The arguments are supposed to be the host, not the full URL
For example, I was able to run: Though you'll likely want to leave off the |
|
Ok. So running Running I have to say, being new to Haskell I find the language really promising but the tooling lacks professional quality. |
|
@wismill Thanks to folks like you who work with us on these issues, we aim to change that sentiment soon! |
|
@wismill In Haskell's defense, Windows is its toughest spot. |
|
@vincenthz Any thoughts on the error message above? @wismill This may be a legitimate failure on the tls packages part. It's possible that your system isn't recognizing the SSL certificate used by stackage.org for some reason. |
|
Thanks to @snoyberg's comment:
I have investigate a bit the question. The "lock" icon confirm the SSL certificate works in Firefox for https://www.stackage.org. But, hey, it's Windows: I have some intuition Internet Explorer should not left apart. I was right: certificate recognized and now the previous commands work: This is a trail, but it does not solve the issue if one want @3noch : I know Windows has a lot of drawbacks, but being imposed at my work, I do not have much choice. Please keep working on this platform: the recent survey on the Haskellers shows it is important! And I think the ARM architecture too. But this is another story. |
|
We're kind of caught in a pickle on this one. We can turn off certificate checking and avoid this problem, but that will make stack very insecure. We don't want to go down that route (a problem which plagues other tools in the ecosystem). Also, this doesn't seem to be a universal problem, as many Windows users have no problem here. One possible mitigation here would be: default the specific call that failed (downloading the most recent snapshots) to non-SSL, or have it fall back to non-SSL, given that an attacker can't compromise the system by telling you something invalid here (you'll still be downloading the snapshots themselves over a secure connection). Another option is to move the snapshots.json off of stackage.org and put it on Github or S3, or to try and use a more universally supported CA (though I haven't really had any other problems). Any thoughts on these ideas? And again, thank you @wismill for working through this with us. |
|
There's couple of solution:
Obviously I would advise against disabling security, that's just a bad idea compare to a simple pinning mechanism and through a little config file, this let the users with no/bad CAs have a somewhat secure transport. |
|
I think disabling security is not a conceivable option. At least not without imposing explicit command line option. The developers of Pip, the package manager of Python, seem to have the same issue and it seems solved in the Python's standard library or with a dedicated package. Could it help? |
|
@wismill I'm in the same boat you are: Windows. So all we can do is plug away at these issues and hope for a brighter tomorrow. Thanks for your help. |
|
I've pushed a commit to hopefully make the error message far more helpful in this situation. @wismill if you are still able to reproduce the original problem, would you be able to take a try with the newest master? |
|
@snoyberg I would like to try your commit: I have cloned this repo, created a cabal sandbox and tried to install the dependencies. But I am facing this issue: haskell/cabal#2502. You see what I mean about insufficient tooling support, especially on Windows :-| And Cabal is a serious one (currently 582 issues!). I think I will just wait now the next version of minGHC with the new GHC 7.10.2, hopping it includes also the patch for cabal. All these issues at the same time, it is just too frustrating. But I will continue the testing soon, and ghci is all I need now to learn Haskell. |
|
I'm planning on cutting another beta release this Sunday, which will include another Windows executable. That may be an easier way to get this tested. Thanks again for the perseverance! |
|
@wismill GHC 7.10 is brand spanking new. If you were using GHC 7.8.4 you would get a very different feel. |
|
There's a new build of stack (0.0.2) that has the changes I mentioned above in place. @wismill can you give it a shot? |
|
I'm going to close this. If errors like this still occur with new versions, please reopen. |
|
It is working fine now. |
|
Not sure if it's relevant, but I'm experiencing this on Windows 10 preview 64-bit with the stack-0.0.3 binary. This is on a fresh install. |
|
I'll open up a new issue about this, so that the stackage cron job generates a JSON file and puts it on S3 somewhere. I'm presuming the S3 downloads don't have certificate issues? |
|
Hit the bug on fresh Windows 7 x86 installed to VirtualBox. |
|
Installation of all Windows updates fixed the problem. |
|
@NCrashed Great info. Thanks. @snoyberg What do you think of making that error message a little less frightening? |
|
I'm in favor of such a change, but I don't think that the problem was On Sat, Jul 25, 2015, 10:31 AM Elliot Cameron notifications@github.com
|
|
Either build plan downloading, either ghc installation through |
|
Oh, I found an easy fix for the problem. You need to visit https://github.com at least once on the new machine. IE downloads certificate, verifies it and then you are able to use |
|
I confirm the problem with stack 0.1.4.0 on Window 7. |
|
Would it be possible to put this information as a question and answer on On Fri, Sep 18, 2015 at 4:09 PM, dominique-unruh notifications@github.com
|
|
I've added it on Stack Overflow: http://stackoverflow.com/questions/32654493/stack-haskell-throws-tlsexception-in-windows/32654494#32654494 It would help if the next version of stack would catch the TLS Error and output the URL it failed to access? That would make it already a bit easier to fix. (And, if more users confirm that the hack of opening IE helps, the error message could explicitly say: "Open the following page in IE: https://blabla".) |
|
That's a great idea, can you open a new issue so that it doesn't get lost? On Fri, Sep 18, 2015, 5:29 PM dominique-unruh notifications@github.com
|
|
I got this problem with latest stack on FreeBSD. Symptoms are same: |
|
Please report that issue to the tls package following its debugging On Fri, Oct 2, 2015, 11:24 PM arrowdodger notifications@github.com wrote:
|
The stack tool could not download the root.json file from hackage. It failed with a TLS exception caused by a missing CA for the server certificate. It seems that opening a web page with Internet Explorer or with powershell causes the certificates to be updated. See commercialhaskell/stack#234
The stack tool could not download the root.json file from hackage. It failed with a TLS exception caused by a missing CA for the server certificate. It seems that opening a web page with Internet Explorer or with powershell causes the certificates to be updated. See commercialhaskell/stack#234
The stack tool could not download the root.json file from hackage. It failed with a TLS exception caused by a missing CA for the server certificate. It seems that opening a web page with Internet Explorer or with powershell causes the certificates to be updated. See commercialhaskell/stack#234
* Add rules_haskell module version 0.17 * Add patch fixing stack_snapshot extension usage * Add patch to remove obsolete aliases referring to nixpkgs core module * Build only //tools/... and //haskell/... * Set BAZEL_USE_CPP_ONLY_TOOLCHAIN * Install libtinfo5 and libgmp-dev on Debian / Ubuntu * Only build / test //test/... from test module * Enforce system certificates updates on Windows The stack tool could not download the root.json file from hackage. It failed with a TLS exception caused by a missing CA for the server certificate. It seems that opening a web page with Internet Explorer or with powershell causes the certificates to be updated. See commercialhaskell/stack#234 * Enable cc toolchain resolution * Add patch for windows Register the cc toolchain that comes with the GHC bindist. * Remove bcr_test_module for now Our test module depends on rules_nixpkgs' modules which are not available yet. * Set BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 on Windows * Skip Windows on CI It is currently failing with: ``` this rule is missing dependency declarations for the following files included by 'gzwrite.c': 'C:/b/f3c3gu33/execroot/_main/external/rules_haskell~0.17~haskell_toolchains~rules_haskell_ghc_windows_amd64/mingw/x86_64-w64-mingw32/include/stdio.h' 'C:/b/f3c3gu33/execroot/_main/external/rules_haskell~0.17~haskell_toolchains~rules_haskell_ghc_windows_amd64/mingw/x86_64-w64-mingw32/include/corecrt_stdio_config.h' 'C:/b/f3c3gu33/execroot/_main/external/rules_haskell~0.17~haskell_toolchains~rules_haskell_ghc_windows_amd64/mingw/x86_64-w64-mingw32/include/corecrt.h' ... ```
Hi, I tried
stackon Windows 7 64 bits and I got the following error:TlsException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))).To reproduce this:
cabal init(assuming cabal is already installed).stack buildEdit 1: I am using minghc 7.10.1 64 bits.
The text was updated successfully, but these errors were encountered: