Error when checking for update with next snapshot #4803
Comments
Comment 1 by PZajda on 2015-01-14 12:41 |
Comment 2 by briang1 on 2015-01-14 13:21 |
Comment 4 by msuch (in reply to comment 2) on 2015-01-14 13:35 Replying to briang1:
|
Comment 5 by briang1 (in reply to comment 4) on 2015-01-14 14:21
OK it has something to do with Windows 7's annoying security regime by the looks of it. On the Windows 7 machine it will also fail as a portable version though, which I find a bit strange as none of NVDA is then in a protected area. |
Comment 7 by nvdakor on 2015-01-14 18:15 |
Comment 8 by jteh on 2015-01-14 23:24 What happens if you go to https://www.nvaccess.org/ with your browsers? Do you get a security warning? |
Comment 9 by nvdakor on 2015-01-14 23:27 |
Comment 10 by nvdakor on 2015-01-15 01:20 |
Comment 11 by jteh on 2015-01-15 01:31 |
Comment 12 by tspivey on 2015-01-15 01:43
Provide the issuer chain on your end, and it should start working. |
Comment 13 by nvdakor on 2015-01-15 01:54 |
Comment 14 by nvdakor (in reply to comment 12) on 2015-01-15 02:00
I guess the following page confirms this: |
Comment 15 by jteh (in reply to comment 12) on 2015-01-15 02:56
Oddly, I didn't have this issue in Firefox. However:
Now done. Thanks. I wonder if this will fix the issue with updates, although I don't think so. |
Comment 16 by jteh on 2015-01-15 03:02 |
Comment 17 by jteh on 2015-01-15 03:33 |
Comment 18 by nvdakor on 2015-01-15 04:15 |
Comment 19 by briang1 on 2015-01-15 08:02 As I have said already, I've seen odd messages like this when being redirected from other download sites, but often a retry seems to work, but I never connected it to certificates before. |
Comment 20 by k_kolev1985 on 2015-01-15 09:25 |
Comment 21 by PZajda on 2015-01-15 09:47 Updating seems to work fine now for me too, I had an update today (next-11486,57a75e4) and everything worked fine. When I go to https://www.nvaccess.org/ I have no warning, I am only redirected to http://www.nvaccess.org. I use Firefox 35.0 on Windows 7. |
Comment 22 by jteh on 2015-01-15 11:41 As noted in comment:17, I can now reproduce this and am trying to find a solution. |
Comment 23 by jteh on 2015-01-15 12:16 In addition, it looks like OpenSSL has a bug whereby validation will fail if the root certificate is included in the chain provided by the server. See this thread for details. This one is easy enough to fix and I've just done so on the server. |
Comment 24 by jteh on 2015-01-15 12:24 |
Comment 25 by msuch (in reply to comment 24) on 2015-01-15 16:29
|
Comment 26 by PZajda (in reply to comment 25) on 2015-01-15 16:51
The issue is back for me too, I cannot check for update, but I still can access the HTTPS link with Firefox or Internet Explorer. |
Comment 27 by nvdakor on 2015-01-15 19:33 |
Comment 28 by briang1 on 2015-01-15 19:56 |
Comment 29 by briang1 (in reply to comment 22) on 2015-01-15 20:07
So just to be clear, this has to be in IE, not in Firefox, as it's Firefox I have as default browser in the 7 machine. |
Comment 30 by jteh (in reply to comment 29) on 2015-01-15 22:31
Yes. Firefox uses its own certificate validation framework. IE uses the Windows framework, which is what Python uses for certificates (though Python doesn't trigger automatic download/installation of new certificates). |
Comment 31 by brandon15 on 2015-01-16 00:30 Is it confirmed that this is a Python issue, and not with a snapshot itself? Also, I got an untrusted connection warning when trying to load the https page into Firefox. I didn't try it with IE. Is this the problem? I used to be able to at least check for updates when we were using this https, I think, but at the time it said there were no updates available, so I don't know whether downloading would work. That was last night when I got it to work, but a few hours before that I had gotten this error. This is on a Windows 8.1 machine 64 bit with 12 GB of RAM. |
Comment 32 by jteh (in reply to comment 31) on 2015-01-16 01:13
Well, it's a Python deficiency, but we're going to need to work around it or revert this change.
Apparently, I messed up yesterday when recreating the certificate. I've fixed this now. Also, it seems the second part of comment:23 doesn't affect us for some reason. On a system with all the correct certificates, it just works. |
Comment 33 by brandon15 on 2015-01-16 01:14 Interestingly, I tried it again now, and it worked, about 40 minutes after my posting of the last comment. I don't know if that has anything to do with it. |
Comment 34 by brandon15 (in reply to comment 32) on 2015-01-16 01:19
If we revert the change, then won't we run the risk of users getting infected copies of NVDA?
|
Comment 35 by jteh (in reply to comment 34) on 2015-01-16 03:18
Yes. However, this was always the case. Also, it's worth noting that man-in-the-middle (MITM) attacks aren't trivial to pull off. An attacker has to have control of at least one point between you and our server. It's important that we improve this, but if users stop being able to get updates at all, that isn't an acceptable fix. |
Comment 36 by James Teh <jamie@... on 2015-01-16 07:11
|
Comment 37 by James Teh <jamie@... on 2015-01-16 07:11
Changes:
|
… systems. Windows fetches trusted root certificates on demand, but Python doesn't trigger this. Therefore, when verification fails, try to trigger a root cert update ourselves and then retry the update check. Re #4803.
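The fallback described in the commit message above (on a verification failure, trigger a root certificate update and retry the check), as an added Python 3 example that is not NVDA's own code. The names `check_for_update`, `fetch_verified` and `refresh_roots` are assumptions; `refresh_roots` is a hypothetical hook standing in for the platform-specific step, and the simulated fetch and URL are constructed.

```python
import ssl
import urllib.error
import urllib.request


def is_cert_verify_failure(exc):
    """True only for certificate-chain failures, not DNS, timeout or refused errors."""
    # urllib wraps handshake errors in URLError; the SSL error is in .reason.
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        return True
    return isinstance(reason, ssl.SSLError) and "CERTIFICATE_VERIFY_FAILED" in str(reason)


def fetch_verified(url, timeout=30):
    """HTTPS GET with chain and hostname verification left on."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def check_for_update(url, fetch=fetch_verified, refresh_roots=None):
    """Fetch url; on a verification failure refresh roots once and retry.

    refresh_roots is a hypothetical hook for the platform-specific step that
    asks the OS to fetch missing trusted roots. The retry is still verified,
    so a second failure propagates and the update check fails closed.
    """
    try:
        return fetch(url)
    except OSError as exc:  # URLError and ssl.SSLError both derive from OSError
        if refresh_roots is None or not is_cert_verify_failure(exc):
            raise
    refresh_roots(url)
    return fetch(url)


if __name__ == "__main__":
    # Constructed simulation: the first attempt fails as in the reported traceback.
    state = {"roots_ok": False}

    def fake_fetch(url):
        if not state["roots_ok"]:
            err = ssl.SSLError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed")
            raise urllib.error.URLError(err)
        return b"version: constructed-sample"

    print(check_for_update("https://updates.example.invalid/check", fake_fetch,
                           lambda url: state.update(roots_ok=True)))
```

The retry never switches to an unverified context, so the concern raised in comment 34 about tampered downloads is not reintroduced by the fallback.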
Reported by PZajda on 2015-01-14 12:39
Hi,
Since HTTPS has been implemented for updates in next snapshot, it is not possible to check for update anymore.
It seems there is an SSL error:
DEBUGWARNING - updateCheck.AutoUpdateChecker._bg (13:32:05):
Error checking for update
Traceback (most recent call last):
  File "updateCheck.pyc", line 103, in _bg
  File "updateCheck.pyc", line 70, in checkForUpdate
  File "urllib.pyc", line 87, in urlopen
  File "urllib.pyc", line 213, in open
  File "urllib.pyc", line 443, in open_https
  File "httplib.pyc", line 997, in endheaders
  File "httplib.pyc", line 850, in _send_output
  File "httplib.pyc", line 812, in send
  File "httplib.pyc", line 1216, in connect
  File "ssl.pyc", line 350, in wrap_socket
  File "ssl.pyc", line 566, in __init__
  File "ssl.pyc", line 788, in do_handshake
IOError: socket error CERTIFICATE_VERIFY_FAILED certificate verify failed (_ssl.c:581)
Snapshot version: next-11478,349a1b9
Regards.
Blocked by #4716