
#2548 SSL connect error

6200
fixed
SSL (3)
2017-01-12
2016-11-15
No

The version of the Update Wizard now in the repository is no longer able to connect to repositories and fails with the following message (the example is for 64 bits, but the 32 bits behaves the same):

INFO  Update - starting: Update Wizard (MiKTeX 2.9.6100 64-bit)
INFO  FileCopyPage - 
INFO  FileCopyPage - Error: SSL connect error

For the history of the problem please refer to
http://tex.stackexchange.com/questions/339105/miktex-update-wizard-cannot-connect-after-installing-november-package-refactori

The installers have been repackaged today, but launching the wizard after installing either basic-miktex-2.9.6161-x64.exe or basic-miktex-2.9.6161.exe will fail with the above messages.

Trying to install either with setup-2.9.6100-x64.exe or setup-2.9.6100.exe will fail at the very beginning with SSL connect error as soon as the installer tries to download the mirrors list.

Discussion

1 2 3 > >> (Page 1 of 3)
  • Christian Schenk

    • labels: --> SSL
    • summary: Miktex update wizard cannot connect after installing "November package refactoring" update --> SSL connect error
    • assigned_to: Christian Schenk
     
  • Christian Schenk

    Thank you. Please give the following info:

    • what is the operating system (e.g., Windows 10)
    • what is your default browser (e.g., Edge)

    Please try the following work-around:

    1) start Internet Explorer 11
    2) browse to this URL: https://api.miktex.org/Repository.asmx
    3) step 2) must work (not SSL connect error)
    4) close the browser
    5) run the update wizard

     

    Last edit: Christian Schenk 2016-11-15
  • Gabriele Garuglieri

    os: Windows 7 pro 64 Bits (regularly updated)
    def browser : Firefox 36.0.4

    I can contact your URL without problem with both IE and Firefox, and I'm able to see the SOAP answers from any of the links on the first page.

    I tried your procedure, step 2 works, but step 5 fails as above.

     
  • Christian Schenk

    Sorry, I gave you the old URL. This is the current URL:

    https://api2.miktex.org/

    If you can browse to this URL with IE without problems, then we must create a DebugView trace (I will post instructions).

     
  • Gabriele Garuglieri

    Apart from the usual complaints about an untrusted certificate, which I also got for the other site, I don't get any other error.
    But I don't see anything equivalent to the other URL. All that I see is a page titled "A SHORT STORY" "by A. U. Thor" :)

    What am I supposed to get?

     
  • Gabriele Garuglieri

    If this may help you, I traced the wizard connection with Wireshark.
    It looks like the client is rejecting the certificate, because after the server sends
    Server Hello, Certificate, Server Key Exchange, Server Hello Done
    the client replies with
    Alert (Level: Warning, Description: Close Notify) (15 0303 0002 0100)

     
  • Christian Schenk

     
  • Christian Schenk

    This seems to be a system dependent issue. Sorry that I can't help you.

     
  • Christian Schenk

    • status: open --> attic
     
  • Gabriele Garuglieri

    Considering that I used the wizard for about 4 years without problems and that for sure I didn't change anything in IE (I used it the last time about 2 years ago), can you tell me what you changed in the security handling?

     
  • Gabriele Garuglieri

    Doesn't matter.
    I figured it out myself.

    The Let's Encrypt CA is in the trusted store of Firefox but not in IE.

    You should document this on the site, because many others with old Windows installations may run into this problem.

     
  • Christian Schenk

    • status: attic --> open
     
  • Christian Schenk

    Thank you for the info. So you don't have IE11, right? What is your IE version?

     
  • Gabriele Garuglieri

    I do have IE 11, precisely 11.0.9600.17843.
    I installed IE 11 in April 2015 because I needed it to access a site that refused to work with anything different from IE 11, but I never used it since, because it's a stupid browser, and for sure I never tampered with its trust store; I try to keep myself as far as I can from anything concerning security.

    The fact is that the Let's Encrypt cert was not in the trust store and I had to download and install it manually; after that the wizard works.

    By the way, do you want proof that IE is stupid?
    I uninstalled the certificate to devise a correct installation procedure to document on Stack Exchange, and now IE refuses to display the https://letsencrypt.org/certificates/ page (I get an empty page), and if I try to install the certificate downloaded elsewhere, OBVIOUSLY it says the installation is executed correctly, but OBVIOUSLY the certificate is no longer saved in the trust store.
    I hope a reboot will cure the thing...

     
  • Gabriele Garuglieri

    Well... I think I talked too fast, there are still some problems somewhere.

    I installed basic-miktex-2.9.6161-x64.exe, then ran the update wizard. It stays "connecting..." for a while, then a popup says there are no available updates.
    But if I trace it I see that the encryption handshake goes correctly to the end (Change Cipher Spec). The server starts sending encrypted application frames (2 frames), then the client sends a TLS encrypted alert (64 bytes long) and truncates the session.

    1503030040a66a56b2ee93a69b052e957e1ec66d19c639e78de34782164e4ad0e65c0cafbd162cfe3b132fc0ddf24d58208b04039504c04a481f05bfc477f46974dfa65db3
    

    If I launch setup-2.9.6100-x64.exe, "connecting..." flashes for a moment in the dialog, which then remains there forever.
    Tracing, I see that the encryption handshake goes correctly to the end (Change Cipher Spec). The server starts sending encrypted application frames (22 frames), then the client sends a TLS encrypted alert (64 bytes long) and truncates the session.

    150303004068e166462de6a712d21533feea46e94a7ccd8e8a27ab5c1d10d635a7daad79512cef87cfe5a1faaddb3f6e8f21ddbdc91198a704986a2ae6628a79ef16ccee62
    

    Can you export and send me the certificate you have in your IE Trust Store?
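
Added example (not part of the original thread and not MiKTeX code): a small Python parser for the 5-byte TLS record header, applied to the plaintext alert quoted earlier in the thread (15 0303 0002 0100) and to the header of the 64-byte alerts above. The 64-byte body used here is constructed filler; an alert sent after Change Cipher Spec is ciphertext, so its level and description cannot be read from a capture without the session keys.

```python
import struct

# Values from RFC 5246 (TLS 1.2); the alert list is a subset.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      45: "certificate_expired", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version"}


def parse_tls_record(hex_dump):
    """Decode one TLS record given as a hex string (spaces allowed)."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    # Header layout: content type (1), protocol version (2), body length (2).
    ctype, version, length = struct.unpack("!BHH", raw[:5])
    body = raw[5:]
    if len(body) != length:
        raise ValueError(f"header announces {length} bytes, got {len(body)}")
    rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "version": VERSIONS.get(version, hex(version)),
           "length": length, "encrypted": False, "alert": None}
    if ctype == 21:
        if length == 2:
            # Plaintext alert: one byte level, one byte description.
            level, desc = body
            rec["alert"] = (ALERT_LEVELS.get(level, str(level)),
                            ALERT_DESCRIPTIONS.get(desc, str(desc)))
        else:
            # Longer than 2 bytes: the alert is protected by the negotiated
            # cipher, so only type, version and length are visible.
            rec["encrypted"] = True
    return rec


# Record quoted in the thread from the Wireshark trace.
PLAINTEXT_ALERT = "15 0303 0002 0100"
# Header as seen in the thread; the 64-byte body is constructed filler.
ENCRYPTED_ALERT = "1503030040" + "ab" * 64

if __name__ == "__main__":
    for sample in (PLAINTEXT_ALERT, ENCRYPTED_ALERT):
        print(parse_tls_record(sample))
```
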

     
  • Gabriele Garuglieri

    I imported into IE the full certificate suite exported from Firefox, but the problem is still there.

    Can you try to decrypt the above alerts to see what's going on?

    I've already seen at least a couple of people having this problem, and I guess that once people start to update and install the new packages this problem could become a hassle.

     
  • Gabriele Garuglieri

    I forgot to attach the certificate suite.

     
  • Christian Schenk

    Is the "DST Root CA X3" certificate in the Trusted Root Certification Authorities certificate store?

     
  • Gabriele Garuglieri

    Sure, otherwise I'd still be stuck with the previous SSL connect error

     
  • Christian Schenk

    MiKTeX uses curl and WinSSL (schannel) under the hood and you can create a curl trace which also includes SSL events. You will need a running DebugView (catches trace messages).

    DebugView can be downloaded from here:
    https://technet.microsoft.com/en-us/sysinternals/debugview.aspx

    To create a trace:

    1) start a DOS prompt
    2) set the MIKTEX_TRACE environment variable
    3) start DebugView
    4) start the update wizard

    For example:

    set MIKTEX_TRACE=error,curl
    dbgview
    "C:\Program Files\MiKTeX 2.9\miktex\bin\x64\internal\miktex-update.exe"
    

    I have attached a "normal" trace. In your case, we should see some error events.

     
  • Mike Torrence

    Mike Torrence - 2016-11-16

    I am having the exact same problem described above (SSL Error) any time I try to update or if it needs to auto-retrieve a package. This was after the latest update, everything was working before I did an update yesterday.

     
    • Gabriele Garuglieri

      Mike, try to import into IE the certificates I attached above and see how your mileage is going.
      Be sure they are imported into the "Trusted Root Certification Authorities" certificate store, or it won't work.

       
      • Mike Torrence

        Mike Torrence - 2016-11-17

        I imported the certificates and I still get the following:

        2016-11-17 07:31:16,027-0500 INFO Update - starting: Update Wizard (MiKTeX 2.9.6100 64-bit)
        2016-11-17 07:31:19,492-0500 INFO FileCopyPage -
        2016-11-17 07:31:19,492-0500 INFO FileCopyPage - Error: SSL connect error

         
        • Gabriele Garuglieri

          Here I'm shamelessly predating from Christian's indications and from my experience.
          IE is sometimes a bit prickly, so be sure to close all the windows of IE, then reopen it and check that your Trusted Store is showing what you see in the attached screenshot.
          If you don't see it, then try reimporting the certificates, then close all the IE windows before trying the wizard again.

          For me it worked and the SSL error was gone.

          If you see the certificates and after closing IE you still have the error, and Christian is not able to shed some light on this, maybe the last chance is an exorcist...

           