Handshake Error - Connection Verify Failed

[jakobr-google]

From @anubhaavofficial on February 7, 2018 4:19

URL: https://pub.dartlang.org/flutter

When using Flutter Doctor command, I am getting the error (Look at the screenshot.). When I changed the Environment variables to

PUB_HOSTED_URL=https://pub.flutter-io.cn
FLUTTER_STORAGE_BASE_URL=https://storage.flutter-io.cn

then the 'pub' command is working fine and I am able to install flutter correctly.

I am in India, from last 2-3 Weeks this issue persists, and I am not able to install pub packages from default server.

Error: When using default server settings.

Success: When Using China Mirror

Copied from original issue: dart-lang/pub-dev#966

[jakobr-google]

Do you have a proxy or something in the way that might serve a self-signed certificate for pub.dartlang.org? Can you access https://pub.dartlang.org/ in a browser without warnings?

Could you post the output of running

openssl s_client -showcerts -servername pub.dartlang.org -connect pub.dartlang.org:443

?

[jakobr-google]

From @anubhaavofficial on February 8, 2018 15:31

No, I do not have any proxy setup. Yes, I can access https://pub.dartlang.org/ without any warnings. I am attaching the screenshot of that.

OpenSSL Command Screenshots

[jakobr-google]

For some reason, the trust store that both openssl and pub use doesn't have the GeoTrust Global CA in it, so they think it's a self-signed certificate. Chrome is happy with the certificate, so it must be using a different store.

The certificate chain is *.dartlang.org -> Google Internet Authority G2 -> GeoTrust Global CA.

So, something's gone wrong with the CA trust store on your machine, AFAICT. This doesn't look like an issue with the pub site itself, so I'm moving this bug over to the Dart SDK to see if they have a better idea of what might be wrong.

[jakobr-google]

SDK gurus, do we use Windows' built-in trust store?

[zanderso]

We do not use Windows' built-in trust store. We use a compiled-in bundle of root certs from here: https://github.com/dart-lang/root_certificates. It sounds like they need to be updated. Possibly related: #31948 and #32129 /cc @aam

[anubhaavspark]

Temporary relief is when setting environment vars as:

PUB_HOSTED_URL=https://pub.flutter-io.cn
FLUTTER_STORAGE_BASE_URL=https://storage.flutter-io.cn

Flutter is working perfectly when using the above settings. But the permanent solution is required.

[goderbauer]

FYI, a user on twitter is reporting that disabling his virus scanner fixed the error for him: https://twitter.com/morxs/status/968431592594063362

[anubhaavspark]

I have tried this method along ago. This is not working, I have Kaspersky installed, I tried many times.

…

On Wed, Feb 28, 2018 at 12:53 AM, Michael Goderbauer < ***@***.***> wrote: FYI, a user on twitter is reporting that disabling his virus scanner fixed the error for him: https://twitter.com/morxs/status/968431592594063362 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#32131 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AiilL8RsqvTkaNDKWuZ-JSDOHk1tG4lxks5tZFYagaJpZM4SDCrQ> .

[aboodh95]

Stopping the protection of Kaspersky worked for me and the issue is solved

[alexzimmer96]

I'm just running into this error when i wanted to try Flutter. My cert-chain also does not contain any CAs:

---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2695 bytes and written 286 bytes
Verification error: unable to get local issuer certificate
---

Using Windows 10, Version 1709

[AltairCA]

I Disabled Kaspersky temporory and then it worked

[alexzimmer96]

I tried it with disabled kaspersky too but it did not work.

[peenaphoenix]

I am behind the corporate proxy and there is a self signed certificate in the certificate chain.
Dart / Flutter PUB upgrade throws error "TLS error" and on verbosity found to be SELF_SIGNED certificate in the chain.

I have gone through all the comments and none fixed the issue. Can you please help in resolving the issue.

I have the CA cert file with me. As like we add the ca file in the npm, do we have any option to add the root ca ?

[peenaphoenix]

Any update to the problem mentioned above ?

I am behind the corporate proxy and there is a self signed certificate in the certificate chain.
Dart / Flutter PUB upgrade throws error "TLS error" and on verbosity found to be SELF_SIGNED certificate in the chain.

I have gone through all the comments and none fixed the issue. Can you please help in resolving the issue.

I have the CA cert file with me. As like we add the ca file in the npm, do we have any option to add the root ca ?

[philippmay3r]

I am using Kaspersky and i searched for some issues. I found two settings which helped me:

• add "pub.dartlang.org" as exclusions in "Network settings"
• choose at option Encrypted connections scanning to: Scan encrypted connections upon request from protection components

[BerndWessels]

@peenaphoenix I think I have exactly the same situation now, our company just put some cisco magic into our network and it seems to mess with https certs (man in the middle monitoring maybe).
Is there any way to use pub just with http or at least get a workaround for the https errors?

[robertpro]

Is there a way to simply ignore the certificate ?

[larelb]

@peenaphoenix @BerndWessels @robertpro - I am in the same boat. Have any of you guys found a solution to add in a cert?

[robertpro]

@larelb check this reddit, i havent tried for lack of time, https://www.reddit.com/r/dartlang/comments/93zd55/quick_tip_how_to_make_http_requests_dart/?utm_source=reddit-android

[larelb]

@robertpro Thanks. I'm wondering if there is a way to do it with pub just to download the dependencies that Flutter needs such as with NPM, Composer, or any other build tool that requires SSL verification.

[pawangjain]

Hello

Where is the Dart's/Flutter's truststore file located in Windows?

Is it possible to add the certificate to the flutter's truststore like it is done for Java's truststore (cacerts) using the keytool command or is there some other command?

How to add a certificate PEM/CRT file to the trust store used by Flutter/Dart?

Thanks.

[a-siva]

Is this still a 'p1-high' that usually means 'Planned for the in-progress release',

[nwildner]

And just to add more information to this issue: If you are managing any NextGen firewall(Checkpoint, FortiGate, Palo Alto, Sophos...) at your company like me, you will face this issue if you have SSL Inspection enabled. That is also why this problem happens with some home antiviruses, cause they have this feature enabled.

It comes down to the point where creating SSL Inspection exceptions to "pub.dartlang.org" and "pub.dev" (god, why so many redirects) will not be enough since, it will at the end try to use "storage.googleapis.com" as the download URL for dart packages, and i will not create an exception for such broad domain/URL.

[jonasfj]

/CC @sortie

[mlazzarotto]

Hello

Where is the Dart's/Flutter's truststore file located in Windows?

Is it possible to add the certificate to the flutter's truststore like it is done for Java's truststore (cacerts) using the keytool command or is there some other command?

How to add a certificate PEM/CRT file to the trust store used by Flutter/Dart?

Thanks.

@jonasfj
I am also looking for a solution. Where's the keystore, and can I add our self-signed cert to the flutter's store?

[zanderso]

On Windows, the default trusted root certs are baked into the command line Dart VM. The fix here is likely to modify the command line Dart VM to use the Windows system keystore instead.

(The command line Dart VM does accept arguments --root-certs-file and --root-certs-cache to override the default, but since the problematic invocations in this issue are internal to flutter_tool, passing them would require modifying the flutter_tool source.)

[Abhilash-Chandran]

@zanderso & @mlazzarotto Based on this comment from @larelb in this issue setting the environment variable DART_VM_OPTIONS solved the issue with the HadnshakeError in my case.

This is what I did.

1. First export the certificate using a broswer(Chrome in my case) and save it a local path e.g. desktop.
   • This usually would be with a .cer extension.
2. Then using openssl convert the .cer file into .pem file.
   • Using the command as shown here.
3. Create an environment variable DART_VM_OPTIONS and set its value to --root-certs-file=<path_to_pem_file>
4. Then running flutter packages get resolves the URL and initiates a correct connection.

However further version resolving fails for which I will try to open a new issue with some more details.

[micsanbr]

I used to get the same issue at work -- I am behind a proxy that replaces some SSL certificates (but not all certificates) with its own self-signed certificates,

This is my workaround that has worked so far.

DISCLAIMER: USE AT YOUR OWN RISK
If you don't know how the following stuff works, then please ask the IT guys to help you with this.
I don't take responsibility if you break your stuff.

• Open Control Panel > System > Advanced system settings > Advanced > Environment variables

Create the SYSTEM environment variable JAVA_HOME with a value of
C:\Program Files\Java\jre8
Please make sure that this path matches the version of JAVA installed on your system.

Add the following to the PATH environment variable

%FLUTTER_ROOT%\bin
%FLUTTER_ROOT%\.pub-cache\bin
%JAVA_HOME%\bin

• Get the intermediate and root certificates from your organization.

This picture found in google shows the certificate window in Chrome
https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/8026086487/original/GIGDSVjjfl2OfD-Zt389RTM-K55bvjJtsw.png?1509568821
Our proxy is sometimes replacing the certificate with another certificate with different root and intermediate certificates.
By default our browsers are already configured to trust these certificates but other applications (such as Android Studio, Flutter, Unity) think that there's a network misconfiguration.

The intermediate and root certificates for your organization could be exported from a keystore (for example Java or Firefox) where they have been already added by your IT team (for example your company's default browser).
Our company also has an intranet website where the files are available for download in PEM format as well.

• Create the folder "Dev_Certificates" in "C:\ProgramData"

• Copy the downloaded certificates to "C:\ProgramData\Dev_Certificates"

• Copy the "cacerts" file from "C:\Program Files\Java\jre8\lib\security" to "C:\ProgramData\Dev_Certificates"

• Open the Command Prompt as Administrator and add the certificates to "C:\ProgramData\Dev_Certificates\cacerts" using the following

keytool -import -alias CA-ALIAS-NAME-1 -file "C:\ProgramData\Dev_Certificates\YOUR-CA-CERTIFICATE-1.crt" -keystore C:\ProgramData\Dev_Certificates\cacerts -storepass changeit
keytool -import -alias CA-ALIAS-NAME-2 -file "C:\ProgramData\Dev_Certificates\YOUR-CA-CERTIFICATE-2.crt" -keystore C:\ProgramData\Dev_Certificates\cacerts -storepass changeit

and so on .... this must be repeated for the various certificates to add to the keystore copy.

Any errors reporting that the certificate already exists can be safely ignored at this point.

• Create an empty text file called "export-PEM-from-cacerts.bat" in "C:\ProgramData\Dev_Certificates"

@echo off
> cacerts.pem (
	for /f "tokens=1 delims=," %%G in ('keytool -list -keystore cacerts -storepass changeit ^| findstr "trustedCertEntry"') do (
		keytool -exportcert -keystore cacerts -alias "%%G" -storepass changeit -rfc
	)
)

• Run "export-PEM-from-cacerts.bat" and wait for it to finish.
  After a minute or so, it should generate a file called "cacerts.pem".
  This file contains all the certificates in PEM format.
  In my case this file contains 99 certificates.

• Open Control Panel > System > Advanced system settings > Advanced > Environment variables

Create the following USER environment variable DART_VM_OPTIONS with a value of
--root-certs-file=C:/ProgramData/_Dev_Certificates/cacerts.pem

On top of this, I've also configured the USER environment variables HTTP_PROXY and HTTPS_PROXY with authentication and configured the gradle.properties used by Android Studio to use the modified keystore and the proxy http/https (not sure if this last one is required for flutter).

Update: I just noticed that the certs-file must be encoded in UTF-8, otherwise it won't work.

[bkonyi]

@zichangg since you've been doing a lot of work with dart:io and Windows, do you think you'd be willing to take a swing at this issue?

[vsmenon]

Is this still an open issue? Are folks using the workaround above?

[zichangg]

Two fixes are landed. One updates the trusted root certificates and the other enable VM to use Windows default root store.

[sliechti]

Two fixes are landed. One updates the trusted root certificates and the other enable VM to use Windows default root store.

@zichangg How can I enable dart to use the default root store in windows?

"I did a flutter upgrade and flutter pub get stopped working, had to go back to flutter_windows_1.22.3-stable without upgrade"

I tried with DART_VM_OPTIONS and it seems the argument is being ignored. If I pass the argument as command line, it works.

main .dart is a simple test script using io:dart without SecurityContext.

var request = await client.getUrl(Uri.parse("https://www.google.com/"));

bin\dart.exe --version Dart SDK version: 2.12.0-13.0.dev (dev) (Mon Nov 2 15:57:37 2020 -0800) on "windows_x64"

works:
bin\dart.exe --root-certs-file=c:\dev\certs\cacerts.pem main.dart

fails:
I tried with forward, backward slashes (escaping them \\), nothing.

set DART_VM_OPTIONS=--root-certs-file-=c:\dev\certs\cacerts.pem

bin\dart.exe main.dart
Unhandled exception:
HandshakeException: Handshake error in client (OS Error:
        CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(../../third_party/boringssl/src/ssl/handshake.cc:354))

[aam]

@sliechti asked

How can I enable dart to use the default root store in windows?

With https://dart-review.googlesource.com/c/sdk/+/159202 dart vm always tries to Windows default root store, so no additional setup is needed.

I tried with DART_VM_OPTIONS and it seems the argument is being ignored.

dart binary itself doesn't use DART_VM_OPTIONS environment variable - it only accepts options specified on the command line.
DART_VM_OPTIONS is used and recognized by few command line shell scripts from dart-sdk/bin like gen_kernel, dart2js, dartanalyzer, dartdevc, pub. Those scripts essentially feed contents of this DART_VM_OPTIONS to dart binary via command line.

[sliechti]

dart binary itself doesn't use DART_VM_OPTIONS environment variable - it only accepts options specified on the command line.

@aam thank you! that makes sense. The link to the gerrit patch is very insightful too.

How can I get dart.exe to print this:

  if (SSL_LOG_STATUS) {
    Syslog::Print("Trusting Windows built-in roots\n");
  }

I tested with "Dart SDK version: 2.12.0-13.0.dev (dev) (Mon Nov 2 15:57:37 2020 -0800) on "windows_x64"" and adding the private certificates to my windows trusted root CA store with "certlm.msc" -> trusted root certificate authorities -> certificates but it still fails.

[aam]

@sliechti wrote

How can I get dart.exe to print this:

You have to rebuild dart.exe after changing https://github.com/dart-lang/sdk/blob/master/runtime/bin/secure_socket_utils.h#L22 from false to true. See https://github.com/dart-lang/sdk/wiki/Building for instructions on how to get dart-sdl source and build it on Windows.
If you ping me at aam@google.com I can share such a binary I just built.

[aam]

adding the private certificates to my windows trusted root CA store with "certlm.msc"

Also note https://github.com/dart-lang/sdk/blob/master/runtime/bin/security_context_win.cc#L46 which suggests that "Local Computer" root certificates are not checked, only "Current User". So I would try adding them with "certmgr.msc"

[sliechti]

So I would try adding them with "certmgr.msc"

@aam that did the trick, it works now. Thanks!

[Paul74]

Same problem here. Any "easy" solution or still applies micsan13br reply solution?

[Muhammad-Ullah]

@sliechti I am a beginner and I am getting the following error while getting dependencies:
Handshake error in client (OS Error:
CERTIFICATE_VERIFY_FAILED: Hostname mismatch(../../third_party/boringssl/src/ssl/handshake.cc:359))

Any solution. Thanks in advance