appveyor / ci

AppVeyor community support repository
https://www.appveyor.com

Problem with TLSv1.2 / TLSv1.3 when using DownloadFile #3821

Closed greg-1-anderson closed 2 years ago

greg-1-anderson commented 2 years ago

Up until recently (a couple of weeks ago), our Appveyor tests were running without problem. Recently, they started failing during setup.

Command we're trying to run:

  - appveyor DownloadFile https://curl.se/ca/cacert.pem -FileName C:\cacert.pem

Error message we're getting:

Error downloading remote file: One or more errors occurred.
Inner Exception: The request was aborted: Could not create SSL/TLS secure channel.

I can curl https://curl.se/ca/cacert.pem locally without issue.

I checked the cipher suites supported by the server:

$ nmap --script ssl-enum-ciphers -p 443 curl.se
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-20 12:47 PDT
Nmap scan report for curl.se (151.101.65.91)
Host is up (0.0067s latency).
Other addresses for curl.se (not scanned): 2a04:4e42:200::347 2a04:4e42:400::347 2a04:4e42:c00::347 2a04:4e42::347 2a04:4e42:600::347 2a04:4e42:a00::347 2a04:4e42:800::347 2a04:4e42:e00::347 151.101.1.91 151.101.193.91 151.101.129.91

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds

According to #1889, though, Appveyor has supported TLS 1.2 for many years. TLS 1.3 is still the most recent version, so I can't imagine that the problem could be caused by Appveyor dropping support for older protocols.

As a workaround, we were able to successfully switch to using curl:

  - curl -fsS -o C:\cacert.pem https://curl.se/ca/cacert.pem

So, in short, writing up this report was the rubber duck I needed to fix the problem. Since my testing seems to have revealed a problem with Appveyor's DownloadFile, I am reporting it anyway, although I do not need it to be resolved for our builds.

Our Appveyor configuration is here:

https://github.com/drush-ops/drush/blob/11.x/appveyor.yml

n.b. At the time of this writing, that's the broken configuration using DownloadFile, although we will probably merge the PR that fixes it with curl shortly. The PR in question is: https://github.com/drush-ops/drush/pull/5148

FeodorFitsner commented 2 years ago

You are building on Visual Studio 2015 images, which are based on Windows Server 2012 R2. It could be that 2012 R2 does not support some ciphers, so it's recommended to switch to Visual Studio 2019 or Visual Studio 2017 images, which are based on Windows Server 2019 and Windows Server 2016 respectively.
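The scan in the report and the reply above are two halves of one diagnosis: the server advertises a fixed set of protocol versions, cipher suites and key-exchange groups, and the handshake fails when the client's TLS stack has no overlap with them on every one of those dimensions. The following script is an added example, not part of this issue or of AppVeyor's tooling. It parses `nmap --script ssl-enum-ciphers` output in the layout shown above (the embedded text is a constructed copy of that scan) and checks it against two client profiles. Both profiles are constructed assumptions used to illustrate the kind of mismatch the reply describes; they are not the actual Schannel configuration of any Windows release.

```python
"""Check whether a client TLS profile can negotiate with a server, using
nmap ssl-enum-ciphers output as the description of what the server offers."""
import re

# Constructed sample: the same layout nmap's ssl-enum-ciphers script prints,
# copied from the scan in the issue so the parser can be exercised offline.
NMAP_OUTPUT = """\
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: A
"""

# "|   TLSv1.2: " style protocol headers and "|       SUITE (group) - grade" lines.
VERSION_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\((\w+)\)\s+-\s+([A-F])\s*$")

# Hypothetical legacy client: TLS 1.2 only, ECDHE suites present, but only the
# NIST curves as key-exchange groups (no x25519) and no ChaCha20.
LEGACY_CLIENT = {
    "versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "suites": {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    },
    "groups": {"secp256r1", "secp384r1"},
}

# Hypothetical modern client. TLS 1.3 suites use nmap's TLS_AKE_WITH_ naming
# here so they compare directly with the scan output.
MODERN_CLIENT = {
    "versions": {"TLSv1.2", "TLSv1.3"},
    "suites": {
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
    },
    "groups": {"ecdh_x25519", "secp256r1"},
}


def parse_enum_ciphers(text):
    """Return {version: [(suite, group, grade), ...]} from ssl-enum-ciphers output."""
    offered = {}
    version = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            offered[version] = []
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            offered[version].append((m.group(1), m.group(2), m.group(3)))
    return offered


def negotiable(offered, client):
    """(version, suite, group) triples both sides accept; empty means no handshake."""
    return [
        (version, suite, group)
        for version, entries in offered.items()
        if version in client["versions"]
        for suite, group, _grade in entries
        if suite in client["suites"] and group in client["groups"]
    ]


def explain(offered, client):
    """Name the first dimension (version, suite, group) with no overlap per version."""
    common = [v for v in offered if v in client["versions"]]
    if not common:
        return ["no common protocol version"]
    reasons = []
    for v in common:
        suites = {s for s, _, _ in offered[v]}
        groups = {g for _, g, _ in offered[v]}
        if not suites & client["suites"]:
            reasons.append(f"{v}: no common cipher suite")
        elif not groups & client["groups"]:
            reasons.append(f"{v}: no common key-exchange group (server offers {sorted(groups)})")
    return reasons


if __name__ == "__main__":
    offered = parse_enum_ciphers(NMAP_OUTPUT)
    for name, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        hits = negotiable(offered, client)
        print(name, "->", hits if hits else explain(offered, client))
```

The model is deliberately narrow (version, suite, named group), which is enough to show why "Could not create SSL/TLS secure channel" can appear against a server that does offer TLS 1.2: with the constructed legacy profile the suites overlap but the server's only TLS 1.2 group is x25519, so nothing is negotiable. To apply it to a real build image, replace the constructed profiles with the versions, suites and groups the image's TLS stack actually enables.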

greg-1-anderson commented 2 years ago

OK, thanks.