dependency crates-index with vendored-openssl feature fails with an SSL error

[tonowak]

Steps to reproduce the bug with the above code

cargo semver-checks check-release

Actual Behaviour

Updating index
Error: SSL error: unknown error; class=Ssl (16)

Caused by:
SSL error: unknown error; class=Ssl (16)

Expected Behaviour

It should work.

Generated System Information

Software version

cargo-semver-checks 0.12.1

Operating system

Linux 6.1.1-arch1-1

Command-line

/home/tonowak/.cargo/bin/cargo-semver-checks semver-checks --bugreport

cargo nightly version

> cargo +nightly -V
cargo 1.68.0-nightly (c994a4a63 2022-12-18)

Compile time information

• Profile: release
• Target triple: x86_64-unknown-linux-gnu
• Family: unix
• OS: linux
• Architecture: x86_64
• Pointer width: 64
• Endian: little
• CPU features: fxsr,llvm14-builtins-abi,sse,sse2
• Host: x86_64-unknown-linux-gnu

Additional Context

I've asked people and tried other machines and it seems to not work only on my laptop.

The issues happens exactly here:

cargo-semver-checks/src/baseline.rs

Line 187 in f6b41f4

while need_retry(index.update())? {

The tool works after removing vendored-openssl from the list of features.

Further inspection of the bug requires going into crates-index code and debugging it there. I'll do that in some free time -- this issue is a tracking issue for the bug.

[obi1kenobi]

Should we make vendoring SSL an optional feature instead? Is that even feasible? I haven't looked into it, just throwing an idea out there.

…

On Sun, Jan 8, 2023, 12:12 PM Tomasz Nowak ***@***.***> wrote: Steps to reproduce the bug with the above code cargo semver-checks check-release Actual Behaviour Updating index Error: SSL error: unknown error; class=Ssl (16) Caused by: SSL error: unknown error; class=Ssl (16) Expected Behaviour It should work. Generated System Information Software version cargo-semver-checks 0.12.1 Operating system Linux 6.1.1-arch1-1 Command-line /home/tonowak/.cargo/bin/cargo-semver-checks semver-checks --bugreport cargo nightly version > cargo +nightly -V cargo 1.68.0-nightly (c994a4a63 2022-12-18) Compile time information - Profile: release - Target triple: x86_64-unknown-linux-gnu - Family: unix - OS: linux - Architecture: x86_64 - Pointer width: 64 - Endian: little - CPU features: fxsr,llvm14-builtins-abi,sse,sse2 - Host: x86_64-unknown-linux-gnu Additional Context I've asked people and tried other machines and it seems to not work only on my laptop. The issues happens exactly here: https://github.com/obi1kenobi/cargo-semver-checks/blob/f6b41f43cd8c70683e7fd901c34c76250baf3ef5/src/baseline.rs#L187 The tool works after removing vendored-openssl from the list of features. Further inspection of the bug requires going into crates-index code and debugging it there. I'll do that in some free time -- this issue is a tracking issue for the bug. — Reply to this email directly, view it on GitHub <#272>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAR5MSTMNJE3BHMF3W5332LWRLYOFANCNFSM6AAAAAATUVSZW4> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[tonowak]

Oh, that might be a good idea. From what I remember, vendored SSL is used, because there was some problem in the CI and using it was the easiest solution, right?

[obi1kenobi]

Yes, when it isn't vendored then the system must provide an OpenSSL installation of a supported version, and it must be discoverable. This process was a bit finicky and it was simpler just to not deal with it. We can make vendoring a default feature that can be disabled for cases where the user is sure their system provides an OpenSSL library already.

…

On Sun, Jan 8, 2023, 1:10 PM Tomasz Nowak ***@***.***> wrote: Oh, that might be a good idea. From what I remember, vendored SSL is used, because there was some problem in the CI and using it was the easiest solution, right? — Reply to this email directly, view it on GitHub <#272 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAR5MSR236WZEC6WDVWILWDWRL7IBANCNFSM6AAAAAATUVSZW4> . You are receiving this because you commented.Message ID: ***@***.***>

[tonowak]

That won't fix the underlying problem and it won't prevent an user from encountering the same bug, but I'm happy with such a solution.

[obi1kenobi]

Agreed. It's a reasonable workaround until we can find the root cause. Especially if we can catch the error when it happens and suggest disabling the feature + link to the tracking issue, so the user doesn't have to go look at the readme to figure out what happened and what to do about it.

…

On Sun, Jan 8, 2023, 1:18 PM Tomasz Nowak ***@***.***> wrote: That won't fix the underlying problem and it won't prevent an user from encountering the same bug, but I'm happy with such a solution. — Reply to this email directly, view it on GitHub <#272 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAR5MSU5OZU3AONDEKNNCFTWRMAFVANCNFSM6AAAAAATUVSZW4> . You are receiving this because you commented.Message ID: ***@***.***>

[staniewzki]

I have also just run into this exact error

[tonowak]

Interesting. Probably you haven't changed your local build setup nor the Rust version, so it might be related with the packages in the distribution. Now that there are two of us with this issue, there is a high chance that other users of the tool will also stumble on this bug -- that's bad news.

Edit: oh wait, it was the non-vendored version that used the openssl already present in the system. I don't know anymore how to reproduce this bug.

[wcampbell0x2a]

I'm also having this issue on Arch Linux:

$ uname -r -s
Linux 6.1.7-arch1-1
$ cargo --version
cargo 1.68.0-nightly (a5d47a725 2023-01-16)
$ cargo semver-checks check-release
    Updating index
Error: the server did not provide a certificate; class=Ssl (16)

Caused by:
    the server did not provide a certificate; class=Ssl (16)
$ cargo semver-checks check-release --version
cargo-semver-checks-check-release 0.16.1

[obi1kenobi]

@epage have you by any chance seen this sort of error before? Based on the printout, this is happening somewhere in git2 via crates-index and based on @tonowak's tests it seems to be related to whether OpenSSL is vendored in or not. The error message blames the server, but "GitHub's servers have misconfigured SSL" seems like a way too bold a claim with the evidence we have so far. Any advice?

[epage]

THis is all with the latest git2, right?

If so, then it is likely related to actually checking SSL certificates. My first lines of investigation would be whether crates-index is fetching using https or ssh and the second is if people running into this issue remapped their remotes to turn crates-index https fetches into ssh fetches.

[wcampbell0x2a]

I have used the following, but it's currently commented out:

$ bat ~/.cargo/config --plain
#[registry]
#crates-io.protocol = "sparse"

Looking at the connection using wireshark, the client is sending a TCP RST after trying to start a TLS session.

[obi1kenobi]

cargo-semver-checks 0.16.1 has latest git2. I think remapping remotes to turn https into ssh fetches will fail with a different symptom and error message — we have an open issue for it: #295

@wcampbell0x2a does the client receive the "server hello" part of the TLS handshake, or does it RST before that? If there's a "server hello," can you check what cert is included / whether it's valid?

[epage]

Last I knew, crates-index did not support the sparse registry protocol.

[wcampbell0x2a]

[obi1kenobi]

Fascinating, thanks for sharing it!

If it's no trouble, I'd love to see the contents of the "Change Cipher Spec" and "Application Data" packets going in both directions between the "Server Hello" and the RST. This looks likely to be some sort of incompatibility between the vendored OpenSSL and the GitHub server, and I'd love to give the upstream maintainers as much data as possible in the bug report.

If it's easier for you, feel free to attach the packet dump file corresponding to the screenshot — I don't mind digging into it on my own.

Again, very much appreciate your help in diagnosing this unfortunate issue.

[tonowak]

I cannot reproduce this issue anymore -- probably updating the packages in my Arch solved the issue. Nevertheless #324 has been merged and released, thus it is now possible to use the openssl installed on the system (instead of the vendored one) through cargo install cargo-semver-checks --locked --no-default-features. @wcampbell0x2a can you still reproduce this issue / does this temporary fix work for you?

[tonowak]

Actually, this bug is no longer present since #318 has been merged. It seems that using a newer version of git2 fixed the issue -- I've confirmed this by running the tool on the commit just before #318 has been merged and just after. I'm closing the issue :)

[wcampbell0x2a]

I cannot reproduce this issue anymore -- probably updating the packages in my Arch solved the issue. Nevertheless #324 has been merged and released, thus it is now possible to use the openssl installed on the system (instead of the vendored one) through cargo install cargo-semver-checks --locked --no-default-features. @wcampbell0x2a can you still reproduce this issue / does this temporary fix work for you?

Can confirm this works, thanks for the fix

[obi1kenobi]

Thanks for confirming and for your patience while we got to the bottom of this!

[tonowak]

Actually, this bug is no longer present since #318 has been merged. It seems that using a newer version of git2 fixed the issue -- I've confirmed this by running the tool on the commit just before #318 has been merged and just after. I'm closing the issue :)

Huh, somehow the issue is still present on my (other) machine. At least now I can also confirm that the feature works.