chocolatey / home

The place to start for issues with areas of Chocolatey that are infrastructure related, or really any issues could be started here. There is also choco for the CLI client, Chocolatey GUI for the GUI.

Package Verifier - Could not create secure channel failure #11

Open gep13 opened 3 years ago

gep13 commented 3 years ago

Hello,

The package CoolTerm failed automatic verification based on the following error:

"The request was aborted: Could not create SSL/TLS secure channel."

https://gist.github.com/choco-bot/9220df125541e90f4c9b91b42831cbfd#file-install-txt-L342

The browser doesn't show any warnings, and neither do cURL or wget. I've retried verification a few times, but to no avail.

Thanks!

Update

This seems to be starting to affect a number of packages...


AdmiringWorm commented 3 years ago

I think you may add the eduke32 package to the list as well.

TheCakeIsNaOH commented 3 years ago

And evga-flow-control probably should be added.

chtof commented 3 years ago

For information, the comment I added for the review of evga-flow-control:

_This package fails during Get-WebHeaders -url 'https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip' -ErrorAction 'Stop'. After investigation, https://cdn.evga.com uses TLS1.3, and TLS1.3 seems not to be supported on Windows 2012. (...)_

To be confirmed, but my thought is that this issue concerns domains using TLS1.3.

I also checked eduke32 and it uses TLS1.3.

Now, my update script for lossless-audio-checker fails (au_GetLatest failed; The request was aborted: Could not create SSL/TLS secure channel.) and https://losslessaudiochecker.com/ uses TLS1.3

And I doubt it is possible to support TLS 1.3 on Windows 2012...

chtof commented 3 years ago

Well, not sure if it is related to TLS1.3, as 3 domains of the list don't use TLS1.3 (w10privacy/openflexure-connect/coolterm packages). Or it can be related to the ciphers supported (as suggested by @TheCakeIsNaOH in the review of evga-flow-control package).

==============================================================================
4k-video-downloader|https://gist.github.com/choco-bot/f1a8787080a08f6822b82c413b307b48#file-install-txt-L363|https://dl.4kdownload.com/app/4kvideodownloader_4.14.0_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
4k-stogram|https://gist.github.com/choco-bot/4a4b0a187580d6ecbff3ee05fd0ff2a8#file-install-txt-L364|https://dl.4kdownload.com/app/4kstogram_3.3.0_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
eduke32||https://dukeworld.com/eduke32/synthesis/20210206-9310-b7d4ae3a5/eduke32_win64_20210206-9310-b7d4ae3a5.7z
https://www.cdn77.com/tls-test?domain=dukeworld.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256

==============================================================================
exiftool|https://gist.github.com/choco-bot/c9f48504a00a21508ed8b1f074a40206#file-install-txt-L343|https://exiftool.org/exiftool-12.12.zip
https://www.cdn77.com/tls-test?domain=exiftool.org
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
evga-flow-control|https://gist.github.com/choco-bot/8d82c5b362a1e4bfac35a57b92e875f7|https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip
https://www.cdn77.com/tls-test?domain=cdn.evga.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
4k-youtube-to-mp3|https://gist.github.com/choco-bot/556c775b8a971440f19d3b28bbd624a3#file-install-txt-L363|https://dl.4kdownload.com/app/4kyoutubetomp3_3.14.1_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
w10privacy|https://gist.github.com/choco-bot/f0b8e7cd329fdb2223d2b2d6e5df3ac0#file-install-txt-L342|https://sf91b3285d9193eec.jimcontent.com/download/version/1609175074/module/12302828636/name/W10Privacy.zip' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\w10privacy\3.7.0.3\w10privacyInstall.zip
https://www.cdn77.com/tls-test?domain=sf91b3285d9193eec.jimcontent.com
TLS 1.3 disabled !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

==============================================================================
openflexure-connect|https://gist.github.com/choco-bot/6f8a07c575856b7c2a7b2fc38bb300f2#file-install-txt-L326|https://build.openflexure.org/openflexure-ev/openflexure-connect-4.0.1-win.exe
https://www.cdn77.com/tls-test?domain=build.openflexure.org
TLS 1.3 disabled !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

==============================================================================
CoolTerm||https://freeware.the-meiers.org/CoolTermWin.zip
https://www.cdn77.com/tls-test?domain=freeware.the-meiers.org
TLS 1.3 disabled !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

==============================================================================
minio-server|https://gist.github.com/choco-bot/dea28bf005cd923c3e9bfaa476956081#file-install-txt-L346|https://dl.min.io/server/minio/release/windows-amd64/minio.exe
https://www.cdn77.com/tls-test?domain=dl.min.io
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

Note: https://github.com/minio/minio/issues/5834 regarding why some ciphers have been removed by minio server in 2018.

chtof commented 3 years ago

And TLS2 ciphers supported by my Chocolatey test environment (Windows 2012):

Cipher Suites (26 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Notes:
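Added example, not part of the original thread: a name-level comparison of the TLS 1.2 suites from the scan results above with the Windows 2012 client list, showing which hosts share no suite with that client. Host keys and suite names are copied from the comments; the dictionary covers a subset of the listed hosts, and a shared name does not by itself guarantee a successful handshake.

```python
"""Overlap between server TLS 1.2 suites and the Windows 2012 client list."""

# The 26 suites from the Windows 2012 ClientHello posted in the thread.
CLIENT_SUITES = frozenset("""
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
""".split())

# TLSv1.2 rows of the scan results posted in the thread (subset of hosts),
# kept in the order the scan listed them.
SERVER_TLS12 = {
    "dl.4kdownload.com": """
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA""".split(),
    "dukeworld.com": """
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256""".split(),
    "exiftool.org": """
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256""".split(),
    "cdn.evga.com": """
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256""".split(),
    "freeware.the-meiers.org": """
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256""".split(),
    "dl.min.io": """
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256""".split(),
}


def shared_suites(host):
    """Suites the server accepts that the client also offers, in server order."""
    return [s for s in SERVER_TLS12[host] if s in CLIENT_SUITES]


def hosts_without_overlap():
    """Hosts whose TLS 1.2 suite list has nothing in common with the client."""
    return sorted(h for h in SERVER_TLS12 if not shared_suites(h))


def report():
    """One line per host: either the count of shared suites or a mismatch flag."""
    lines = []
    for host in SERVER_TLS12:
        common = shared_suites(host)
        if common:
            verdict = f"{len(common)} shared, first: {common[0]}"
        else:
            verdict = "no shared suite (handshake cannot complete on ciphers alone)"
        lines.append(f"{host:26} {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Hosts that do share a suite with this client need another explanation for their failure, such as the protocol version requested or certificate validation.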

chtof commented 3 years ago

And octave.install should be also added:

Attempt to get headers for https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."

flcdrg commented 3 years ago

https://chocolatey.org/packages/kodi/19.0

chtof commented 3 years ago

https://chocolatey.org/packages/pspad/5.0.5

https://gist.github.com/choco-bot/080f2a935daded858c38fa1311527310:

2021-02-19 12:51:04,902 2076 [DEBUG] - Running Get-WebHeaders -url 'https://www.pspad.com/files/pspad/pspad505en.zip' -ErrorAction 'Stop' 
2021-02-19 12:51:04,902 2076 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:04,919 2076 [DEBUG] - Request Headers:
2021-02-19 12:51:04,934 2076 [DEBUG] -   'Accept':'*/*'
2021-02-19 12:51:04,934 2076 [DEBUG] -   'User-Agent':'chocolatey command line'
2021-02-19 12:51:06,308 2076 [INFO ] - Attempt to get headers for https://www.pspad.com/files/pspad/pspad505en.zip failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.pspad.com/files/pspad/pspad505en.zip'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

virtualex-itv commented 3 years ago

phraseexpress.install should be also added:

Chocolatey package: chocolatey.org/packages/phraseexpress.install/15.0.84.1 Log: gist.github.com/choco-bot/43f33a84932af4ee0a63386ccb5616db

2021-02-19 12:51:06,402 2284 [DEBUG] - Running Get-WebFile -url 'https://www.phraseexpress.com/PhraseExpressSetup.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\phraseexpress.install\15.0.84.1\PhraseExpress.InstallInstall.MSI' -options 'System.Collections.Hashtable' 
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting request timeout to  30000
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting read/write timeout to  2700000
2021-02-19 12:51:06,434 2284 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:08,746 2284 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.phraseexpress.com/PhraseExpressSetup.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331

no issues manually downloading the file via powershell and generating correct hash

Invoke-WebRequest -Uri https://www.phraseexpress.com/PhraseExpressSetup.msi -OutFile C:\PhraseExpressSetup.msi
Get-FileHash -Path C:\PhraseExpressSetup.msi -Algorithm SHA256
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          84F077781B018C4354BB1DD9D828F610C3528686C149768EF9CABAE6666B6174       C:\PhraseExpressSetup.msi

installs fine in chocolatey test environment: 2021-03-06_23-40-08

mkevenaar commented 3 years ago

https://chocolatey.org/packages/bacula/11.0.1 https://gist.github.com/8ca3c8959594340c0f528e9a7b9792f2

2021-02-19 12:50:56,059 2276 [DEBUG] - Setting url to 'https://www.bacula.org/download/10592/' and bitPackage to 64
2021-02-19 12:50:56,105 2276 [DEBUG] - Running Get-WebFileName -url 'https://www.bacula.org/download/10592/' -defaultName 'baculaInstall.exe' 
2021-02-19 12:50:58,871 2276 [DEBUG] - Url request/response failed - file name will be 'baculaInstall.exe':  Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:50:58,903 2276 [DEBUG] - Running Get-WebHeaders -url 'https://www.bacula.org/download/10592/' -ErrorAction 'Stop' 
2021-02-19 12:50:58,918 2276 [DEBUG] - Setting the UserAgent to 'chocolatey command line'

ggarra13 commented 3 years ago

I am posting a similar issue for a zip file downloaded from sourceforge. My script uses Test-Url and it fails verification with the following message:

2021-02-19 12:51:10,965 1376 [DEBUG] - Setting url to 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' and bitPackage to 64
2021-02-19 12:51:11,152 1376 [DEBUG] - Running Get-WebFileName -url 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' -defaultName 'mrViewerInstall.zip'
2021-02-19 12:51:12,949 1376 [DEBUG] - Url request/response failed - file name will be 'mrViewerInstall.zip': Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:51:13,058 1376 [DEBUG] - Running Get-WebHeaders -url 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' -ErrorAction 'Stop'
2021-02-19 12:51:13,058 1376 [DEBUG] - Setting the UserAgent to 'chocolatey command line'

Running the script locally it installs just fine. Full log at: https://gist.github.com/0b97c974600d6d39f161cacbe0bad92b

TheCakeIsNaOH commented 3 years ago

Another one anystream: https://chocolatey.org/packages/anystream/1.0.9.0 https://gist.github.com/choco-bot/09b0047ef557e8da56fbf343a056a46b

I've added an exemption.

TheCakeIsNaOH commented 3 years ago

Yet more: https://chocolatey.org/packages/openxcom/2021.02.27.1532 https://chocolatey.org/packages/victoria/5.36 https://chocolatey.org/packages/tapaal/3.7.1

pauby commented 3 years ago

Intunewinapputil - https://chocolatey.org/packages/intunewinapputil

TheCakeIsNaOH commented 3 years ago

bluebrick - https://chocolatey.org/packages/bluebrick/1.9.1

ggarra13 commented 3 years ago

mrViewer 5.7.5 was approved with conditions, but v5.7.6 still remains unapproved.

On 9/3/21 at 15:31, TheCakeIsNaOH wrote:

mrViewer - https://chocolatey.org/packages/mrviewer/5.7.6 https://chocolatey.org/packages/bluebrick/1.9.1


TheCakeIsNaOH commented 3 years ago

@ggarra13 Must have missed that version to approve, I've approved it now.

In the future, if that happens, just leave a review comment on the package page and a moderator will pick it up.

mwrock commented 3 years ago

also seeing this with https://chocolatey.org/packages/habitat/1.6.267

TheCakeIsNaOH commented 3 years ago

Here are more: https://chocolatey.org/packages/logstash/7.11.1 https://chocolatey.org/packages/httpmaster-professional/4.8.1 https://chocolatey.org/packages/httpmaster-express/4.8.1 https://chocolatey.org/packages/habitat/1.6.267 https://chocolatey.org/packages/uhe-hive/2.1.0 https://chocolatey.org/packages/uhe-bazille/1.1.1.20210310 https://chocolatey.org/packages/uhe-diva/1.4.4.20210310

UXabre commented 3 years ago

Hi, just chiming in, I have the exact same problem with logstash package

I think my issue is regarding the fact that the date of the server is always 19 February, and the certificate for the endpoint I tried to reach was only valid from 21 February.

Is there a reason why the date is fixed to 19 February? Perhaps others could verify as well if this is the case in fact for their packages?

douglaswth commented 3 years ago

Looking at the logs for all the failures I saw with bluebrick seem to be showing the same thing (2021-02-19 even though it was already March) and it looks like the log entries pasted in this issue have similar timestamps as well!

mkevenaar commented 3 years ago

https://chocolatey.org/packages/elasticsearch/7.11.2

numericalfreedom commented 3 years ago

Dear moderators,

I suddenly have the same issue with my packages ggu-software and ggu-software-international, they are both trusted and up to version 006, everything went absolutely smooth.

Here the response from Chocolatey after pushing my package ggu-software (the pre-requisites are checked with 'curl' or 'wget' adjusting the checksum after download):


chocolatey-ops (reviewer) on 13 Mar 2021 17:36:33 +00:00:

ggu-software has failed automated testing. This is not the only check that is performed so check the package page to ensure a 'Ready' status. Please visit https://gist.github.com/63335e969fd1a69feead8297e20a4aa0 for details. The package status will be changed and will be waiting on your next actions.

Lines 347-357 in the log say:

2021-02-19 12:51:07,527 2112 [DEBUG] - Running Get-WebFile -url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\ggu-software\20.21.007\ggu-softwareInstall.MSI' -options 'System.Collections.Hashtable'
2021-02-19 12:51:07,527 2112 [DEBUG] - Setting request timeout to 30000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting read/write timeout to 2700000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:09,886 2112 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
 at Get-ChocolateyWebFile, C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1: line 345
 at Install-ChocolateyPackage, C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1: line 396
 at , C:\ProgramData\chocolatey\lib\ggu-software\tools\chocolateyinstall.ps1: line 20
 at , C:\ProgramData\chocolatey\helpers\chocolateyScriptRunner.ps1: line 49
 at , : line 1


Please note the wrong DATE of the test server. I remember security exceptions to happen in the web, if the DATE setting on the client is erroneous (wrong BIOS setting for example).

Maybe, an NTP synchronisation of the virtual machine server would be a very simple persistent solution.

Best wishes.

numericalfreedom commented 3 years ago

phraseexpress.install should be also added:

Chocolatey package: chocolatey.org/packages/phraseexpress.install/15.0.84.1 Log: gist.github.com/choco-bot/43f33a84932af4ee0a63386ccb5616db

2021-02-19 12:51:06,402 2284 [DEBUG] - Running Get-WebFile -url 'https://www.phraseexpress.com/PhraseExpressSetup.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\phraseexpress.install\15.0.84.1\PhraseExpress.InstallInstall.MSI' -options 'System.Collections.Hashtable' 
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting request timeout to  30000
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting read/write timeout to  2700000
2021-02-19 12:51:06,434 2284 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:08,746 2284 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.phraseexpress.com/PhraseExpressSetup.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331

no issues manually downloading the file via powershell and generating correct hash

Invoke-WebRequest -Uri https://www.phraseexpress.com/PhraseExpressSetup.msi -OutFile C:\PhraseExpressSetup.msi
Get-FileHash -Path C:\PhraseExpressSetup.msi -Algorithm SHA256
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          84F077781B018C4354BB1DD9D828F610C3528686C149768EF9CABAE6666B6174       C:\PhraseExpressSetup.msi

installs fine in chocolatey test environment: 2021-03-06_23-40-08

The wrong DATE of the test server appears also in Your logs.

UXabre commented 3 years ago

@numericalfreedom, this is because the not before date for the certificate used on https://www.ggu-software.com hasn't occurred yet.

Also, usually, the VM takes over the time of the host, so I'm confused why it actually takes an older date as well...
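Added example, not part of the original thread: a triage pass over Chocolatey verifier log lines that maps each .NET error text quoted in this issue to the stage that failed and measures how far the sandbox clock lags a reference time. The sample lines are abridged from logs quoted above, the reference time is the chocolatey-ops review timestamp quoted in the thread, and the `NOT_BEFORE` value is constructed, modelled on the "21 February" mentioned for one endpoint.

```python
import re
from datetime import datetime

# Chocolatey log line: "2021-02-19 12:51:09,886 2112 [ERROR] - message"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \d+ \[(\w+)\s*\] - (.*)$")

# .NET WebException texts quoted in this thread, mapped to the failing stage.
CAUSES = (
    ("Could not establish trust relationship", "trust"),       # certificate rejected
    ("Could not create SSL/TLS secure channel", "handshake"),  # no version/cipher agreed
    ("An unexpected error occurred on a send", "send"),        # peer closed the connection
)


def classify(message):
    """Return 'trust', 'handshake', 'send', or None for unrelated messages."""
    for needle, label in CAUSES:
        if needle in message:
            return label
    return None


def parse(lines):
    """Return [(timestamp, level, message)], folding continuation lines
    (lines without a timestamp) into the entry they belong to."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append([ts, m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def triage(lines, observed_at, not_before=None):
    """For every TLS failure: its cause, how many days the logged clock lags
    observed_at, and whether the clock is earlier than the certificate's
    notBefore (only meaningful for trust failures)."""
    findings = []
    for ts, _level, message in parse(lines):
        cause = classify(message)
        if cause is None:
            continue
        findings.append({
            "logged": ts,
            "cause": cause,
            "clock_lag_days": (observed_at - ts).days,
            "clock_before_not_before": (
                cause == "trust" and not_before is not None and ts < not_before),
        })
    return findings


# Abridged from the ggu-software and pspad logs quoted in this issue.
SAMPLE_LOG = '''\
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:09,886 2112 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:51:06,308 2076 [INFO ] - Attempt to get headers for https://www.pspad.com/files/pspad/pspad505en.zip failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
'''.splitlines()

REVIEWED_AT = datetime(2021, 3, 13, 17, 36, 33)  # review timestamp quoted in the thread
NOT_BEFORE = datetime(2021, 2, 21)               # constructed value (assumption)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, REVIEWED_AT, NOT_BEFORE):
        print(finding)
```

A large `clock_lag_days` together with `clock_before_not_before` points at the verifier's clock rather than at the download site's certificate.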

numericalfreedom commented 3 years ago

This is a hot track, could explain the sudden series of difficulties with different packages with same sort of problem.

chtof commented 3 years ago

https://chocolatey.org/packages/sublimemerge/0.0.2049

https://gist.github.com/e5c649be53a713b65dc6d240ec8b8fd4:


2021-02-19 12:51:07,105 2112 [DEBUG] - Running Get-WebHeaders -url 'https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe' -ErrorAction 'Stop' 
2021-02-19 12:51:07,121 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:07,121 2112 [DEBUG] - Request Headers:
2021-02-19 12:51:07,169 2112 [DEBUG] -   'Accept':'*/*'
2021-02-19 12:51:07,169 2112 [DEBUG] -   'User-Agent':'chocolatey command line'
2021-02-19 12:51:08,496 2112 [INFO ] - Attempt to get headers for https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

numericalfreedom commented 3 years ago

The date setting in the test server must be corrected and all package maintainers can try to repush the packages that have failed in the second triage phase.

numericalfreedom commented 3 years ago

The issue can be closed, correct packages work again fine, Best regards to all Administrators, Moderators and Maintainers in Chocolatey !!! NandorTamaskovics @numericalfreedom.com

UXabre commented 3 years ago

Is it actually fixed? Or is it simply a new image of the buildserver, with a fixed date and thus problems will arise from, for instance, tomorrow onward?

pauby commented 3 years ago

@numericalfreedom The underlying issue hasn't been resolved. As @UXabre said, a new instance of the sandbox was created. That's a short term fix for some of these issues, not all of them.

Longer term this is being worked on.

numericalfreedom commented 3 years ago

@pauby My packages work again correctly for the moment again and I hope, that the date error does not return. Establishing a secure connection remains a tricky topic, anyway.

TheCakeIsNaOH commented 3 years ago

Some are working now, but I found a package that is still not working, probably due to cipher suite incompatibility.

https://chocolatey.org/packages/electron-cash.install/4.2.4 https://chocolatey.org/packages/electron-cash/4.2.4

Hakker commented 3 years ago

My package gives the same error for package https://chocolatey.org/packages/potplayer/ https://gist.github.com/choco-bot/d71c6c5ec7c62522880bdacf100296e4

021-03-17 13:08:40,897 2148 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.hakkah.net/potplayer/PotPlayerSetup64-210318.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."

I need to use a mirror because the dev seems to use his download location with a daily build, hence CRC checks fail roughly every other day, and yet his release cycle is probably once a month to once every other month. The weird thing is the log always shows the same time when trying to verify it. I tried it today and the log still says 17th of March.

adrianinsaval commented 3 years ago

octave.install still can't be downloaded: ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send." The install of octave.install was NOT successful.

gothicserpent commented 3 years ago

I have the same issue as above:

Paste is here: https://pastebin.com/kEattzZ8

Error line for me is as above:

Attempt to get headers for https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe failed. The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."

overag3 commented 3 years ago

issue with octave.install package may be due to this line ? https://github.com/chtof/chocolatey-packages/blob/5778bd14894ef6d87195e948656c5bd2a49d7cdf/automatic/octave.install/tools/chocolateyinstall.ps1#L4

pauby commented 3 years ago

issue with octave.install package may be due to this line ?

On a related question, why is that line in there.

overag3 commented 3 years ago

No idea, ask to maintainer @chtof

pauby commented 3 years ago

@overag3 That was a rhetorical question and not aimed at you 😄

penguin359 commented 3 years ago

I have root caused the issue with octave.install and evga-flow-control. The chocolateyinstall.ps1 scripts for both packages were explicitly forcing TLS 1.1 in the installer and PowerShell/.NET was failing to connect to the mirrors as those sites were rejecting anything older than TLS 1.2. After removing those lines and rebuilding the packages, they installed without issue. I have a pull request with the appropriate fix here:

https://github.com/chtof/chocolatey-packages/pull/42

The issue is in the downstream package install script and not in Chocolatey.

pauby commented 3 years ago

@penguin359 Thanks for taking the time to troubleshoot and fix this!

penguin359 commented 3 years ago

Besides the two packages I fixed in @chtof 's repo, I am not seeing any other issues with other packages when I try to install them in my Windows 10 environment so I think that is a separate issue where the testing environment itself is using incompatible TLS versions or limited cipher support. I do not have any Windows Server 2012 R2 systems myself, but I did see that I might be able to use one through AppVeyor.

Several of the other sites I tested did fail when I used TLS 1.1, but all that I tested still supported TLS 1.2. I used this command to help test from an Ubuntu WSL environment:

openssl s_client -connect cdn.evga.com:443 -tls1_2

Changing the last argument to -tls1_1 caused a connection to be dropped immediately. I did see this update for Windows Server 2012:

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

flcdrg commented 3 years ago

Package https://community.chocolatey.org/packages/sourcemonitor/3.5.16 failing with "Could not create SSL/TLS secure channel" error.

Site seems to support TLS 1.2 and 1.3, though looking through earlier posts, it seems like the 1.2 ciphers aren't ones listed for 2012


TheCakeIsNaOH commented 3 years ago

https://community.chocolatey.org/packages/trillian/6.5.0.17

TheCakeIsNaOH commented 3 years ago

https://community.chocolatey.org/packages/qap/11.4

flcdrg commented 2 years ago

https://community.chocolatey.org/packages/termius/7.22.1

flcdrg commented 2 years ago

https://community.chocolatey.org/packages/SqlToolbelt/2022.01.10

flcdrg commented 2 years ago

https://community.chocolatey.org/packages/dell-system-update/1.9.3.0

chtof commented 2 years ago

https://community.chocolatey.org/packages/automouseclick/99.1.4.20220416 ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.murgee.com/auto-mouse-click/download/setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."