[msys2] download components failure: SSL connect error #13286
Comments
JackBoosY
added
the
category:vcpkg-bug
|
See #13217 (comment) for workaround. |
JackBoosY
changed the title
|
?
NET40-Enable-TLS-12 |
|
@JackBoosY : Thank you very much for linking me to this workaround! @voskrese Both commands fails in PS for me (see output below), also I explicitly mentioned that ONLY TLS 1.3 would work, NOT 1.2. |
|
TLS 1.2 work
alternative and in general of course in vain removed PACMAN |
|
if https:// fail, use http:// as fallback. Since we verify file hash, transport layer security is less important. |
|
Hi guys, can you test if #13298 works? |
|
@JackBoosY : I messed up in my previous test (see my post history), your fix is working perfectly fine! @voskrese : You appaarently don't understand. TLS v1.2 does NOT work, just read the explanations on the site itself, ONLY TLS 1.3 does. Your Windows 10 PowerShell just adapts to this scenario and uses TLS 1.3 without telling you about it, that's why the command works for you - for me it obviously doesn't. You might want to explicitly DISABLE TLS 1.3 in Control Panel and try again afterwards, you'll be surprised. EDIT: Ah, and btw, downloading the packages directly without using pacman will of course only resolve this particular issue if you don't do it from https://repo.msys2.org any longer but from one of the quite few alternative sites. As not pacman or any other MSYS2 component enforces TLS 1.3, the site / domain does. |
|
@Christsnatcher Sorry, please pull the latest and try again, I forgot to modify some places. |
|
Ah, no problem. We wrote at the same time, I edited my previous post to reflect that your fix is working perfectly fine, thank you so much- now on to merging! ;) Look at this drastical cmd output change, impressive: |
|
I see that commit 46e25a1 has substituted downloads via pacman with direct downloads, but unfortunately not resolved this issue. Well, the magic word is patience I guess (though it's hard given a proper fix is available for more than one week already). Cheers! |
|
@Christsnatcher We are looking for a solution to enable TLS>1.2 in Windows 7. |
|
@Christsnatcher what is your error message? |
|
@JackBoosY: I honestly think this will be impossible if MS does not actively supports backporting. And I would still have the same issue on Windows 8.1, right? @linquize: Please check the first post. |
|
i add one line at scripts\cmake\vcpkg_download_distfile.cmake:161, then download ok string(REGEX REPLACE "^https://repo\.msys2\.org" "http://mirrors.ustc.edu.cn/msys2" url ${url}) |
|
@allenchou13 That's an OK temporary fix but it wouldn't be appropriate to replace the primary mirror with one of the replicas permanently, |
|
@BillyONeal : There are abviously dozens of potential "workarounds" available, but an issue as severe as this one simply has to to be resolved a proper way. Also, a regular MSYS2 installation comes with a preconfigured list of mirrors in "msys64\etc\pacman.d", the current one lists these servers: So there should be enough options to get the packages from I guess. -- edit -- I just noticed that even MSYS2 itself uses the "http form" of the repo.msys2.org domain to retrieve content, funny somehow. So why not simply implement fallback urls the very same way or just replace the TLS 1.3 https links with their resp. http counterparts? In which way would doing what MSYS2 does itself be "inappropriate" if I might ask? The current situation is "intolerable", that's my opinion. |
This is required because of microsoft/vcpkg#13286
|
It looks to me like this issue has been fixed by msys2.org starting to allow TLS1.2 again? |
|
@pkgw : You're actually right, wondering what has been their reasoning behind this decision. |
|
Fixed by msys upstream. |
|
good |
Host Environment
To Reproduce
Steps to reproduce the behavior:
vcpkg install [ffmpeg] (no triplet does work, and no additional feature does matter)
Failure logs
Additional context
Hello,
the issue here doesn't really seem to be a "port bug", because it affects all ports which need MSYS2 for building. The problem basically is that https://repo.msys2.org since a few days stricly disallows all other security protocols but TLS 1.3 - which users of other Windows OS but latest Windows 10 (like me) are unable to use for global WinHttp connections as it's simply not implemented in the resp. OS (and obviously never will be).
Since vcpkg apparently tries to acquire the package using PowerShell we are bound to WinHttp limits and the download has to fail, while 3rd-party-programs like e.g. wget, which support TLS 1.3 natively, are able to download from https://repo.msys2.org perfectly fine. So I actually have the package vcpkg tries to download for more than one hour on my HDD already, but fail to figure out where to place it so that vcpkg would pick it up (as quick bypass). Could you please tell me? Thank you.
The problem I mention here is a pretty huge one given that it effectively excludes all non-Win 10 users from the possibility to build MSYS2-dependent ports (which are not just a few as you surely know). I strongly recommend to add alternate download urls in addition to https://repo.msys2.org as soon as possible, thank you very much.
ffmpeg.zip
The text was updated successfully, but these errors were encountered: