Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#42063 closed defect (worksforme)

github git fetch failure: unknown SSL protocol error

Reported by: sgrewe (Stefan Grewe)
Owned by: neverpanic (Clemens Lang)
Priority: Normal
Milestone:
Component: ports
Version: 2.2.1
Keywords:
Cc: cooljeanius (Eric Gallager), gullevek (Clemens Schwaighofer)
Port: textmate2 gitx

Description (last modified by ryandesign (Ryan Carsten Schmidt))

:debug:fetch Executing: /usr/bin/git clone -q https://github.com/textmate/textmate.git /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_editors_textmate2/textmate2/work/textmate-2.0-alpha.9501 2>&1
:info:fetch fatal: unable to access 'https://github.com/textmate/textmate.git/': Unknown SSL protocol error in connection to github.com:-67674

executing the exact above git clone from the command line is working, though

Attachments (2)

main.log (74.2 KB) - added by sgrewe (Stefan Grewe) 10 years ago.
main.2.log (74.9 KB) - added by sgrewe (Stefan Grewe) 10 years ago.
after your changes and selfupdate


Change History (30)

Changed 10 years ago by sgrewe (Stefan Grewe)

Attachment: main.log added

comment:1 Changed 10 years ago by cooljeanius (Eric Gallager)

comment:2 Changed 10 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:3 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)

Description: modified (diff)
Keywords: SSL removed
Owner: changed from macports-tickets@… to cal@…

comment:4 Changed 10 years ago by neverpanic (Clemens Lang)

Cc: gullevek@… added
Port: gitx added
Summary: changed from "textmate2 fetch failure: unknown SSL protocol error" to "github git fetch failure: unknown SSL protocol error"

Has duplicate #42360. I have no idea what's wrong, though. Do you have the git-core port installed? Which version of openssl do you have? What does otool -L /usr/bin/git print?

It certainly works for me, so there must be something different on your system compared to mine.

comment:5 in reply to:  4 Changed 10 years ago by sgrewe (Stefan Grewe)

The following ports are currently installed:
 git-core @1.8.5.3_0+bash_completion+credential_osxkeychain+doc+pcre+perl5_12+python27+svn (active)
The following ports are currently installed:
 openssl @1.0.1f_0 (active)
~$otool -L /usr/bin/git
/usr/bin/git:
	/usr/lib/libxcselect.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)

Some other ports have the same problem on my system

Last edited 8 years ago by ryandesign (Ryan Carsten Schmidt)

comment:6 Changed 10 years ago by neverpanic (Clemens Lang)

Oh, /usr/bin/git is just a wrapper into the command line tools. Can you try finding a git binary somewhere in /Applications/Xcode.app/Contents/Developer and run otool -L on that?

What does env | grep DYLD print on your system?

comment:7 in reply to:  6 Changed 10 years ago by sgrewe (Stefan Grewe)

is this the one you are looking for?

~$otool -L /Applications/Xcode.app/Contents/Developer/usr/bin/git 
/Applications/Xcode.app/Contents/Developer/usr/bin/git:
	/usr/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)

env | grep DYLD prints nothing

Last edited 8 years ago by ryandesign (Ryan Carsten Schmidt)

comment:8 Changed 10 years ago by neverpanic (Clemens Lang)

Yes, that seems to be the right one. I'm surprised it doesn't link against curl and openssl, though. I also have no explanation for why this would work when used outside MacPorts, but not when used by MacPorts internally. My next suggestion would be to use wireshark to look at the traffic of a working and a non-working download. I'd assume they used different SSL/TLS standards and/or features (that should be visible without actually decrypting the traffic).

Can you also try editing /opt/local/share/macports/Tcl/port1.0/port_autoconf.tcl and replacing the value of "variable git_path" with /opt/local/bin/git and see if that fixes the fetch failure? (Make sure to change this back after trying, though.)

comment:9 in reply to:  8 Changed 10 years ago by sgrewe (Stefan Grewe)

with variable git_path "/opt/local/bin/git" it is working! Should I leave it that way?

comment:10 in reply to:  8 Changed 10 years ago by sgrewe (Stefan Grewe)

Well, I was too fast
git is now working, but:

:info:configure Downloading ‘https://api.textmate.org/bundles/default’…
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure *** error importing key: No error.
:info:configure *** download_etag(‘https://api.textmate.org/bundles/default’): Unknown signee: ‘org.textmate.msheets’.
:info:configure *** error retrieving ‘https://api.textmate.org/bundles/default’ (no etag given)
:info:configure *** failed to update source: ‘TextMate Bundles’ (https://api.textmate.org/bundles/default)
:info:configure Command failed:  cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_editors_textmate2/textmate2/work/textmate-2.0-alpha.9505" && ./configure --prefix=/opt/local 
:info:configure Exit code: 1
:error:configure org.macports.configure for port textmate2 returned: configure failure: command execution failed
:debug:configure Error code: NONE
:debug:configure Backtrace: configure failure: command execution failed
    while executing
"$procedure $targetname"
:info:configure Warning: targets not executed for textmate2: org.macports.activate org.macports.configure org.macports.build org.macports.destroot org.macports.install
:notice:configure Please see the log file for port textmate2 for details:
    /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_ports_editors_textmate2/textmate2/main.log

Last edited 10 years ago by sgrewe (Stefan Grewe)

comment:11 Changed 10 years ago by neverpanic (Clemens Lang)

Please use WikiFormatting when posting in Trac and try to preview your posts. The current formatting makes it close to impossible to properly decipher the error messages. :/

Since the URLs you see also are HTTPS-URLs I think there might be a problem with some SSL routines on your system. Can you try running /usr/bin/curl -v https://api.textmate.org/bundles/default on your system and paste the output (preferably enclosed in { { { and } } } without the spaces for formatting)? Also try doing the same with /opt/local/bin/curl, if you have it. What do otool -L /usr/lib/libssl.dylib and otool -L /usr/lib/libcrypto.dylib print on your system? What are the MD5 sums of these files?

Last edited 10 years ago by neverpanic (Clemens Lang)

comment:12 in reply to:  11 Changed 10 years ago by sgrewe (Stefan Grewe)

~$/usr/bin/curl -v https://api.textmate.org/bundles/default
* Adding handle: conn: 0x7fa05280aa00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fa05280aa00) send_pipe: 1, recv_pipe: 0
* About to connect() to api.textmate.org port 443 (#0)
*   Trying 178.79.137.125...
* Connected to api.textmate.org (178.79.137.125) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: api.textmate.org (ANJGjwgFwEdOgck0)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> GET /bundles/default HTTP/1.1
> User-Agent: curl/7.30.0
> Host: api.textmate.org
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 04 Feb 2014 15:19:55 GMT
* Server Apache/2.2.22 (Ubuntu) is not blacklisted
< Server: Apache/2.2.22 (Ubuntu)
< Cache-Control: max-age=600
< Expires: Tue, 04 Feb 2014 15:29:55 +0000
< Last-Modified: Tue, 04 Feb 2014 15:19:55 +0000
< Location: http://s3.textmate.org/default.plist
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
< 
* Connection #0 to host api.textmate.org left intact



~$/opt/local/bin/curl -v https://api.textmate.org/bundles/default
* Hostname was NOT found in DNS cache
*   Trying 178.79.137.125...
* Connected to api.textmate.org (178.79.137.125) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* 	 subject: description=ANJGjwgFwEdOgck0; C=DK; CN=api.textmate.org; emailAddress=postmaster@textmate.org
* 	 start date: 2013-05-04 17:33:11 GMT
* 	 expire date: 2014-05-06 01:25:04 GMT
* 	 subjectAltName: api.textmate.org matched
* 	 issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
* 	 SSL certificate verify ok.
> GET /bundles/default HTTP/1.1
> User-Agent: curl/7.35.0
> Host: api.textmate.org
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 04 Feb 2014 15:25:33 GMT
* Server Apache/2.2.22 (Ubuntu) is not blacklisted
< Server: Apache/2.2.22 (Ubuntu)
< Cache-Control: max-age=600
< Expires: Tue, 04 Feb 2014 15:35:33 +0000
< Last-Modified: Tue, 04 Feb 2014 15:25:33 +0000
< Location: http://s3.textmate.org/default.plist
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
< 
* Connection #0 to host api.textmate.org left intact


~$otool -L /usr/lib/libssl.dylib
/usr/lib/libssl.dylib:
	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)


~$otool -L /usr/lib/libcrypto.dylib
/usr/lib/libcrypto.dylib:
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
	/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/TrustEvaluationAgent (compatibility version 1.0.0, current version 25.0.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)


sorry for the formatting. MD5 will follow in about 30 minutes

Last edited 10 years ago by sgrewe (Stefan Grewe)

comment:13 in reply to:  11 ; Changed 10 years ago by sgrewe (Stefan Grewe)

MD5 (/usr/lib/libssl.dylib) = 4213b247b78558ff6467fd0ec79ddf88
MD5 (/usr/lib/libcrypto.dylib) = 5ac5a28d7b33026c1d468be43201990a
Last edited 10 years ago by sgrewe (Stefan Grewe)

comment:14 in reply to:  13 Changed 10 years ago by sgrewe (Stefan Grewe)

MD5 (/usr/lib/libssl.dylib) = 4213b247b78558ff6467fd0ec79ddf88
MD5 (/usr/lib/libcrypto.dylib) = 5ac5a28d7b33026c1d468be43201990a

comment:15 Changed 10 years ago by neverpanic (Clemens Lang)

The md5sums match those on my system, so I guess we can conclude the problem doesn't occur because of a modified openssl installation.

I've committed a change to the textmate2 port in r116714 that might help tracking down the issue. Please run selfupdate, clean textmate2, run sudo port fetch textmate2 and attach the main.log after it failed.

comment:16 Changed 10 years ago by neverpanic (Clemens Lang)

Oh, and you'll have to revert the change in /opt/local/share/macports/Tcl/port1.0/port_autoconf.tcl before you do that, please.

Changed 10 years ago by sgrewe (Stefan Grewe)

Attachment: main.2.log added

after your changes and selfupdate

comment:17 in reply to:  16 Changed 10 years ago by sgrewe (Stefan Grewe)

after reverting git_path and selfupdate, git-clone fails again, please see attached new main.log

comment:18 Changed 10 years ago by neverpanic (Clemens Lang)

The problem occurs in Apple's CommonCrypto/SecurityFramework code that implements SSL, the -67674 error code is "errSecMDSError", which has a one-line description of "A Module Directory Service error has occurred." I'll see if I can find the locations where this code is returned and find out what went wrong, but I suppose this is somehow related to your keychain.
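The triage described in comment:18, as an added example that is not part of the original ticket or of MacPorts: it pulls the numeric code out of the fetch error and groups it with the CSSM_ModuleLoad() lines from comment:10. The function names are hypothetical, the code table holds only the value named in this ticket, and treating CSSMERR_DL_MDS_ERROR as the same Module Directory Service class is an assumption.

```python
import re
from collections import defaultdict

# Only the code identified in comment:18 of this ticket; extend from Apple's headers.
OSSTATUS_NAMES = {-67674: "errSecMDSError"}

# Constructed sample assembled from lines quoted in this ticket (paths shortened).
SAMPLE_LOG = """\
:debug:fetch Executing: /usr/bin/git clone -q https://github.com/textmate/textmate.git work/textmate 2>&1
:info:fetch fatal: unable to access 'https://github.com/textmate/textmate.git/': Unknown SSL protocol error in connection to github.com:-67674
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure *** error importing key: No error.
:info:configure Exit code: 1
"""

LINE = re.compile(r"^:(?P<level>\w+):(?P<phase>\w+) (?P<msg>.*)$")
SSL_ERR = re.compile(r"Unknown SSL protocol error in connection to (?P<host>[^\s:]+):(?P<code>-?\d+)")
CSSM_ERR = re.compile(r"(?P<func>CSSM_\w+)\(\): (?P<err>CSSMERR_\w+)")

def triage(log_text):
    """Return {phase: [finding, ...]} for TLS and CSSM failures in a MacPorts log."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines (backtraces, paths) carry no phase tag
        phase, msg = m["phase"], m["msg"]
        if (s := SSL_ERR.search(msg)):
            code = int(s["code"])
            findings[phase].append(("tls", s["host"], code, OSSTATUS_NAMES.get(code, "unknown")))
        elif (c := CSSM_ERR.search(msg)):
            item = ("cssm", c["func"], c["err"])
            if item not in findings[phase]:  # collapse repeated identical lines
                findings[phase].append(item)
    return dict(findings)

def mds_related(findings):
    """True when every failing phase shows a Module Directory Service error."""
    def is_mds(f):
        return (f[0] == "tls" and f[3] == "errSecMDSError") or (f[0] == "cssm" and "MDS" in f[2])
    return bool(findings) and all(any(is_mds(f) for f in fs) for fs in findings.values())

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print("MDS-related in all failing phases:", mds_related(result))
```

When both the fetch and configure phases report an MDS error, the common factor is the system security framework rather than git, curl or the port.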

comment:19 Changed 10 years ago by sgrewe (Stefan Grewe)

But why is it working from the command line, then? Could the fact that github.app is installed on my system have anything to do with it?

comment:20 Changed 10 years ago by neverpanic (Clemens Lang)

I think this might be yet another occasion where Apple uses some hidden method that MacPorts doesn't know about and thus doesn't take care enough to avoid breaking. From what I've seen, this error seems to be thrown when curl tries to read the root certificates (but I'm really very much guessing here – the code is just too complicated and there's not enough publicly available documentation to know for sure). https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/CDSA/CDSA.html and http://pubs.opengroup.org/onlinepubs/9629299/9_chap01.htm might help to further debug this.

As a shot in the dark, try opening Keychain Access.app and see if that fixes the problem. Are you changing to the root user before using MacPorts or do you use sudo port … – that might affect whether this works, too.

comment:21 Changed 10 years ago by sgrewe (Stefan Grewe)

having Keychain Access.app open while running sudo port install ... did not help
su root ... also did not help, unfortunately

comment:22 Changed 10 years ago by neverpanic (Clemens Lang)

I'm afraid I'm at the end of my knowledge. I think this is an Apple bug and you should file a radar at http://bugreporter.apple.com.

Unless somebody at Apple involved with the SecurityFramework stuff reads this ticket and wants to shed some light? Anyone?

comment:23 Changed 10 years ago by sgrewe (Stefan Grewe)

I will do so. Thank you for your help

comment:24 Changed 10 years ago by cooljeanius (Eric Gallager)

Are you using curl-ca-bundle or certsync here? What does port provides /opt/local/share/curl/curl-ca-bundle.crt report for you?

comment:25 in reply to:  24 Changed 10 years ago by sgrewe (Stefan Grewe)

~$port provides /opt/local/share/curl/curl-ca-bundle.crt
/opt/local/share/curl/curl-ca-bundle.crt is provided by: curl-ca-bundle

comment:26 Changed 10 years ago by neverpanic (Clemens Lang)

That really doesn't matter in this case, because the problem occurs when using CommonCrypto, which uses the system's certificate store directly.

comment:27 Changed 10 years ago by neverpanic (Clemens Lang)

Resolution: worksforme
Status: changed from new to closed

There's nothing I can do about this ticket anymore; please report back if you hear from Apple what the cause might be, though.

comment:28 Changed 9 years ago by jeremyhu (Jeremy Huddleston Sequoia)

It would've been nice to have a radar filed about this at the time. We just got a radar today referencing this MacPorts ticket, but I cannot reproduce the problem on Mountain Lion, Mavericks, or Yosemite. I'm able to run /usr/bin/git clone https://github.com/textmate/textmate.git just fine. Is anyone seeing this issue with any other servers?

Last edited 9 years ago by jeremyhu (Jeremy Huddleston Sequoia)