#42063 closed defect (worksforme)
github git fetch failure: unknown SSL protocol error
Reported by: | sgrewe (Stefan Grewe) | Owned by: | neverpanic (Clemens Lang) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.2.1 |
Keywords: | | Cc: | cooljeanius (Eric Gallager), gullevek (Clemens Schwaighofer) |
Port: | textmate2 gitx | | |
Description (last modified by ryandesign (Ryan Carsten Schmidt))
```
:debug:fetch Executing: /usr/bin/git clone -q https://github.com/textmate/textmate.git /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_editors_textmate2/textmate2/work/textmate-2.0-alpha.9501 2>&1
:info:fetch fatal: unable to access 'https://github.com/textmate/textmate.git/': Unknown SSL protocol error in connection to github.com:-67674
```
executing the exact above git clone from the command line is working, though
Attachments (2)
Change History (30)
Changed 11 years ago by sgrewe (Stefan Grewe)
comment:1 Changed 11 years ago by cooljeanius (Eric Gallager)
comment:3 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)
Description: | modified (diff) |
---|---|
Keywords: | SSL removed |
Owner: | changed from macports-tickets@… to cal@… |
comment:4 follow-up: 5 Changed 11 years ago by neverpanic (Clemens Lang)
Cc: | gullevek@… added |
---|---|
Port: | gitx added |
Summary: | textmate2 fetch failure: unknown SSL protocol error → github git fetch failure: unknown SSL protocol error |
Has duplicate #42360. I have no idea what's wrong, though. Do you have the git-core port installed? Which version of openssl do you have? What does `otool -L /usr/bin/git` print?
It certainly works for me, so there must be something different on your system compared to mine.
comment:5 Changed 11 years ago by sgrewe (Stefan Grewe)
The following ports are currently installed: git-core @1.8.5.3_0+bash_completion+credential_osxkeychain+doc+pcre+perl5_12+python27+svn (active)
The following ports are currently installed: openssl @1.0.1f_0 (active)
```
~$otool -L /usr/bin/git
/usr/bin/git:
	/usr/lib/libxcselect.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
```
Some other ports have the same problem on my system
comment:6 follow-up: 7 Changed 11 years ago by neverpanic (Clemens Lang)
Oh, `/usr/bin/git` is just a wrapper into the command line tools. Can you try finding a git binary somewhere in `/Applications/Xcode.app/Contents/Developer` and run `otool -L` on that?
What does `env | grep DYLD` print on your system?
comment:7 Changed 11 years ago by sgrewe (Stefan Grewe)
is this the one you are looking for?
```
~$otool -L /Applications/Xcode.app/Contents/Developer/usr/bin/git
/Applications/Xcode.app/Contents/Developer/usr/bin/git:
	/usr/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
```
`env | grep DYLD` prints nothing
comment:8 follow-ups: 9 10 Changed 11 years ago by neverpanic (Clemens Lang)
Yes, that seems to be the right one. I'm surprised it doesn't link against curl and openssl, though. I also have no explanation for why this would work when used outside MacPorts, but not when used by MacPorts internally. My next suggestion would be to use wireshark to look at the traffic of a working and a non-working download. I'd assume they used different SSL/TLS standards and/or features (that should be visible without actually decrypting the traffic).
Can you also try editing `/opt/local/share/macports/Tcl/port1.0/port_autoconf.tcl` and replacing the value of "variable git_path" with `/opt/local/bin/git` and see if that fixes the fetch failure? (Make sure to change this back after trying, though.)
comment:9 Changed 11 years ago by sgrewe (Stefan Grewe)
with variable git_path "/opt/local/bin/git" it is working! Should I leave it that way?
comment:10 Changed 11 years ago by sgrewe (Stefan Grewe)
Well, I was too fast; git is now working, but:
```
:info:configure Downloading ‘https://api.textmate.org/bundles/default’…
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure CSSM_ModuleLoad(): CSSMERR_DL_MDS_ERROR
:info:configure *** error importing key: No error.
:info:configure *** download_etag(‘https://api.textmate.org/bundles/default’): Unknown signee: ‘org.textmate.msheets’.
:info:configure *** error retrieving ‘https://api.textmate.org/bundles/default’ (no etag given)
:info:configure *** failed to update source: ‘TextMate Bundles’ (https://api.textmate.org/bundles/default)
:info:configure Command failed: cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_editors_textmate2/textmate2/work/textmate-2.0-alpha.9505" && ./configure --prefix=/opt/local
:info:configure Exit code: 1
:error:configure org.macports.configure for port textmate2 returned: configure failure: command execution failed
:debug:configure Error code: NONE
:debug:configure Backtrace: configure failure: command execution failed
    while executing
"$procedure $targetname"
:info:configure Warning: targets not executed for textmate2: org.macports.activate org.macports.configure org.macports.build org.macports.destroot org.macports.install
:notice:configure Please see the log file for port textmate2 for details: /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_ports_editors_textmate2/textmate2/main.log
```
comment:11 follow-ups: 12 13 Changed 11 years ago by neverpanic (Clemens Lang)
Please use WikiFormatting when posting in Trac and try to preview your posts. The current formatting makes it close to impossible to properly decipher the error messages. :/
Since the URLs you see also are HTTPS-URLs I think there might be a problem with some SSL routines on your system. Can you try running `/usr/bin/curl -v https://api.textmate.org/bundles/default` on your system and paste the output (preferably enclosed in { { { and } } } without the spaces for formatting)? Also try doing the same with `/opt/local/bin/curl`, if you have it. What do `otool -L /usr/lib/libssl.dylib` and `otool -L /usr/lib/libcrypto.dylib` print on your system? What are the MD5 sums of these files?
comment:12 Changed 11 years ago by sgrewe (Stefan Grewe)
```
~$/usr/bin/curl -v https://api.textmate.org/bundles/default
* Adding handle: conn: 0x7fa05280aa00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fa05280aa00) send_pipe: 1, recv_pipe: 0
* About to connect() to api.textmate.org port 443 (#0)
* Trying 178.79.137.125...
* Connected to api.textmate.org (178.79.137.125) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: api.textmate.org (ANJGjwgFwEdOgck0)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> GET /bundles/default HTTP/1.1
> User-Agent: curl/7.30.0
> Host: api.textmate.org
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 04 Feb 2014 15:19:55 GMT
* Server Apache/2.2.22 (Ubuntu) is not blacklisted
< Server: Apache/2.2.22 (Ubuntu)
< Cache-Control: max-age=600
< Expires: Tue, 04 Feb 2014 15:29:55 +0000
< Last-Modified: Tue, 04 Feb 2014 15:19:55 +0000
< Location: http://s3.textmate.org/default.plist
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host api.textmate.org left intact
```
```
~$/opt/local/bin/curl -v https://api.textmate.org/bundles/default
* Hostname was NOT found in DNS cache
* Trying 178.79.137.125...
* Connected to api.textmate.org (178.79.137.125) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: description=ANJGjwgFwEdOgck0; C=DK; CN=api.textmate.org; emailAddress=postmaster@textmate.org
* start date: 2013-05-04 17:33:11 GMT
* expire date: 2014-05-06 01:25:04 GMT
* subjectAltName: api.textmate.org matched
* issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
* SSL certificate verify ok.
> GET /bundles/default HTTP/1.1
> User-Agent: curl/7.35.0
> Host: api.textmate.org
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 04 Feb 2014 15:25:33 GMT
* Server Apache/2.2.22 (Ubuntu) is not blacklisted
< Server: Apache/2.2.22 (Ubuntu)
< Cache-Control: max-age=600
< Expires: Tue, 04 Feb 2014 15:35:33 +0000
< Last-Modified: Tue, 04 Feb 2014 15:25:33 +0000
< Location: http://s3.textmate.org/default.plist
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host api.textmate.org left intact
```
```
~$otool -L /usr/lib/libssl.dylib
/usr/lib/libssl.dylib:
	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
~$otool -L /usr/lib/libcrypto.dylib
/usr/lib/libcrypto.dylib:
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
	/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/TrustEvaluationAgent (compatibility version 1.0.0, current version 25.0.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
```
Sorry for the formatting. MD5 will follow in about 30 minutes.
comment:13 follow-up: 14 Changed 11 years ago by sgrewe (Stefan Grewe)
```
MD5 (/usr/lib/libssl.dylib) = 4213b247b78558ff6467fd0ec79ddf88
MD5 (/usr/lib/libcrypto.dylib) = 5ac5a28d7b33026c1d468be43201990a
```
comment:14 Changed 11 years ago by sgrewe (Stefan Grewe)
```
MD5 (/usr/lib/libssl.dylib) = 4213b247b78558ff6467fd0ec79ddf88
MD5 (/usr/lib/libcrypto.dylib) = 5ac5a28d7b33026c1d468be43201990a
```
comment:15 Changed 11 years ago by neverpanic (Clemens Lang)
The md5sums match those on my system, so I guess we can conclude the problem doesn't occur because of a modified openssl installation.
I've committed a change to the textmate2 port in r116714 that might help tracking down the issue. Please run selfupdate, clean textmate2, run sudo port fetch textmate2 and attach the main.log after it failed.
comment:16 follow-up: 17 Changed 11 years ago by neverpanic (Clemens Lang)
Oh, and you'll have to revert the change in `/opt/local/share/macports/Tcl/port1.0/port_autoconf.tcl` before you do that, please.
Changed 11 years ago by sgrewe (Stefan Grewe)
Attachment: | main.2.log added |
---|
after your changes and selfupdate
comment:17 Changed 11 years ago by sgrewe (Stefan Grewe)
after reverting git_path and selfupdate, git-clone fails again, please see attached new main.log
comment:18 Changed 11 years ago by neverpanic (Clemens Lang)
The problem occurs in Apple's CommonCrypto/SecurityFramework code that implements SSL, the -67674 error code is "errSecMDSError", which has a one-line description of "A Module Directory Service error has occurred." I'll see if I can find the locations where this code is returned and find out what went wrong, but I suppose this is somehow related to your keychain.
comment:19 Changed 11 years ago by sgrewe (Stefan Grewe)
But why is it working from the command line, then? Could the fact that github.app is installed on my system have anything to do with it?
comment:20 Changed 11 years ago by neverpanic (Clemens Lang)
I think this might be yet another occasion where Apple uses some hidden method that MacPorts doesn't know about and thus doesn't take care enough to avoid breaking. From what I've seen, this error seems to be thrown when curl tries to read the root certificates (but I'm really very much guessing here – the code is just too complicated and there's not enough publicly available documentation to know for sure). https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/CDSA/CDSA.html and http://pubs.opengroup.org/onlinepubs/9629299/9_chap01.htm might help to further debug this.
As a shot in the dark, try opening Keychain Access.app and see if that fixes the problem. Are you changing to the root user before using MacPorts or do you use `sudo port …` – that might affect whether this works, too.
comment:21 Changed 11 years ago by sgrewe (Stefan Grewe)
having Keychain Access.app open while running `sudo port install ...` did not help
`su root ...` also did not help, unfortunately
comment:22 Changed 11 years ago by neverpanic (Clemens Lang)
I'm afraid I'm at the end of my knowledge. I think this is an Apple bug and you should file a radar at http://bugreporter.apple.com.
Unless somebody at Apple involved with the SecurityFramework stuff reads this ticket and wants to shed some light? Anyone?
comment:24 follow-up: 25 Changed 11 years ago by cooljeanius (Eric Gallager)
Are you using curl-ca-bundle or certsync here? What does `port provides /opt/local/share/curl/curl-ca-bundle.crt` report for you?
comment:25 Changed 11 years ago by sgrewe (Stefan Grewe)
```
~$port provides /opt/local/share/curl/curl-ca-bundle.crt
/opt/local/share/curl/curl-ca-bundle.crt is provided by: curl-ca-bundle
```
comment:26 Changed 11 years ago by neverpanic (Clemens Lang)
That really doesn't matter in this case, because the problem occurs when using CommonCrypto, which uses the system's certificate store directly.
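The two `curl -v` transcripts in comment 12 already show which TLS stack and trust source each binary used, which is the distinction made in the comment above. The following is an added example, not part of the ticket or of MacPorts: a shell classifier for such transcripts. The function names are hypothetical, the samples are constructed excerpts of the comment 12 output, and the heuristic assumes the message formats seen there.

```shell
#!/bin/sh
# Added example (not from the ticket): classify a `curl -v` transcript by TLS backend.

# Constructed sample: abridged from the /usr/bin/curl output in comment 12.
sample_system_curl() {
cat <<'EOF'
* Connected to api.textmate.org (178.79.137.125) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: api.textmate.org (ANJGjwgFwEdOgck0)
EOF
}

# Constructed sample: abridged from the /opt/local/bin/curl output in comment 12.
sample_macports_curl() {
cat <<'EOF'
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* SSL certificate verify ok.
EOF
}

# Reads a transcript on stdin and prints "backend|cipher|trust source".
classify_curl_tls() {
    awk '
        # Secure Transport builds log the protocol version and an IANA cipher name.
        /^\* TLS [0-9.]+ connection using / { backend = "SecureTransport"; cipher = $NF; trust = "system keychain" }
        # OpenSSL builds log an OpenSSL cipher name and the CA file they loaded.
        /^\* SSL connection using / { backend = "OpenSSL"; cipher = $NF }
        /^\* +CAfile: / { trust = $3 }
        END {
            if (backend == "") { print "unknown"; exit 1 }
            if (trust == "") trust = "unknown"
            printf "%s|%s|%s\n", backend, cipher, trust
        }'
}

# Succeeds when both classifications name the same trust source.
same_trust_source() {
    a=$(printf '%s\n' "$1" | cut -d'|' -f3)
    b=$(printf '%s\n' "$2" | cut -d'|' -f3)
    [ "$a" = "$b" ]
}

sys=$(sample_system_curl | classify_curl_tls)
mp=$(sample_macports_curl | classify_curl_tls)
echo "system:   $sys"
echo "macports: $mp"
same_trust_source "$sys" "$mp" || echo "different trust sources: a CA bundle change affects only one client"
```

To use it on live output, pipe the stderr of `curl -v` into `classify_curl_tls`, for example `curl -v URL 2>&1 >/dev/null | classify_curl_tls`.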
comment:27 Changed 11 years ago by neverpanic (Clemens Lang)
Resolution: | → worksforme |
---|---|
Status: | new → closed |
There's nothing I can do about this ticket anymore; please report back if you hear from Apple what the cause might be, though.
comment:28 Changed 10 years ago by jeremyhu (Jeremy Huddleston Sequoia)
It would've been nice to have a radar filed about this at the time. We just got a radar today referencing this MacPorts ticket, but I cannot reproduce the problem on Mountain Lion, Mavericks, or Yosemite. I'm able to run `/usr/bin/git clone https://github.com/textmate/textmate.git` just fine. Is anyone seeing this issue with any other servers?
GitHub has been changing their SSL setup recently:
Perhaps that has something to do with it?