"Fatal error: The TLS connection was non-properly terminated" after adding Marmalade repo

[itsjeyd]

When I do M-x list-packages RET after enabling the Marmalade repo, I get the following output in *Messages*:

Importing package-keyring.gpg...done
Contacting host: elpa.gnu.org:80 [2 times]
Contacting host: marmalade-repo.org:443
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated.

Running package-refresh-contents instead of list-packages produces the same result.

Steps to reproduce:

1. Start Emacs via emacs -Q.

2. Evaluate:

   (require 'package)
   (add-to-list 'package-archives
               '("marmalade" . "https://marmalade-repo.org/packages/") t)

3. M-x list-packages RET
4. C-h e to see full output in *Messages* buffer.

---

Specs:

• GNU Emacs 24.4.1 (x86_64-unknown-linux-gnu, GTK+ Version 3.14.3)
• gnutls 3.3.9-1

[nicferrier]

Yeah. I've had this from one other user so far. This was the packaged emacs, right?

I think it works. I'm not sure where the message is coming from. I am investigating.

[nicferrier]

This is causing package uploads and downloads to fail.

[bremner]

I have the same symptoms with gnutls 3.3.8-3 on Debian testing.

[nicferrier]

And here's another report from a user trying to upload: http://hastebin.com/raw/weqazocuyi

[groks]

Same problem:

emacs-24.4-2.fc21.x86_64
gnutls-3.3.10-1.fc21.x86_64
(fedora 21 beta)

Running:

gnutls-cli-debug -V -d 100 marmalade-repo.org

...shows no actual errors, bot both this and https://www.ssllabs.com/ssltest/analyze.html?d=marmalade-repo.org indicate that session caching is disabled, which seems like an odd configuration.

[arnested]

Seeing the same problem here:

• GNU Emacs 24.4.1 (x86_64-apple-darwin14.0.0, Carbon Version 157 AppKit 1343.16) (Yamamoto Mitsuharus Mac port)
• gnutls 3.3.10

[cristobalito]

Same problem on Windows using installation instructions as per marmalade-repo.org homepage. Downloaded gnutls-3.3.11-w32.zip from gnutls.org. Using chocolatey install of emacs (GNU Emacs 24.4.1 (i686-pc-mingw32) of 2014-10-24 on LEG570)

Thankfully, this doesn't seem to stop package-list-packages or installing from marmalade.

[nicferrier]

Hum.

We've been able to get Debian to work. I've never seen the problem on a Mac, that's new to me. Windows should work if you set the TLS stack up as per the details.

So there's lots of variation here.

Just to confirm, has everyone tried using just HTTP for the archives?

[bremner]

Nic Ferrier notifications@github.com writes:

Hum.

We've been able to get Debian to work. I've never seen the problem on a Mac, that's new to me. Windows should work if you set the TLS stack up as per the details.

So there's lots of variation here.

Just to confirm, has everyone tried using just HTTP for the archives?

HTTP access (forwarded to https?) to marmalade seems to for me from Debian, although I still get the message

gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated.

[nicferrier]

Yeah, I don't know why that error happens. When you change the source to HTTP you're avoiding the most egregious Emacs bug. Everything except the initial request is done with tls. I don't know why the error message happens. I still haven't had time to trace the problem.

FWIW I'm convinced it's with the rewrite of the package code which was unnecessary as it was flawed.

[paweldrozanski]

Hello, I can report that the problem occurs using both HTTP and HTTPS protocols in debian testing. I've been using Ubuntu 14.10 recently with emacs and the problem didn't occured. Ubuntu has package with version: 3.2.16-1ubuntu2.1. Maybe installing that version of gnutls-bin can help? But it can be wrong idea acording to that gnutls is a security package.

[nicferrier]

It's very odd. I am still trying to narrow it down. I just don't have much time in which to do it.

[nicferrier]

It's very frustrating. I've made http://marmalade.ferrier.me.uk for those of you experiencing this problem

This obviously compromises the https but I can't see another way right now.

[Profpatsch]

Same problem, but packages seem to update.

[Knusper]

I experience the same bug - Emacs 24.4.1 on opensuse 12.3.

(Adding to the confusion - I get this error - but installation and updating of packages works)

[dschrempf]

I also experience this bug - Emacs 24.4.1 on Arch Linux.

[pw4ever]

Ditto: fully updated ("pacman -Syu") Arch LInux, GNU Emacs 24.4.1

Linux xxxx 3.18.2-2-ARCH #1 SMP PREEMPT Fri Jan 9 07:37:51 CET 2015 x86_64 GNU/Linux

[AndreaCrotti]

Yeah also have the same problem, Emacs 24.4.1 on Archlinux and 3.18 kernel

[voobscout]

Occurs both with http and https... gnutls 3.3.12 Arch Linux kernel version 3.18.6-1-ARCH GNU Emacs 24.4.1 (x86_64-unknown-linux-gnu, GTK+ Version 3.14.7) of 2015-01-17 on bisson

[gavenkoa]

Have same error on Debian Sid. After some time Emacs crashed.

Updating libgnutls packages fix error:

$ tail /var/log/apt/history.log
Start-Date: 2015-02-19  19:00:54
Upgrade: libgnutls-deb0-28:i386 (3.3.8-3, 3.3.8-5), libgnutls26:i386 (2.12.20-1, 2.12.23-18), libgnutls-openssl27:i386 (2.12.20-1, 3.3.8-5)
End-Date: 2015-02-19  19:01:00

[kzar]

I'm also getting this error trying to refresh the package list. Running Emacs 24.4.1 on Ubuntu 14.04 with 3.13.0-45-generic kernel.

[tom10d]

I also get this error with GNU Emacs 24.4.1 (i686-pc-mingw32) I get NO errors with GNU Emacs 24.3.1 (i386-mingw-nt6.1.7601) Same gnutls was used in both instances: gnutls-3.3.12-w32

I also get NO errors with: http://sourceforge.net/projects/emacsbinw64/ (it comes with its own gnutls)

[nicferrier]

Anyone who wants the secret "no ssl" version of marmalade please mail me privately. Clearly this is not an issue that is going to be fixed quickly.

More diagnostic information that is interesting: marmalade is hosted in a docker with emacs 24.3.1. Maybe for some people that makes a difference. I talk to it all the time with marmalade 24.4.1 though with libgnutls26 which is from package libgnutls26:amd63 - 2.12.23-12ubuntu2.1

So perhaps it's a problem with gnutls 3

[kzar]

OK it turned out I couldn't upgrade packages because for some reason the ~/.emacs.d/elpa and ~/.emacs.d/var directories were owned by root. I chowned to my user and now it works again. It turns out the TLS errors were not causing the problem after all! (They still show up.)

[deepfire]

Go amd63, go! Let's see how far down it can get, just 31 more to regress to 32 bits.. : -)

[alphapapa]

Just built and installed Emacs 24.4 on Ubuntu Trusty and am getting this error. Can't even do list-packages. Package management is completely non-functional because of this error. :(

Overriding package-menu--print-info with paradox--print-info
Overriding package-menu--generate with paradox--generate-menu
Overriding truncate-string-to-width with paradox--truncate-string-to-width
Overriding package-menu-mode with paradox-menu-mode
Contacting host: raw.github.com:443
Contacting https://api.github.com/user/starred?per_page=100
Importing package-keyring.gpg...done
Contacting host: elpa.gnu.org:80
Contacting host: marmalade-repo.org:80 [2 times]
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated.
Contacting host: melpa.milkbox.net:80
paradox--package-star-count: Wrong type argument: listp, ‹
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated. [2 times]

libgnutls26:
  Installed: 2.12.23-12ubuntu2.1

[nicferrier]

It sucks. I'm really sorry. It doesn't affect the http version though does it?

[e-monson]

Same error message here. Emacs 24.4 on Fedora 21. It doesn't seem to have an effect for me, though.

[alphapapa]

I'm sorry, I discovered that the problem I was having was not caused by these errors. These errors started happening when I upgraded to Emacs 24.4, but they don't seem to cause any actual problems, they just show the error message in the minibuffer.

[tshemeng]

Same here Emacs 24.5.1 on Ubuntu 15.10 I build emacs from source

[alip]

Same here. I don't use Emacs.

[papachan]

Same error here with archlinux and emacs 24.5.1.

i just replace marmelade default package url ( https://marmalade-repo.org/packages/ ) by the http version http://marmalade.ferrier.me.uk and it work fine.

[ghost]

Same error here, Ubuntu 15.04. Works fine on Debian Jessie.

I've not been able to use the provided alternate url; package refresh simply fails with

Contacting host: marmalade.ferrier.me.ukarchive-contents:80
Failed to download `marmalade' archive.

In my .emacs I have:

(add-to-list 'package-archives '("marmalade" . "http://marmalade-repo.org/packages/"))

[nofxx]

Same... Archlinux/emacs 24.5

[bsed]

what can i do for vim's of this question

Downloading bin/fzf ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   603    0   603    0     0     77      0 --:--:--  0:00:07 --:--:--   183
  0     0    0     0    0     0      0      0 --:--:--  0:00:34 --:--:--     0curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

[AntJanus]

Archlinux 24.5.1, same thing. Alternate URL doesn't work either :(

Strangely enough, it works on my Windows 10 install!

[flowsta]

Same error on GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, GTK+ Version 3.18.5) of 2015-11-27 on trouble, modified by Debian

[TheColourOutOfSpace]

Firefox knows the CA for marmlade-repo.org, GnuTLS however does not. That is what caused the error on my system. You can check this by executing gnutls-cli marmalade-repo.org in the shell. See if it outputs the line

- Status: The certificate is NOT trusted. The certificate issuer is unknown.

If so, you can use GnuTLS in --tofu mode (trust on first use). Run gnutls-cli --tofu marmalade-repo.org to store the server key in _.gnutls/knownhosts. Add

(if (fboundp 'gnutls-available-p)
    (fmakunbound 'gnutls-available-p))
(setq tls-program '("gnutls-cli --tofu -p %p %h")
      imap-ssl-program '("gnutls-cli --tofu -p %p %s")
      smtpmail-stream-type 'starttls
      starttls-extra-arguments '("--tofu")
      )­

to your .emacs (found this here Certificate Pinning for GNU Emacs).

Now you can use Marmalade.

[groks]

This looks like a new and different error. The certificate itself is fine but there's only one - there should be a bundle including any intermediate certificates to chain back to one that will be in a browser's trust store:

https://www.ssllabs.com/ssltest/analyze.html?d=marmalade-repo.org

How to decide which certificates to include in the bundle:

https://blog.cloudflare.com/introducing-cfssl/

[hjfreyer]

Also affected on Arch. If this is a server-side config error, should a new bug get opened? Do the marmalade-repo.org admins monitor this repo?

[AidanDelaney]

I can confirm that @TheColourOutOfSpace's suggested solution using gnutls-cli --tofu marmalade-repo.org works for me to resolve this issue.

[amelio-vazquez-reina]

I am having this same problem when trying to connect from OS X, using gnutls 3.4.9 with GNU Emacs 24.5.1. The solution of running gnutls-cli --tofu marmalade-repo.org and then adding the .emacs snippet did not work for me.

[PI-Victor]

was this issue ever fixed? or is there any proposed workaround. for me none of the repos load, not just marmelade.

[amelio-vazquez-reina]

@PI-Victor The only solution I found was to install from HEAD:

brew install emacs --HEAD--with-cocoa --with-gnutls --with-librsvg --with-imagemagick

Once I did that everything worked well.

[sorpaas]

+1

[neildeshpande]

+1

Complete emacs newbie. I am using emacs 24.5 with the spacmacs config on OS X. I see this in the messages buffer:

Contacting host: melpa.org:443 gnutls.c: 0 fatal error: The TLS connection was non-properly terminated.

Not sure if it did any damage.

[shivshankardayal]

Same problem with repo Emacs 24.5.1 on Ubuntu 16.04 x86_64.

[toupeira]

@nicferrier check the SSL Labs link from the comment by @groks, the server is indeed missing an intermediate certificate (and running a vulnerable OpenSSL version). openssl s_client -connect marmalade-repo.org:443 fails as well so I don't think it's related to GnuTLS.

Feel free to contact me privately if you need any help, you might also want to switch to LetsEncrypt while you're at it :)

[guboi72]

Same with repo Emacs 24.5.1 with Ubuntu 16.04 x86_64

[ojab]

Anyone who has the issue can use https://ojab.ru/marmalade/ in the meantime, it just proxying requests to the https://marmalade-repo.org/packages, i. e.:

 location '/marmalade' {
   rewrite ^/marmalade/(.*) /packages/$1 break;
   proxy_pass https://marmalade-repo.org;
  }

but has proper ssl/tls config.