HTTPS remotes failing on MacOS via TLS 1.0 / 1.1 #331

Closed
nfultz opened this issue Mar 5, 2018 · 14 comments

@nfultz

nfultz commented Mar 5, 2018

On our travis CI, we push to a drat repo on github - we seem to be getting the following error message now:

```
  m <- tempfile()
  url <- "https://github.com/DeclareDesign/declaredesign.github.io.git"
  repo <- git2r::clone(url, m)
Updating drat via travis
Loading required namespace: git2r
Loading required namespace: drat
cloning into '/var/folders/bb/n7t3rs157850byt_jfdcq9k80000gn/T//RtmptwKeZs/file1a471d997a3f'...
Error in git2r::clone(url, m) : 
  Error in 'git2r_clone': SSL error: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Calls: <Anonymous> ... x -> <Anonymous> -> <Anonymous> -> <Anonymous> -> .Call
Execution halted
```

from here https://travis-ci.org/DeclareDesign/estimatr/jobs/345799903

GitHub recently changed their encryption, which is probably related - https://blog.github.com/2018-02-23-weak-cryptographic-standards-removed/

@nfultz
Author

nfultz commented Mar 5, 2018

Also this seems to only affect Mac builds.

@nfultz
Author

nfultz commented Mar 6, 2018

This also appears to affect http://github.com/eddelbuettel/drat and http://github.com/r-lib/devtools

@nfultz
Author

nfultz commented Mar 7, 2018

This is what github support wrote to me:


Hey Neal,

> git2r uses libgit2 - it's working on windows and linux, but not on mac. Is there something about Macs that would be different?

Thanks for clarifying that! Do you know what version of libgit2 is being used? They did release some new versions to handle TLSv1.2, though the release notes specifically mention that was for Windows:


https://github.com/libgit2/libgit2/releases

If this is only happening on a Mac, you may need to make sure that the version of libgit2 that's being used is modern enough to be built against the latest versions of OpenSSL and libssh2. We've had some users using libgit2 have luck by compiling with the latest version of libssh2.

Though, I imagine that would mainly help with SSH connections and your error is specifically about HTTPS connections. In which case, usually just updating Git does the trick on Mac. So if you're able to compile git2r locally with an updated version of libgit2, you might have luck getting this working without the project officially updating.

I know this is getting a bit complicated with cascading builds, but I hope this at least points you or the git2r team in the right direction!

Best,
Shawna

@stewid
Member

stewid commented Mar 7, 2018

Does it work if you build git2r against the latest versions of OpenSSL and libssh2?

@nfultz
Author

nfultz commented Mar 7, 2018

Bryce (@amoeba) rebuilt from master and had git2r::clone work - here is his sessionInfo() -

```
> devtools::session_info()
Session info ------------------------------------------------------------------
 setting  value
 version  R version 3.4.3 (2017-11-30)
 system   x86_64, darwin15.6.0
 ui       X11
 language (EN)
 collate  en_US.UTF-8
 tz       America/Juneau
 date     2018-03-07

Packages ----------------------------------------------------------------------
 package   * version     date       source
 base      * 3.4.3       2017-12-07 local
 compiler    3.4.3       2017-12-07 local
 datasets  * 3.4.3       2017-12-07 local
 devtools    1.13.5      2018-02-18 CRAN (R 3.4.3)
 digest      0.6.15      2018-01-28 CRAN (R 3.4.3)
 git2r       0.21.0.9002 2018-03-07 Github (ropensci/git2r@0e3e284)
 graphics  * 3.4.3       2017-12-07 local
 grDevices * 3.4.3       2017-12-07 local
 memoise     1.1.0       2018-02-08 Github (hadley/memoise@611cfad)
 methods   * 3.4.3       2017-12-07 local
 remotes     1.1.1       2017-12-20 CRAN (R 3.4.3)
 stats     * 3.4.3       2017-12-07 local
 tools       3.4.3       2017-12-07 local
 utils     * 3.4.3       2017-12-07 local
 withr       2.1.1       2017-12-19 CRAN (R 3.4.3)
>
```

@nfultz
Author

nfultz commented Mar 7, 2018

He has:

`openssl: stable 1.0.2n (bottled) [keg-only]`
`libssh2: stable 1.8.0 (bottled), HEAD`

installed.

@nfultz
Author

nfultz commented Mar 7, 2018

Adding

    r_github_packages:
    - ropensci/git2r

to our travis config seems to make it work. Any chance of getting that version on CRAN reasonably soon?

@jeroen
Member

jeroen commented Mar 8, 2018

@nfultz that won't fix it. The difference is that when git2r is installed from source on travis it links against homebrew openssl/libssh2. However, the git2r CRAN binary package is linked against macOS legacy OpenSSL 0.9.8:

```
> system2("otool", c("-L", system.file('libs/git2r.so', package = 'git2r')))
/Library/Frameworks/R.framework/Versions/3.4/Resources/library/git2r/libs/git2r.so:
	git2r.so (compatibility version 0.0.0, current version 0.0.0)
	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/Library/Frameworks/R.framework/Versions/3.4/Resources/lib/libR.dylib (compatibility version 3.4.0, current version 3.4.3)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1259.11.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
```
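
The linkage check in the comment above, turned into a reusable audit (an added example, not part of the original thread or of git2r): it parses `otool -L` output and classifies the TLS backend a binary links against, going slightly beyond the thread by also covering the Homebrew and Secure Transport cases. The function name, verdict strings and sample inputs are constructed for illustration.

```python
import re

# The number in a libssl file name is its ABI version, not the release:
# OpenSSL 1.0.0 through 1.0.2 all install libssl.1.0.0.dylib.
LIBSSL = re.compile(r"^\s*(\S*/libssl\.(\d+(?:\.\d+)*)\.dylib)\s")
SECURITY_FW = re.compile(r"^\s*\S*/Security\.framework/\S+\s")

# Constructed sample: excerpt of the otool output quoted in the thread.
LEGACY_SAMPLE = (
    "git2r.so:\n"
    "\t/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)\n"
    "\t/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)\n"
    "\t/usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)\n"
)
# Constructed sample: a Secure Transport build (version numbers are made up).
SECURE_TRANSPORT_SAMPLE = (
    "git2r.so:\n"
    "\t/System/Library/Frameworks/Security.framework/Versions/A/Security"
    " (compatibility version 1.0.0, current version 1.0.0)\n"
    "\t/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)\n"
)


def tls_backend_verdict(otool_output):
    """Return (verdict, libssl_path_or_None) for `otool -L` output."""
    libssl = None
    secure_transport = False
    for line in otool_output.splitlines():
        m = LIBSSL.match(line)
        if m:
            abi = tuple(int(part) for part in m.group(2).split("."))
            libssl = (m.group(1), abi)
        elif SECURITY_FW.match(line):
            secure_transport = True
    if libssl is not None:
        path, abi = libssl
        if abi < (1, 0, 0):
            # OpenSSL 0.9.x has no TLS 1.1/1.2 support at all.
            return "legacy-openssl-no-tls12", path
        if abi < (1, 1):
            # ABI 1.0.0 spans release 1.0.0 (no TLS 1.2) up to 1.0.2.
            return "openssl-1.0.x-check-release", path
        return "openssl-tls12-capable", path
    if secure_transport:
        return "secure-transport", None
    return "no-tls-backend-found", None


if __name__ == "__main__":
    print(tls_backend_verdict(LEGACY_SAMPLE))
```

On a real system, feed it the text returned by `otool -L` for each installed `.so`; a `legacy-openssl-no-tls12` verdict identifies binaries that will fail against servers that have dropped TLS 1.0 and 1.1.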

@stewid
Member

stewid commented Mar 8, 2018

I have changed the build configuration script to set the libgit2 definition -DGIT_SECURE_TRANSPORT=1 on macOS to use the Security and CoreFoundation framework for https backend (https://github.com/libgit2/libgit2/blob/master/src/CMakeLists.txt#L136)

Does it work to clone after that change?

@jeroen
Member

jeroen commented Mar 9, 2018

@stewid great that's a much better solution!

@jennybc
Member

jennybc commented Mar 9, 2018

In the name of making problem & resolution more discoverable, this issue is really about git clone via HTTPS on macOS, right? I'm sure it would also affect git push, but AFAICT the original problem is a clone of a public repo.

There's a lot going on in the git/git2r space and this might help people isolate different issues.

jeroen changed the title from "Pusing to github failing on Mac" to "HTTPS remotes failing on MacOS via TLS 1.2" Mar 9, 2018

@nfultz
Author

nfultz commented Mar 9, 2018 via email

@jimhester
Contributor

jimhester commented Mar 13, 2018

FWIW this also breaks git2r::remote_ls() against GitHub repositories, which is used by devtools.

e.g. git2r::remote_ls("https://github.com/r-lib/devtools.git")

I have confirmed that installing devel git2r fixes this issue.

@jimhester
Contributor

Btw this issue affects the CRAN release of devtools pretty heavily on macOS, because it uses git2r::remote_ls() to retrieve the remote sha and determine if it needs to reinstall an existing package.

So getting a new version of git2r on CRAN with these changes sooner rather than later would be helpful!

jeroen changed the title from "HTTPS remotes failing on MacOS via TLS 1.2" to "HTTPS remotes failing on MacOS via TLS 1.0 / 1.1" Mar 13, 2018

stewid closed this as completed Jul 26, 2018