SSL/TLS Errors Index Page #214

Open
drojf opened this issue Jul 1, 2023 · 0 comments

This page indexes all the SSL/TLS problems we've had, and also records the recent SSL/TLS problem we've had.

Recent SSL/TLS issue

Recently, two MacOS 10 users had an SSL error where, even though we had implemented the CURL fallback, even CURL was using certificates which wouldn't download from our 07th-mod site.

To fix this, I sent one user a version of the installer which uses a bundled certificate, if all else fails (as suggested in #80).

Further Explanation

Previously, we only used CURL (set the CURL executable) if it could download from the 07th-mod website.

Now, we set the CURL executable as long as it is available (even if it cannot download).

Then, we try to figure out which CURL certificate we should use, by trying each one:

  • Use whatever the default is (no argument passed to CURL)
  • Use any certificates found on the system (currently we only find certs on Linux though)
  • Use the bundled certificate

The installer will try both the 07th-mod and github websites, and if a cert works with both then it chooses that one for the rest of the install.

The bundled certificate is retrieved from the CURL website https://curl.se/docs/caextract.html . It will be updated each time the installer is rebuilt. We would need to re-build the installer periodically as the certs would eventually expire, though, but I guess this is a last resort anyway.

Known Issues

  • Testing the certificate requires/uses only CURL
  • Currently Python's URLOpen does not use the chosen certificate. But wherever it is used in the installer, we have a CURL fallback.
  • Also, while this certificate is also passed into Aria2, I noticed that on my Windows machine it doesn't like the certificate format. But on the MacOS logs, it appears to use the certificate.

List of previous TLS/SSL issues

drojf added a commit that referenced this issue Jul 1, 2023
 - Only works currently if CURL is available
 - Tries various different cert options to find one which works with both github and 07th-mod
 - While the certificate is passed to aria2c, I get the error "TLS CA bundle files are not supported" on Windows. Not sure about linux/mac
 - See #214
 - Old certificate in the windows bootstrap folder has been deleted
 - Certificate is downloaded from https://curl.se/docs/caextract.html when the installer is built
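
The certificate selection described in the issue above, sketched as an added example (not the installer's own code): try curl's default, then system certificates, then the bundled one, and keep the first that verifies both sites. The function names, the `probe` hook and the placeholder URLs are assumptions; the selection fails closed rather than ever turning verification off.

```python
import os
import subprocess
from typing import Callable, Iterable, List, Optional

# Placeholder URLs (assumption): the page names the two sites, not the exact URLs probed.
TEST_URLS = ("https://07th-mod.example/", "https://github.com/")

Probe = Callable[[str, Optional[str]], bool]


class NoWorkingCertificate(Exception):
    """No candidate CA bundle verified every test URL."""


def curl_probe(url: str, cacert: Optional[str], curl_path: str = "curl") -> bool:
    """True if curl completes a certificate-verified HTTPS request to url."""
    cmd = [curl_path, "--silent", "--head", "--max-time", "15", "--output", os.devnull]
    if cacert is not None:
        cmd += ["--cacert", cacert]  # override curl's default CA bundle
    try:
        # Exit code 0 means the TLS handshake verified and a response arrived;
        # a verification failure makes curl exit non-zero (60).
        return subprocess.run(cmd + [url], timeout=30).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def candidate_certs(system_certs: Iterable[str], bundled: str) -> List[Optional[str]]:
    """Order described on the page: curl default, system certs, bundled cert."""
    return [None, *system_certs, bundled]


def choose_cert(candidates: Iterable[Optional[str]],
                urls: Iterable[str] = TEST_URLS,
                probe: Probe = curl_probe) -> Optional[str]:
    """Return the first candidate that verifies ALL urls (None = curl default).

    Fails closed: raises rather than ever disabling verification.
    """
    urls = list(urls)
    for cacert in candidates:
        if all(probe(url, cacert) for url in urls):
            return cacert
    raise NoWorkingCertificate("no CA bundle verified every test URL")
```

Passing a fake `probe` lets the selection order be tested without network access or a curl binary.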