textmate2 @2.0-rc.4_2 build fails on Ruby ssl connection

[p-vitt (pvitt)]

I'm trying to install textmate2 on some macOS 10.12 machines, however, the build fails. The log file tells:

:info:build [743/1086] bin/gen_html > /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html~ -h Applications/TextMate/templates/header.html -f Applications/TextMate/templates/footer.html Applications/TextMate/about/Contributions.md Applications/TextMate/references.md && mv /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html~ /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html
:info:build FAILED: /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html
:info:build bin/gen_html > /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html~ -h Applications/TextMate/templates/header.html -f Applications/TextMate/templates/footer.html Applications/TextMate/about/Contributions.md Applications/TextMate/references.md && mv /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html~ /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/build/Applications/TextMate/TextMate.app/Contents/Resources/Contributions.html
:info:build /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert protocol version (OpenSSL::SSL::SSLError)
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `block in connect'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `connect'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:851:in `start'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:1373:in `request'
:info:build     from /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/bin/gen_credits.rb:84:in `user_by_email'
:info:build     from /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/bin/gen_credits.rb:119:in `block in generate_credits'
:info:build     from /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/bin/gen_credits.rb:107:in `each'
:info:build     from /opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4/bin/gen_credits.rb:107:in `generate_credits'
:info:build     from (erb):10:in `block in <main>'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/erb.rb:846:in `eval'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/erb.rb:846:in `block in result'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/erb.rb:847:in `call'
:info:build     from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/erb.rb:847:in `result'
:info:build     from bin/gen_html:29:in `expand_tpl'
:info:build     from bin/gen_html:114:in `block in <main>'
:info:build     from bin/gen_html:114:in `open'
:info:build     from bin/gen_html:114:in `<main>'
:info:build ninja: build stopped: subcommand failed.
:info:build Command failed:  cd "/opt/local/var/macports/build/_Users_pv_ports_local_repo_editors_textmate2/textmate2/work/textmate-2.0-rc.4" && ninja -j4 TextMate mate -v
:info:build Exit code: 1
:error:build Failed to build textmate2: command execution failed
:debug:build Error code: CHILDSTATUS 94613 1
:debug:build Backtrace: command execution failed
:debug:build     while executing
:debug:build "system {*}$notty {*}$nice $fullcmdstring"
:debug:build     invoked from within
:debug:build "command_exec build"
:debug:build     (procedure "portbuild::build_main" line 8)
:debug:build     invoked from within
:debug:build "$procedure $targetname"

This seems to be a SSL/TLS problem, however, I don't know why this is used and how it can be fixed. A very rough guess: Could this be caused by a strict ssl/tls library not accepting ssl anymore?

[neverpanic (Clemens Lang)]

textmate2 connects to the GitHub API during build to generate its about page. This sometimes fails due to GitHub's rate limits, although this does seem related to TLS. Maybe GitHub recently changed their TLS settings, or your machine has a problem with certificates or some other part of the TLS setup.

I haven't seen this particular issue during a textmate build before, although I've seen HTTP errors returned due to reaching the unauthenticated API limit.

[p-vitt (pvitt)]

For what it's worth: When I force bin/gen_html to use SSLv3

79     http.use_ssl = true
80     http.ssl_version = 'SSLv3'
81     http.verify_mode = OpenSSL::SSL::VERIFY_NONE

I get

/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)

[p-vitt (pvitt)]

Although I can't certainly rule out the possibility that it is my TLS setup causing this problem, it doesn't seem to be the culprit as I get this error message on all five machines I tested so far.

[p-vitt (pvitt)]

Establishing a SSL connection to api.github.com succeeds:

$ openssl version
OpenSSL 1.0.2o  27 Mar 2018
$ openssl s_client -connect api.github.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<shortened>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3588 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 03A5CD71AAD7CA0699E6E76694FFF93F6B8A3DDAC4F0880E6C9C87B9E4E932A6
    Session-ID-ctx:
    Master-Key: 6F8DE8B61F8CAEA3AB6FA48392E94FD5996128210C2B2F9BAC7F3730F382BE00E103BE6D2075533798A4BAF05E0B1472
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1528194802
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

[p-vitt (pvitt)]

Using this ​script, it says for SSLv3 and TLSv1 that my OpenSSL is too old, for auto and TLSv2 it fails with unknown SSL method. Some details:

$ ~/check.rb github.com SSLv3 VERIFY_NONE
Here's your Ruby and OpenSSL environment:

Ruby:           2.0.0p648 (2015-12-16 revision 53162) [universal.x86_64-darwin16]
RubyGems:       2.0.14.1
Compiled with:  OpenSSL 0.9.8zc 19 Mar 2015
Loaded version: OpenSSL 0.9.8zh 14 Jan 2016
SSL_CERT_FILE:  /System/Library/OpenSSL/cert.pem
SSL_CERT_DIR:   /System/Library/OpenSSL/certs

With that out of the way, let's see if you can connect to github.com...

Bundler connection to github.com:       failed  ❌  (uninitialized constant Bundler)
RubyGems connection to github.com:      failed  ❌  (SSL/TLS protocol version mismatch)
Ruby net/http connection to github.com: failed  ❌

Unfortunately, this Ruby can't connect to github.com. 😡
Your Ruby can't connect to github.com because your version of OpenSSL is too old. You'll need to upgrade your OpenSSL install and/or recompile Ruby to use a newer OpenSSL.
$ sudo port install ruby25
<snip>
$ ~/check.rb github.com SSLv3 VERIFY_NONE
Here's your Ruby and OpenSSL environment:

Ruby:           2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin16]
RubyGems:       2.7.6
Compiled with:  OpenSSL 1.0.2o  27 Mar 2018
Loaded version: OpenSSL 1.0.2o  27 Mar 2018
SSL_CERT_FILE:  /opt/local/etc/openssl/cert.pem
SSL_CERT_DIR:   /opt/local/etc/openssl/certs

With that out of the way, let's see if you can connect to github.com...

Bundler connection to github.com:       failed  ❌  (uninitialized constant Bundler)
RubyGems connection to github.com:      success ✅
Ruby net/http connection to github.com: failed  ❌

Unfortunately, this Ruby can't connect to github.com. 😡
Your Ruby can't connect to github.com because your version of OpenSSL is too old. You'll need to upgrade your OpenSSL install and/or recompile Ruby to use a newer OpenSSL.

Also with the latest ruby25/OpenSSL, the error stays the same.

[neverpanic (Clemens Lang)]

Hm, OpenSSL 1.0.2o should be able to connect to GitHub just fine, and in fact the net/http connection succeeds for me on 10.13 with OpenSSL 1.0.2 when using the ruby from the ruby23 port.

10.13 replaced the outdated OpenSSL with LibreSSL, which probably is new enough to talk to GitHub, so we may just have to add a dependency on our own Ruby for builds on 10.12. I do not understand why your Ruby 2.5 doesn't work though, mine does:

$ /opt/local/bin/ruby2.3 check.rb api.github.com
Here's your Ruby and OpenSSL environment:

Ruby:           2.3.7p456 (2018-03-28 revision 63024) [x86_64-darwin17]
RubyGems:       2.5.2.3
Bundler:        1.16.1
Compiled with:  OpenSSL 1.0.2o  27 Mar 2018
Loaded version: OpenSSL 1.0.2o  27 Mar 2018
SSL_CERT_FILE:  /opt/local/etc/openssl/cert.pem
SSL_CERT_DIR:   /opt/local/etc/openssl/certs

With that out of the way, let's see if you can connect to api.github.com...

Bundler connection to api.github.com:       success ✅
RubyGems connection to api.github.com:      success ✅
Ruby net/http connection to api.github.com: success ✅

Hooray! This Ruby can connect to api.github.com. You are all set to use Bundler and RubyGems. 👌

Is there anybody else on 10.12 that could test this? Otherwise, remind me next week, my work machine is still 10.12.

[neverpanic (Clemens Lang)]

I can in fact reproduce this on a 10.12 machine with /usr/bin/ruby (which uses OpenSSL 0.9.8). I'll have to add a ruby dependency for the textmate2 build on systems older than 10.13.

[neverpanic (Clemens Lang)]

In aba2eddb6a76a526c9d162d549c7394ee8a4d8b6/macports-ports (master):

textmate2: Use MacPorts ruby on Sierra and below

Ruby on all systems lower than High Sierra uses an old OpenSSL and can
no longer connect to GitHub, which fails the build.

Closes: #56559