Handshake Error - Connection Verify Failed #32131

Open
jakobr-google opened this issue Feb 13, 2018 · 28 comments

Comments

@jakobr-google
Contributor

commented Feb 13, 2018

From @anubhaavofficial on February 7, 2018 4:19

URL: https://pub.dartlang.org/flutter

When using the Flutter Doctor command, I am getting the error (look at the screenshot). When I changed the environment variables to

PUB_HOSTED_URL=https://pub.flutter-io.cn
FLUTTER_STORAGE_BASE_URL=https://storage.flutter-io.cn

then the 'pub' command is working fine and I am able to install flutter correctly.

I am in India; this issue has persisted for the last 2-3 weeks, and I am not able to install pub packages from the default server.

Error: When using default server settings.

flutterdoctor

Success: When Using China Mirror

flutternewdoctor

Copied from original issue: dart-lang/pub-dev#966

@jakobr-google

Contributor Author

commented Feb 13, 2018

Do you have a proxy or something in the way that might serve a self-signed certificate for pub.dartlang.org? Can you access https://pub.dartlang.org/ in a browser without warnings?

Could you post the output of running

openssl s_client -showcerts -servername pub.dartlang.org -connect pub.dartlang.org:443

?

@jakobr-google

Contributor Author

commented Feb 13, 2018

From @anubhaavofficial on February 8, 2018 15:31

No, I do not have any proxy setup. Yes, I can access https://pub.dartlang.org/ without any warnings. I am attaching the screenshot of that.

image

OpenSSL Command Screenshots

image

image

@jakobr-google

Contributor Author

commented Feb 13, 2018

For some reason, the trust store that both openssl and pub use doesn't have the GeoTrust Global CA in it, so they think it's a self-signed certificate. Chrome is happy with the certificate, so it must be using a different store.

The certificate chain is *.dartlang.org -> Google Internet Authority G2 -> GeoTrust Global CA.

So, something's gone wrong with the CA trust store on your machine, AFAICT. This doesn't look like an issue with the pub site itself, so I'm moving this bug over to the Dart SDK to see if they have a better idea of what might be wrong.

@jakobr-google

Contributor Author

commented Feb 13, 2018

SDK gurus, do we use Windows' built-in trust store?

@zanderso

Member

commented Feb 13, 2018

We do not use Windows' built-in trust store. We use a compiled-in bundle of root certs from here: https://github.com/dart-lang/root_certificates. It sounds like they need to be updated. Possibly related: #31948 and #32129 /cc @aam

@anubhaavofficial

commented Feb 13, 2018

Temporary relief is when setting environment vars as:

PUB_HOSTED_URL=https://pub.flutter-io.cn
FLUTTER_STORAGE_BASE_URL=https://storage.flutter-io.cn

Flutter is working perfectly when using the above settings. But the permanent solution is required.

dart-bot pushed a commit that referenced this issue Feb 13, 2018

[infra] Update trusted root certs
related #32131

Change-Id: Icfa5322cbb88af625ce612f7b06fb6248bc3d330
Reviewed-on: https://dart-review.googlesource.com/40860
Reviewed-by: Siva Annamalai <asiva@google.com>
Commit-Queue: Zach Anderson <zra@google.com>
@goderbauer

Contributor

commented Feb 27, 2018

FYI, a user on Twitter is reporting that disabling his virus scanner fixed the error for him: https://twitter.com/morxs/status/968431592594063362

@anubhaavofficial

commented Mar 1, 2018

@aboodh95

commented Mar 2, 2018

Stopping the protection of Kaspersky worked for me and the issue is solved.

@alexzimmer96

commented Mar 2, 2018

I'm just running into this error when I wanted to try Flutter. My cert-chain also does not contain any CAs:

---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2695 bytes and written 286 bytes
Verification error: unable to get local issuer certificate
---

Using Windows 10, Version 1709

@AltairCA

commented Mar 24, 2018

I disabled Kaspersky temporarily and then it worked.

image

@alexzimmer96

commented Apr 7, 2018

I tried it with Kaspersky disabled too, but it did not work.

@peenaphoenix

commented Jul 10, 2018

I am behind the corporate proxy and there is a self-signed certificate in the certificate chain.
Dart / Flutter PUB upgrade throws the error "TLS error", and with verbose output it is found to be a SELF_SIGNED certificate in the chain.

I have gone through all the comments and none fixed the issue. Can you please help in resolving the issue?

I have the CA cert file with me. Just as we add the CA file in npm, do we have any option to add the root CA?

@peenaphoenix

commented Jul 30, 2018

Any update on the problem mentioned above?

I am behind the corporate proxy and there is a self-signed certificate in the certificate chain.
Dart / Flutter PUB upgrade throws the error "TLS error", and with verbose output it is found to be a SELF_SIGNED certificate in the chain.

I have gone through all the comments and none fixed the issue. Can you please help in resolving the issue?

I have the CA cert file with me. Just as we add the CA file in npm, do we have any option to add the root CA?

@philippmay3r

commented Sep 8, 2018

I am using Kaspersky and I searched for some issues. I found two settings which helped me:

  • add "pub.dartlang.org" as an exclusion in "Network settings"
  • set the option "Encrypted connections scanning" to: "Scan encrypted connections upon request from protection components"

image

@BerndWessels

commented Sep 30, 2018

@peenaphoenix I think I have exactly the same situation now. Our company just put some Cisco magic into our network and it seems to mess with HTTPS certs (man-in-the-middle monitoring, maybe).
Is there any way to use pub just with HTTP, or at least get a workaround for the HTTPS errors?

@robertpro

commented Oct 8, 2018

Is there a way to simply ignore the certificate?

@larelb

commented Oct 30, 2018

@peenaphoenix @BerndWessels @robertpro - I am in the same boat. Have any of you guys found a solution to add in a cert?

@robertpro

This comment has been minimized.

@larelb

commented Oct 30, 2018

@robertpro Thanks. I'm wondering if there is a way to do it with pub just to download the dependencies that Flutter needs such as with NPM, Composer, or any other build tool that requires SSL verification.

@larelb

commented Nov 20, 2018

@peenaphoenix Did you ever figure it out?

@katatema

commented Dec 7, 2018

Now.
The certificate chain is *.dartlang.org -> Zscaler Intermediated Root CA -> Zscaler Root CA.
If you use https://github.com/dart-lang/root_certificates, then why not include the Zscaler CA?

@jonasfj

Contributor

commented Apr 2, 2019

The certificate chain is *.dartlang.org -> Zscaler Intermediated Root CA -> Zscaler Root CA.

From where I'm sitting this is not the certificate chain I'm seeing, you're likely behind a proxy product that is man-in-the-middle-monitoring your HTTPS connections. You'll likely need to figure out how to add the CA to the trust store used by Dart.
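
An added example (not code from this thread or from the Dart project) that separates the two failure modes discussed here from `openssl s_client -showcerts` output: an expected chain that the local root bundle cannot anchor, versus a chain re-signed by an inspecting proxy or antivirus. The sample outputs and the proxy CA names are constructed; the expected issuer names are the ones quoted earlier in the thread.

```python
import re

# Constructed s_client output (PEM bodies and most DN fields omitted); proxy CA names are made up.
SAMPLE_INTERCEPTED = """\
Certificate chain
 0 s:/CN=*.dartlang.org
   i:/CN=Example Proxy Intermediate CA
 1 s:/CN=Example Proxy Intermediate CA
   i:/CN=Example Proxy Root CA
    Verify return code: 19 (self signed certificate in certificate chain)
"""
SAMPLE_MISSING_ROOT = """\
Certificate chain
 0 s:/CN=*.dartlang.org
   i:/CN=Google Internet Authority G2
 1 s:/CN=Google Internet Authority G2
   i:/CN=GeoTrust Global CA
    Verify return code: 20 (unable to get local issuer certificate)
"""
EXPECTED_ISSUERS = {"Google Internet Authority G2", "GeoTrust Global CA"}  # as quoted in the thread

_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")
_CN = re.compile(r"CN\s*=\s*([^,/]+)")  # handles both "/CN=x" and "CN = x" DN styles
_VERIFY = re.compile(r"Verify return code:\s*(\d+)")

def _cn(dn):
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        if m := _SUBJECT.match(line):
            subject = _cn(m.group(1))
        elif (m := _ISSUER.match(line)) and subject is not None:
            chain.append((subject, _cn(m.group(1))))
            subject = None
    return chain

def diagnose(text, expected_issuers=EXPECTED_ISSUERS):
    """Classify the handshake: 'intercepted', 'trust-store', 'ok' or 'unknown'."""
    chain = parse_chain(text)
    m = _VERIFY.search(text)
    code = int(m.group(1)) if m else None
    unexpected = [iss for _, iss in chain if iss not in expected_issuers]
    # Any issuer outside the expected set means the leaf was re-signed in transit.
    verdict = ("intercepted" if unexpected else "ok" if code == 0
               else "trust-store" if code else "unknown")
    return {"chain": chain, "code": code, "verdict": verdict, "unexpected": unexpected}
```

A "trust-store" verdict points at the client's root bundle, while "intercepted" points at a proxy or antivirus CA that the client would have to trust explicitly.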

@katatema

commented Apr 2, 2019

I understand.
Exactly, I've used a proxy server.
The certificate is sent by the proxy.

@pawangjain

commented Apr 3, 2019

Hello

Where is the Dart's/Flutter's truststore file located in Windows?

Is it possible to add the certificate to the flutter's truststore like it is done for Java's truststore (cacerts) using the keytool command or is there some other command?

How to add a certificate PEM/CRT file to the trust store used by Flutter/Dart?

Thanks.

@a-siva

Contributor

commented May 25, 2019

Is this still a 'p1-high', which usually means 'Planned for the in-progress release'?

@nwildner

commented Jun 24, 2019

And just to add more information to this issue: if you are managing any NextGen firewall (Checkpoint, FortiGate, Palo Alto, Sophos...) at your company like me, you will face this issue if you have SSL Inspection enabled. That is also why this problem happens with some home antiviruses, because they have this feature enabled.

It comes down to the point where creating SSL Inspection exceptions for "pub.dartlang.org" and "pub.dev" (god, why so many redirects) will not be enough, since it will in the end try to use "storage.googleapis.com" as the download URL for Dart packages, and I will not create an exception for such a broad domain/URL.

@jonasfj jonasfj added area-library and removed area-vm labels Jun 24, 2019

@jonasfj

Contributor

commented Jun 24, 2019

/CC @sortie
