Discovered with the test suite, and reproduced directly.
Trying to connect to hub.darcs.net with darcs built against
`tls-2.0.0`, we get
```
Error getting "https://hub.darcs.net/darcs/darcs-screened/_darcs/format": InternalException (HandshakeFailed (Error_Protocol
"peer does not support Extended Main Secret" HandshakeFailure))
```
And also:
```
Error getting "https://hub.darcs.net/darcs/darcs-screened/_darcs/inventory": InternalException (HandshakeFailed
(Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure))
```
The immediate trigger is that between tls-1.9.0 and tls-2.0.0,
the default setting for this was changed from "AllowEMS" to
"RequireEMS".
I've tried overriding this setting from darcs but ran into
other problems with overriding any TLS settings.
For now I'll probably constrain tls to <2.0.0. The best
long-term fix would probably be to update hub.darcs.net,
or alternatively figure out how to override the TLS settings.
> or alternatively figure out how to override the TLS settings.
I tried that (after receiving no reply on cafe). Looks impossible.
The main problem lies with
https://hackage.haskell.org/package/crypton-connection-0.3.1/docs/Network-Connection.html#t:TLSSettings
which is either simple settings (basically using the defaults defined in tls
package) or manually defined settings; but in the latter case it must contain all
connection parameters like the host name etc, so it can't be used with the generic
connection manager from client-http.
The only viable solution I can see is to persuade the library authors of
crypton-connection
and http-client to provide an explicit way for users to override the defaults for
generic (i.e. not host or service specific) TLS (client) parameters, specifically
the `clientSupported` member of Network.TLS.ClientParams.
The author of crypton-connection indicated that a PR that adds the
missing functionality would be accepted and a new release made. I have
made the necessary changes and successfully tested them with darcs. So it
looks as if we can get this sorted out soon.
The following patch sent by Ben Franksen <ben.franksen@online.de> updated issue issue2715 with
status=resolved;resolvedin=2.18.1
Hash: 2797a991d7c708fc055960ce07ac98d250a941e8
Author: Ben Franksen <ben.franksen@online.de>
* resolve issue2715: hub.darcs.net does not support "Extended Main Secret"
We use a new addition to crypton-connection in order to change the default
setting back to old (tls < 2.0) default. For ghc < 8.8 crypton-connection
is not available, so instead we constrain tls as before.
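
The two ways of relaxing the EMS requirement discussed in this thread, as an added example that is not darcs's or crypton-connection's own code. It assumes tls-2.0.x (with its data-default-class `Default` instances), http-client-tls, crypton-x509-system, and a crypton-connection release whose `TLSSettingsSimple` exposes a `settingClientSupported` field; `legacySupported`, `perHostManager` and `genericManager` are hypothetical names.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Data.Default.Class (def)
import Network.Connection (TLSSettings (..))
import Network.HTTP.Client (Manager, httpNoBody, newManager, parseRequest, responseStatus)
import Network.HTTP.Client.TLS (mkManagerSettings)
import qualified Network.TLS as TLS
import Network.TLS.Extra.Cipher (ciphersuite_default)
import System.X509 (getSystemCertificateStore)

-- tls >= 2.0 defaults to RequireEMS. AllowEMS restores the tls < 2.0 default:
-- Extended Main Secret (RFC 7627) is used when the server offers it, and the
-- handshake continues without that protection when it does not.
legacySupported :: TLS.Supported
legacySupported = def
  { TLS.supportedCiphers            = ciphersuite_default
  , TLS.supportedExtendedMainSecret = TLS.AllowEMS
  }

-- Manual settings: ClientParams embeds the server name (used for SNI and
-- certificate validation), so the resulting manager is only correct for
-- that one host. This is the limitation described in the thread.
perHostManager :: String -> IO Manager
perHostManager host = do
  store <- getSystemCertificateStore
  let params = (TLS.defaultParamsClient host "")
        { TLS.clientSupported = legacySupported
        , TLS.clientShared    = def { TLS.sharedCAStore = store }
        }
  newManager (mkManagerSettings (TLSSettings params) Nothing)

-- Simple settings with only the Supported record overridden: host name and
-- CA store are still filled in per connection, so one manager serves any host.
-- Assumption: settingClientSupported is available in the installed
-- crypton-connection.
genericManager :: IO Manager
genericManager =
  newManager (mkManagerSettings (def { settingClientSupported = legacySupported }) Nothing)

main :: IO ()
main = do
  mgr <- genericManager
  req <- parseRequest "https://hub.darcs.net/darcs/darcs-screened/_darcs/format"
  rsp <- httpNoBody req mgr
  print (responseStatus rsp)  -- with RequireEMS this request fails in the handshake
```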