Closed TuxSH closed 2 years ago
Themeplaza recently migrated servers (recently being overnight), part of which seems to have involved disabling TLSv1.1 (probably unintentionally) without any prior warning to us. Because Anemone uses the http sysmodule TLS versions newer than 1.1 are not supported. I've contacted the site owners and asked them to re-enable TLSv1.1, but in the long term we may want to consider switching to libcurl to support newer TLS versions.
TLSv1.1 is supported on ThemePlaza again so this should no longer be an issue. I'm going to leave this open however while I consider our options going forward with regards to libcurl.
b81a9aaa4c30e27ac2ffb8d1fcf5f037c91e7f15 fixes this; Theme Plaza no longer supports TLSv1.1 and now provides HTTP URIs for downloads and the Anemone API. This is not considered a security risk, as no identifying information is shared over the connection and we were vulnerable to MITM attacks already as we've never verified the SSL certificate anyway.
Build is latest commit (used on latest Luma commit w/o changes), tested on sysvers 11.14 and 9.6 (N3DSXL, O2DS).
When trying to download any theme from ThemePlaza (e.g. https://themeplaza.art/download/31776), httpc returns error
d8a0a03c
(invalid state). This is from theparse_header
call at line 956 inremote.c
.Here is the (slightly modified) debug log: