"SSL connect error" on Windows

[gm23]

I am currently building servo on Windows 10 Pro, version 1511 (64-bit), with msys2 (64-bit) and inside the MinGW-w64 shell, and I get the following error message:

$ ./mach build --release --verbose
cargo build --release -v
 Downloading url v0.5.5
unable to get packages from source

Caused by:
  failed to download package `url v0.5.5` from https://crates.io/api/v1/crates/url/0.5.5/download

Caused by:
  SSL connect error
Build completed in 2.15s

Which is strange as curl works without problems (with redirection):

$ curl -v -L https://crates.io/api/v1/crates/url/0.5.5/download > file
* timeout on name lookup is not supported
*   Trying 23.21.180.91...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to crates.io (23.21.180.91) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/msys64/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2152 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*        subject: CN=www.crates.io
*        start date: Nov  5 16:52:33 2015 GMT
*        expire date: Nov  7 22:55:23 2016 GMT
*        subjectAltName: crates.io matched
*        issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
*        SSL certificate verify ok.
} [5 bytes data]
> GET /api/v1/crates/url/0.5.5/download HTTP/1.1
> Host: crates.io
> User-Agent: curl/7.47.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 302 Found
< Connection: keep-alive
< Server: nginx
< Date: Thu, 10 Mar 2016 03:58:47 GMT
< Transfer-Encoding: chunked
< Location: https://crates-io.s3-us-west-1.amazonaws.com/crates/url/url-0.5.5.crate
< Set-Cookie: cargo_session=--PBVtejYpqgihoNU4gy+Z6jCDXMg=; HttpOnly; Secure; Path=/
< Strict-Transport-Security: max-age=31536000
< Via: 1.1 vegur
<
* Ignoring the response-body
{ [5 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host crates.io left intact
* Issue another request to this URL: 'https://crates-io.s3-us-west-1.amazonaws.com/crates/url/url-0.5.5.crate'
* timeout on name lookup is not supported
*   Trying 54.231.236.0...
* Connected to crates-io.s3-us-west-1.amazonaws.com (54.231.236.0) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/msys64/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2544 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*        subject: C=US; ST=Washington; L=Seattle; O=Amazon.com Inc.; CN=*.s3-us-west-1.amazonaws.com
*        start date: Dec  8 12:05:08 2015 GMT
*        expire date: Sep 21 12:00:00 2016 GMT
*        subjectAltName: crates-io.s3-us-west-1.amazonaws.com matched
*        issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
*        SSL certificate verify ok.
} [5 bytes data]
> GET /crates/url/url-0.5.5.crate HTTP/1.1
> Host: crates-io.s3-us-west-1.amazonaws.com
> User-Agent: curl/7.47.1
> Accept: */*
>
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{ [5 bytes data]
< HTTP/1.1 200 OK
< x-amz-id-2: bLCVbUt7EAiyHdocFASXq5cvWafLdRMqsy26ipTQLL9JtqAuav3qe4WyCc5gv4LPOajZ9XbaWWc=
< x-amz-request-id: 13BCB59D959EBB6A
< Date: Thu, 10 Mar 2016 03:58:49 GMT
< Last-Modified: Wed, 10 Feb 2016 15:54:33 GMT
< ETag: "94ea7a572a87cab3383bc45f9024a730"
< Accept-Ranges: bytes
< Content-Type: application/x-tar
< Content-Length: 281821
< Server: AmazonS3
<
{ [5 bytes data]
100  275k  100  275k    0     0   212k      0  0:00:01  0:00:01 --:--:--  764k
* Connection #1 to host crates-io.s3-us-west-1.amazonaws.com left intact

I even tried to disable the Windows firewall completely, still with the same result (also that would not explain why curl works and cargo does not).

I would appreciate if someone could name a few options to get a more verbose output from cargo (more verbose than --verbose).

[alexcrichton]

Do you have any other firewalls or antivirus programs in play? We use WinHTTP so whether or not curl works locally is likely a red herring.

[pffang]

Sadly, http.cainfo doesn't work on Windows MSYS2.

[alexcrichton]

@pffang oh I think that's because on Windows you can't actually specify a custom certificate for a secure connection, the system root trust store must be modified. I think curl may actually just ignore that option on Windows...

[pffang]

@alexcrichton Em...But the custom certificate what is used in my Ubuntu machine was exported from 'Trusted Root Certification Authorities' of my Windows machine.
Administrators already installed the custom certificates in every computer of my company.

[alexcrichton]

@pffang oh dear! In that case I think libcurl should work, although I don't know why it wouldn't :(

Unless maybe some other certificate is being negotiated?

[nugend]

In general the way cargo is surfacing connection related issues is really frustrating. I've just spent 2+ hours banging my head trying to figure out what is going wrong with my Proxy (I think my problem might have something to do with NTLM... maybe? still not really sure).

[alexcrichton]

@nugend unfortunately I think these errors are originating from libcurl and we're not getting much more from the library currently. Do you have the ability to try a dev version of Cargo though? Doing some digging I found another option in libcurl which may help us extract more information.

[alexcrichton]

I've updated the libcurl Rust bindings, and if you can give #3137 a whirl it'd be valuable to see if that has an impact here!

I know libcurl errors also can come from libgit2, and I want to make sure we're not accidentally losing information there as well.

[nugend]

@alexcrichton I'll see what I can do, but (please correct me if I'm wrong): Don't I need to be able to have cargo download dependencies in order to build cargo?

[alexcrichton]

@nugend true yeah, to build Cargo you'll need Cargo to download pieces here and there. Another option is to wait until #3137 is merged and we'll have new nightlies available.

[alexcrichton]

@nugend as a heads up #3137 landed recently so the next nightly of Cargo should have that extra info. Want to give it a spin and see if it gives you a better error?

[nugend]

So I actually managed to figure out my problem (the cert chain for the proxy was separate from the global cert chain and they needed to be combined correctly).

But I did just try the nightly version with the correct configs removed (tried stepping through a few of the scenarios I was trying to fix it with)

Some of the error messages are definitely better. The error message that I was getting stuck on (60) isn't really better at all though (basically, not knowing which peer certificate can't be authenticated makes it very confusing about what's going on and the curl error text doesn't report jack shit about that. I'm also honestly confused about how the curl command line is finding certificates that work with the proxy, but that's got nothing to do with Cargo).

Still, it's definitely a net win in terms of making it easier to diagnose why some of the failures are happening.

The only additional suggestion I would make here is that it would be helpful to indicate that the error code reported is a libcurl error code.

[alexcrichton]

Awesome, thanks for the update @nugend!

[drazde]

I have a similar problem on Windows 7

C:\>cargo install racer --verbose
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading racer v2.0.5
error: [35] SSL connect error (schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.)

a. I'm not behind proxy (I also try with another connection)
b. I try to switch off firewall and antivirus without success
b. I try with set cainfo (or sslVerify) but without success

What can I try now?

[alexcrichton]

@drazde that looks like it may be a local configuration issue? Do you have a custom CA installed? Docs like this I found on google suggest something along the lines of:

 certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

(probably changing the specifics depending on your local setup)

[drazde]

@alexcrichton thanks for your answer!.
I don't have a custon CA, or I don't think, I'm not very expert of this...

I try to execute the command that you explain, but it give me this:

CertUtil: comando -setreg NON RIUSCITO: 0x80070002 (WIN32: 2)
CertUtil: Impossibile trovare il file specificato.

Seem the CRLFlags doesn't exists !?!

[drazde]

C:\>certutil -config - -ping
Non sono state trovate Autorità di certificazione attive: Dati disponibili esauriti. 0x80070103 (WIN32/HTTP: 259)
CertUtil: comando -ping NON RIUSCITO: 0x80070103 (WIN32/HTTP: 259)
CertUtil: Dati disponibili esauriti.

[alexcrichton]

@drazde yeah I'm not so sure myself, I just found that via googling. The error you're seeing seems specifically related to revocations, though.

[drazde]

@alexcrichton yes seems my computer can't verify if the certificate is still valid or not. My computer is part of a domain, I don't know if this can change something

[alexcrichton]

My guess is that something is slightly nonstandard because it works most of the time elsewhere on Windows, but unfortunately I'm not sure what :(

[JasonKleban]

I'm getting these errors too. I don't know what the mechanism is, but while the internet does not think I'm on a proxy, all(?) the ssl certs that come in are getting rewritten as signed by firewall.company.my which is trusted in the Windows Certificate Store, but perhaps not used by the libraries that Cargo uses.

I tried adding a "=== BEGIN TRUSTED CERT ===" of the firewall.company.my exported from the Windows Certificate Manager to "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.trust.crt" on a whim. I think that does change the behavior of curl because it no longer reports a self-signed cert in the chain when I have it in verbose mode, but this still errors out for cargo install racer (my current goal).

[alexcrichton]

@JasonKleban in theory at least Cargo is using schannel everywhere for SSL connections, which should use the default Windows certificate store (I believe). Could you gist the full error you're seeing though?

[JasonKleban]

C:\>cargo -V
cargo 0.16.0-nightly (6e0c18c 2017-01-27)

C:\>cargo install racer --verbose
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading racer v2.0.5
error: [35] SSL connect error (schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.)

This is all of it.

[alexcrichton]

This is maybe a bug in how we're using libcurl? Or maybe a bug in how libcurl interacts with schannel (the system SSL library on Windows)? Or maybe a bug in Cargo itself?

Unfortunately I'm not sure what's going on here. We should be using the system defaults, so if we're not there's a bug somewhere and I don't really know what's up

[alexcrichton]

This mailing list message seems relevant, notably:

If you are unable to find the cause and your circumstances allow you can
disable revocation checking per session in curl w/ WinSSL by using
option --ssl-no-revoke [1] in curl >= 7.44 or by passing flag
CURLSSLOPT_NO_REVOKE to CURLOPT_SSL_OPTIONS [2] in libcurl >= 7.44.

So we may just need to add a binding to this in curl-rust and then configure that in Cargo.

[alexcrichton]

@JasonKleban or @drazde, would you have the ability to test out a custom build of Cargo?

[alexcrichton]

If possible, I've uploaded a local build of Cargo which supports the options mentioned above. You can add this to .cargo/config to enable it:

[http]
check-revoke = false

[drazde]

Ooh wow @alexcrichton, great!
Now it works

Thanks man

[alexcrichton]

Ok thanks for checking @drazde! I've sent a PR.

[JasonKleban]

Working for me too! Thanks! Is bypassing this check the right thing to do? Is it that the firewall cert is setup improperly and can't be evaluated for a revocation? What I heard was that this was an issue with schannel integration.

[alexcrichton]

@JasonKleban I believe so, yes, that option is just telling schannel to bypass revocation entirely. Beyond that though I don't know if it's a local configuration problem or what it would be indicative of :(

[aiodsunil]

Hi Alex,
I just started today to learn rust but trying to add dependnices geting below errors,

Downloading regex v0.1.80
error: unable to get packages from source

Caused by:
[35] SSL connect error (schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.)

can you explain what's file type under config folder, i have added below
.cargo\config\Cargo.toml
i added below
[http]
check-revoke = false

now i am geting error
$ cargo build --verbose
error: Couldn't load Cargo configuration

Caused by:
Access is denied. (os error 5)

Can you please help urgently

[alexcrichton]

@aiodsunil oh dear that sounds bad! Out of curiosity, can you visit crates.io in a web browser? (or github.com?)

The configuration error seems quite odd as well, is there perhaps some local filesystem permissions error?

[aiodsunil]

look like some permission issue .i also truned off SSL but it's still giving the issue not sure what i need to do further, i am able to build/run rust program without dependnecies
cargo-0.17.0-nightly (f9e5481 2017-03-03)

[aiodsunil]

i am still eting below error

Caused by:
[35] SSL connect error (schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.)

Can someone help please not able to progress

[alexcrichton]

@aiodsunil that error message seems to indicate that your system is not trusting the certificate from crates.io (or maybe github.com, I'm not sure). This can happen if you've got a firewall that's intercepting TLS communication and isn't properly configured to be trusted on your local system.

Beyond that though it's tough to diagnose from just the information you've gisted.

[aiodsunil]

now this issue resolved after created config file under ./cargo folder and putted below line
[http]
check-revoke = false

[carols10cents]

Sounds like all instances on this issue have been solved, so I'm closing this. Please open new issues if this happens again in the future!

[vigneshdv]

I'm currently trying to work through the exercises on exercism.io.
I'm on Windows 10 on a office laptop. However, I've been trying these exercises out at home with the office proxy disabled and connected directly to the internet.
I managed to install rustup stable and nightly for windows. Now I was setting up my Visual Studio Code along with the necessary extensions for Rust. The RLS extension informed that I was missing racer, rustfmt, rustsym. I hit the install button and it started the process but failed with the following error message.

Updating registry https://github.com/rust-lang/crates.io-index
Downloading racer v2.0.10
error: [35] SSL connect error (schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.)

Based on the suggestions in the above conversation I added the following lines to the that exercises Cargo.toml, the config file eventually looks like this:

[package]
name = "hello-world"
version = "1.0.0"

[http]
check-revoke = false

I re-ran the command within the project structure and I ended up getting the same error message again.

Also, I see that people have mentioned place the configuration file within .cargo/ folder. Some clarifications would be nice here:

1. Is this the global .cargo folder present within the home folder of the user?
2. What should the name of the configuration file be?

Any help would be appreciated here. While installing these particular crates is not essential now, if I cant resolve this issue I wont be able to install any other crates in the future as well.

Thanks in advance!

cc: @alexcrichton

[vigneshdv]

So I went on the IRC channel and got cargo to work. Looks like the config file has no extensions and is to be actually called "config". Mistake on my part since I saw that the format was toml and hence would require an extension of ".toml". Also, I assumed ".cargo\config", meant a folder config inside .cargo.

Thanks for the help anyways.

[brunoxti]

[SOLVED] I did not have the .cargo \ config file, so I created the file, right-click the new file text, name it with single quotation marks Ex: 'config'.
So rename without single quotation.

And I've added the following lines.

[http]


check-revoke = false

[Joe23232]

@brunoxti Hi, I have tried as you have suggested, it is still not allowing me to download any dependency. But it does work without quotations.

[liudonghua123]

I tried to set check-revoke = false in ~/.cargo/config, but it did not work.

And finally, I changed the curl in path (I have multi curl in path), and it worked now.

C:\Users\Liu.D.H>cargo  install mdcat  -vvv
    Updating `https://mirrors.tuna.tsinghua.edu.cn/git/crates.io-index.git` index
 Downloading crates ...
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: failed to receive handshake, SSL/TLS connection failed)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: failed to receive handshake, SSL/TLS connection failed)
error: failed to download from `https://crates.io/api/v1/crates/mdcat/0.22.1/download`

Caused by:
  [35] SSL connect error (schannel: failed to receive handshake, SSL/TLS connection failed)

C:\Users\Liu.D.H>set path=C:\Windows\System32;%path%

C:\Users\Liu.D.H>where curl
C:\Windows\System32\curl.exe
C:\ProgramData\chocolatey\bin\curl.exe
C:\Users\Liu.D.H\scoop\shims\curl.exe
C:\msys64\usr\bin\curl.exe

C:\Users\Liu.D.H>cargo  install mdcat  -vvv
    Updating `https://mirrors.tuna.tsinghua.edu.cn/git/crates.io-index.git` index
 Downloading crates ...
  Downloaded mdcat v0.22.1 (registry `https://mirrors.tuna.tsinghua.edu.cn/git/crates.io-index.git`)
  Installing mdcat v0.22.1
 Downloading crates ...
  Downloaded anyhow v1.0.36 (registry `https://mirrors.tuna.tsinghua.edu.cn/git/crates.io-index.git`)
。......

[ltexensis]

I'm having the same probably as the person above. I tried creating ~/.config/config.toml, ~/my-rust-project/.cargo/config.toml, and ~/my-rust-project/.cargo/config files, all with

[http]
check-revoke

.. and I still get this error.

291269@S010RMB129-18 UCRT64 ~/rs-tetris
$ cargo run
warning: Both C:\Users\291269\msys2\home\291269\rs-tetris\.cargo\config and C:\Users\291269\msys2 \home\291269\rs-tetris\.cargo\config.toml exist. Using C:\Users\291269\msys2\home\291269\rs-tetris \.cargo\config
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: failed to rec
eive handshake, SSL/TLS connection failed)
error: failed to download from https://crates.io/api/v1/crates/autocfg/1.1.0/download

Caused by:
[35] SSL connect error (schannel: failed to receive handshake, SSL/TLS connection failed)

This is what comes up when I use 'where curl' like the person above.

291269@S010RMB129-18 UCRT64 ~/rs-tetris
$ where curl
C:\Users\291269\msys2\ucrt64\bin\curl.exe
C:\Users\291269\msys2\usr\bin\curl.exe
C:\Windows\System32\curl.exe

I'm using MSYS UCRT64 if that helps.

Thank y'all in advance.

[Eh2406]

try

[http]
check-revoke = false

Also, please open a new issue instead of commenting on one closed 7 years ago.

[ltexensis]

Thanks for the quick response.

I've tried that (~/.config/config.toml, ~/my-rust-project/.cargo/config.toml, and ~/my-rust-project/.cargo/config) and no dice.

I'm working on a new issue right now.