-
-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dependency crates-index with vendored-openssl feature fails with an SSL error #272
Comments
Should we make vendoring SSL an optional feature instead? Is that even
feasible? I haven't looked into it, just throwing an idea out there.
…On Sun, Jan 8, 2023, 12:12 PM Tomasz Nowak ***@***.***> wrote:
Steps to reproduce the bug with the above code
cargo semver-checks check-release
Actual Behaviour
Updating index
Error: SSL error: unknown error; class=Ssl (16)
Caused by:
SSL error: unknown error; class=Ssl (16)
Expected Behaviour
It should work.
Generated System Information Software version
cargo-semver-checks 0.12.1
Operating system
Linux 6.1.1-arch1-1
Command-line
/home/tonowak/.cargo/bin/cargo-semver-checks semver-checks --bugreport
cargo nightly version
> cargo +nightly -V
cargo 1.68.0-nightly (c994a4a63 2022-12-18)
Compile time information
- Profile: release
- Target triple: x86_64-unknown-linux-gnu
- Family: unix
- OS: linux
- Architecture: x86_64
- Pointer width: 64
- Endian: little
- CPU features: fxsr,llvm14-builtins-abi,sse,sse2
- Host: x86_64-unknown-linux-gnu
Additional Context
I've asked people and tried other machines and it seems to not work only
on my laptop.
The issues happens exactly here:
https://github.com/obi1kenobi/cargo-semver-checks/blob/f6b41f43cd8c70683e7fd901c34c76250baf3ef5/src/baseline.rs#L187
The tool works after removing vendored-openssl from the list of features.
Further inspection of the bug requires going into crates-index code and
debugging it there. I'll do that in some free time -- this issue is a
tracking issue for the bug.
—
Reply to this email directly, view it on GitHub
<#272>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAR5MSTMNJE3BHMF3W5332LWRLYOFANCNFSM6AAAAAATUVSZW4>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Oh, that might be a good idea. From what I remember, vendored SSL is used, because there was some problem in the CI and using it was the easiest solution, right? |
Yes, when it isn't vendored then the system must provide an OpenSSL
installation of a supported version, and it must be discoverable. This
process was a bit finicky and it was simpler just to not deal with it.
We can make vendoring a default feature that can be disabled for cases
where the user is sure their system provides an OpenSSL library already.
…On Sun, Jan 8, 2023, 1:10 PM Tomasz Nowak ***@***.***> wrote:
Oh, that might be a good idea. From what I remember, vendored SSL is used,
because there was some problem in the CI and using it was the easiest
solution, right?
—
Reply to this email directly, view it on GitHub
<#272 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAR5MSR236WZEC6WDVWILWDWRL7IBANCNFSM6AAAAAATUVSZW4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
That won't fix the underlying problem and it won't prevent an user from encountering the same bug, but I'm happy with such a solution. |
Agreed. It's a reasonable workaround until we can find the root cause.
Especially if we can catch the error when it happens and suggest disabling
the feature + link to the tracking issue, so the user doesn't have to go
look at the readme to figure out what happened and what to do about it.
…On Sun, Jan 8, 2023, 1:18 PM Tomasz Nowak ***@***.***> wrote:
That won't fix the underlying problem and it won't prevent an user from
encountering the same bug, but I'm happy with such a solution.
—
Reply to this email directly, view it on GitHub
<#272 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAR5MSU5OZU3AONDEKNNCFTWRMAFVANCNFSM6AAAAAATUVSZW4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I have also just run into this exact error |
Interesting. Probably you haven't changed your local build setup nor the Rust version, so it might be related with the packages in the distribution. Now that there are two of us with this issue, there is a high chance that other users of the tool will also stumble on this bug -- that's bad news. Edit: oh wait, it was the non-vendored version that used the openssl already present in the system. I don't know anymore how to reproduce this bug. |
I'm also having this issue on Arch Linux:
|
@epage have you by any chance seen this sort of error before? Based on the printout, this is happening somewhere in |
THis is all with the latest git2, right? If so, then it is likely related to actually checking SSL certificates. My first lines of investigation would be whether crates-index is fetching using https or ssh and the second is if people running into this issue remapped their remotes to turn crates-index https fetches into ssh fetches. |
I have used the following, but it's currently commented out:
Looking at the connection using wireshark, the client is sending a TCP RST after trying to start a TLS session. |
cargo-semver-checks 0.16.1 has latest git2. I think remapping remotes to turn https into ssh fetches will fail with a different symptom and error message — we have an open issue for it: #295 @wcampbell0x2a does the client receive the "server hello" part of the TLS handshake, or does it RST before that? If there's a "server hello," can you check what cert is included / whether it's valid? |
Last I knew, crates-index did not support the sparse registry protocol. |
Fascinating, thanks for sharing it! If it's no trouble, I'd love to see the contents of the "Change Cipher Spec" and "Application Data" packets going in both directions between the "Server Hello" and the RST. This looks likely to be some sort of incompatibility between the vendored OpenSSL and the GitHub server, and I'd love to give the upstream maintainers as much data as possible in the bug report. If it's easier for you, feel free to attach the packet dump file corresponding to the screenshot — I don't mind digging into it on my own. Again, very much appreciate your help in diagnosing this unfortunate issue. |
I cannot reproduce this issue anymore -- probably updating the packages in my Arch solved the issue. Nevertheless #324 has been merged and released, thus it is now possible to use the openssl installed on the system (instead of the vendored one) through |
Can confirm this works, thanks for the fix |
Thanks for confirming and for your patience while we got to the bottom of this! |
Huh, somehow the issue is still present on my (other) machine. At least now I can also confirm that the feature works. |
Steps to reproduce the bug with the above code
cargo semver-checks check-release
Actual Behaviour
Updating index
Error: SSL error: unknown error; class=Ssl (16)
Caused by:
SSL error: unknown error; class=Ssl (16)
Expected Behaviour
It should work.
Generated System Information
Software version
cargo-semver-checks 0.12.1
Operating system
Linux 6.1.1-arch1-1
Command-line
cargo nightly version
Compile time information
Additional Context
I've asked people and tried other machines and it seems to not work only on my laptop.
The issues happens exactly here:
cargo-semver-checks/src/baseline.rs
Line 187 in f6b41f4
The tool works after removing
vendored-openssl
from the list of features.Further inspection of the bug requires going into
crates-index
code and debugging it there. I'll do that in some free time -- this issue is a tracking issue for the bug.The text was updated successfully, but these errors were encountered: