HaxeFoundation / haxelib

The Haxe library manager
https://lib.haxe.org/
MIT License

haxelib not accessible with Haxe 3.x #586

Closed sebthom closed 1 year ago

sebthom commented 1 year ago

All builds are continuously failing with errors like:

Downloading hxjava-3,2,0.zip...
Download complete : 0 bytes in 10s (0KB/s)
Http connection timeout. Try running haxelib -notimeout <command> to disable timeout

andyli commented 1 year ago

May I know your haxe and haxelib versions? Also, could you try running curl -vLI https://lib.haxe.org/p/hxjava/3.2.0/download/ in the CI job?

If your project is public, I can also take a look at that.

sebthom commented 1 year ago

This is one of the jobs https://github.com/vegardit/haxe-reusable-workflows/actions/runs/4167044721

It apparently only fails for Haxe 3.4.7.

I thought the other jobs are green because they already had all libs in the GitHub cache.

sebthom commented 1 year ago

This is the curl output

curl -vLI https://lib.haxe.org/p/hxjava/3.2.0/download/
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 46.101.64.224:443...
* Connected to lib.haxe.org (46.101.64.224) port 443 (#0)

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4023 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=lib.haxe.org
*  start date: Feb 12 20:39:46 2023 GMT
*  expire date: May 13 20:39:45 2023 GMT
*  subjectAltName: host "lib.haxe.org" matched cert's "lib.haxe.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55cd9eec7df0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> HEAD /p/hxjava/3.2.0/download/ HTTP/2
> Host: lib.haxe.org
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< HTTP/2 301 
< date: Mon, 13 Feb 2023 20:08:28 GMT
< content-type: text/html
< content-length: 0
< location: /files/3.0/hxjava-3,2,0.zip
< strict-transport-security: max-age=15724800; includeSubDomains
< x-cache-status: MISS
< 

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host lib.haxe.org left intact
* Issue another request to this URL: 'https://lib.haxe.org/files/3.0/hxjava-3,2,0.zip'
* Found bundle for host lib.haxe.org: 0x55cd9eebfd50 [can multiplex]
* Re-using existing connection! (#0) with host lib.haxe.org
* Connected to lib.haxe.org (46.101.64.224) port 443 (#0)
* Using Stream ID: 3 (easy handle 0x55cd9eec7df0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> HEAD /files/3.0/hxjava-3,2,0.zip HTTP/2
> Host: lib.haxe.org
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< HTTP/2 302 
< date: Mon, 13 Feb 2023 20:08:28 GMT
< content-type: text/html
< location: https://haxelib-files.haxe.org/files/3.0/hxjava-3,2,0.zip
< strict-transport-security: max-age=15724800; includeSubDomains
< 

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host lib.haxe.org left intact
* Issue another request to this URL: 'https://haxelib-files.haxe.org/files/3.0/hxjava-3,2,0.zip'
*   Trying 104.21.38.211:443...
* Connected to haxelib-files.haxe.org (104.21.38.211) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2306 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=haxelib-files.haxe.org
*  start date: Feb 13 00:00:00 2023 GMT
*  expire date: Feb 12 23:59:59 2024 GMT
*  subjectAltName: host "haxelib-files.haxe.org" matched cert's "haxelib-files.haxe.org"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> HEAD /files/3.0/hxjava-3,2,0.zip HTTP/1.1
> Host: haxelib-files.haxe.org
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
HTTP/2 301 
{ [5 bytes data]
date: Mon, 13 Feb 2023 20:08:28 GMT
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
content-type: text/html
{ [230 bytes data]
content-length: 0
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
location: /files/3.0/hxjava-3,2,0.zip
{ [230 bytes data]
strict-transport-security: max-age=15724800; includeSubDomains
x-cache-status: MISS
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 13 Feb 2023 20:08:29 GMT
< Content-Type: application/zip
< Content-Length: 4798202
< Connection: keep-alive
< ETag: "2764a3acbd6ef6a857226d6ba96b2196"
< Last-Modified: Mon, 13 Feb 2023 11:19:03 GMT
< Vary: Accept-Encoding
< Cache-Control: max-age=14400
< CF-Cache-Status: REVALIDATED
< Accept-Ranges: bytes
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6Ug4ehZFrlLCC1H30rX462lLYYN9zvKGku0q6gf6boLHB5I35qpV0jJm%2FyyzsX0E%2FFXDjos4AzXcAKv%2F3j8yMAYtxhCWyL2joWVb6W%2FAUUUlmWnUavuQylmWYVqsPHeemh0Mo8mKzr2R"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 7990323d6c837c62-LAX
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
< 

  0 4685k    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #1 to host haxelib-files.haxe.org left intact

HTTP/2 302 
date: Mon, 13 Feb 2023 20:08:28 GMT
content-type: text/html
location: https://haxelib-files.haxe.org/files/3.0/hxjava-3,2,0.zip
strict-transport-security: max-age=15724800; includeSubDomains

HTTP/1.1 200 OK
Date: Mon, 13 Feb 2023 20:08:29 GMT
Content-Type: application/zip
Content-Length: 4798202
Connection: keep-alive
ETag: "2764a3acbd6ef6a857226d6ba96b2196"
Last-Modified: Mon, 13 Feb 2023 11:19:03 GMT
Vary: Accept-Encoding
Cache-Control: max-age=14400
CF-Cache-Status: REVALIDATED
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6Ug4ehZFrlLCC1H30rX462lLYYN9zvKGku0q6gf6boLHB5I35qpV0jJm%2FyyzsX0E%2FFXDjos4AzXcAKv%2F3j8yMAYtxhCWyL2joWVb6W%2FAUUUlmWnUavuQylmWYVqsPHeemh0Mo8mKzr2R"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7990323d6c837c62-LAX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

sebthom commented 1 year ago

I just tried it locally with Haxe 3.4.7; there it also fails. So I guess it has issues doing the TLS handshake?

andyli commented 1 year ago

Thanks for the info. Looking into it now. Will take some time.

sebthom commented 1 year ago

I tried to convince haxelib to disable HTTPS using the magic env variable HAXELIB_NO_SSL=1 but it does not have any effect.

andyli commented 1 year ago

Have just fixed it in 0d4a02561d17e2f2eec15da9b1225ece16901c49 and deployed to production. Please confirm the fix.

The problem:

Older versions of haxelib clients have no support for redirection and https. The haxelib server uses Apache to reverse proxy the file content to those older clients.

The file CDN we were using (Digital Ocean) was configured to allow http and https transfers. The haxelib server Apache was using http to talk to the CDN.

The new file CDN (Cloudflare R2) only uses https, but our Apache config didn't support that, thus the transmission failed.
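
Added example, not the haxelib server's actual configuration and not the content of the fix commit: a sketch of the Apache reverse-proxy change the comment above describes, moving the backend from HTTP to HTTPS with upstream certificate verification enabled. The hostname `old-cdn.example` and the unconditional `/files/3.0/` mapping are assumptions; the new backend hostname and the CA bundle path are taken from the curl output earlier in the thread.

```apache
# Added illustration, not the haxelib server's real configuration.
# old-cdn.example and the unconditional /files/3.0/ mapping are assumptions.

# Before: the proxy talks to the file backend over plain HTTP.
# Per the thread, this fails once the backend only serves HTTPS.
# ProxyPass        "/files/3.0/" "http://old-cdn.example/files/3.0/"
# ProxyPassReverse "/files/3.0/" "http://old-cdn.example/files/3.0/"

# After: the proxy talks to the backend over HTTPS.
# Needs mod_ssl in addition to mod_proxy and mod_proxy_http.
SSLProxyEngine on

# Authenticate the backend instead of only encrypting the connection to it.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyCACertificateFile "/etc/ssl/certs/ca-certificates.crt"

# Send the backend's own hostname as Host header (and SNI),
# not the hostname the old client asked for.
ProxyPreserveHost Off

ProxyPass        "/files/3.0/" "https://haxelib-files.haxe.org/files/3.0/"
ProxyPassReverse "/files/3.0/" "https://haxelib-files.haxe.org/files/3.0/"
```

Clients that cannot do HTTPS themselves rely entirely on this proxy hop for transport security to the CDN, so the `SSLProxyVerify` and `SSLProxyCheckPeer*` directives matter as much as `SSLProxyEngine`.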

sebthom commented 1 year ago

Works, thanks a lot!