MacOS: SSL Error during "Querying URLs" stage of installation

[Schillaci767]

I am a mac user, and after I select the path for the installation on the cross-platform installer, I am getting this as an error message:

07th Mod - Install failed due to error: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>

I'm not sure what it means. Let me know if there is anything I can do, thank you!

[drojf]

hi, which version of MacOS are you using?

[drojf]

If you could provide your install logs in the install_data\LOGS folder, that would be useful too.

[Schillaci767]

wow, that was a quick response, I am using Sierra version 10.12.6

[drojf]

Also if you're using some sort of proxy or VPN, that can sometimes interfere. You might be using a proxy unknowingly if you're at a business or school.

[Schillaci767]

I'm at home, and I don't often mess around with my network so I don't think it is a proxy or a VPN but Im not 100% sure. Here is a zip file with the install logs:

07th-mod-logs.zip

[drojf]

This won't fix the issue properly, but will at least let you install the game (assuming you downloaded the v0.0.44 installer - version is displayed at bottom of the screen of each page).

1. Download this zip: main.zip
2. Extract it, giving you two files: main.py and installData.json
3. Open the install_data folder in the installer, and replace the main.py and installData.json. with the above two files
4. Run the installer again.

Again, this is just a workaround - if you download another installer a month in the future doing this might not work.

(We made some changes to the umineko installer just today, it would be great if you could confirm the voices work properly after it installs, assuming it works)

[drojf]

For developers only

See this issue: https://github.com/kennethreitz/requests/issues/3340
And this issue: https://superuser.com/questions/1092508/sslv3-alert-handshake-failure-ssl-c590

You can verify which TLS/SSL our server supports here: https://www.cdn77.com/tls-test (and type in 07th-mod). Our server doesn't support SSL, only TLS (which is normally a good thing, see https://disablessl3.com/).

The reason the installer gets past the 'check connection with server' stage is because the server check uses a non-secure http:// connection, not https://. We could either add instructions on how to update their SSL version, or just use insecure links if the user enables it :S. Could also allow SSL on the 07th mod server

Another way around it would be to use aria2c (or some other 3rd party tool) to query the URLs on MacOS. I'm not sure how to do that.

@TellowKrinkle

[Schillaci767]

When I look into the install_data folder in the 0.0.44 installer I see a main.py file that I can replace but I don't see a installdata.json file to replace. Let me know if I should be seeing one or if there is some other file I may have to replace. Thank you so much for all the help, andI will be sure to let you know how the voices are working!

[drojf]

sorry, you are correct. Just put the installData.json in there - it shouldn't replace anything -_-

[Schillaci767]

Alright! I got it downloaded by following your instructions, and everything looks great ADV mode was exactly what I was looking for, and the voices sound clear and beautiful!!! Thanks again!!

[drojf]

No problem! Please leave this issue open as we haven't actually resolved the issue yet (for the developers). You can press 'ignore notifications on the right' if you don't want further messages on this post

[TellowKrinkle]

We shouldn't need to enable SSLv3

Here is GitHub's SSL support (which they are able to use)
And here is ours (which has a handshake failure for OpenSSL 0.9.8)

It looks like we just need to support one of the cipher suites listed here, GitHub ends up using TLS_RSA_WITH_AES_128_CBC_SHA

[drojf]

I had a quick look into it and...I have no idea what I'm doing.

Also, in the 'ours' link, it states Cloudflare rather than our website. I'm not sure if I don't understand it correctly, but if it is Cloudflare serving the files (edit: or doing the authentication) then I don't know if we can change what ciphers it supports. Here is cloudflare's page about what ciphers it supports: https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support

If it's our server we should be able to do something about it ... but I don't know how to do it.

@ItaloKnox is this something you know how to do or are familiar with?

---

Currently the only 'important' urlopen calls are used to get the true filename of each URL (so we know what order to extract the files, whose names may be different to the URLs, at the extraction stage). If we can get around that then we don't need to use urlopen at all. The initial download of the installData.json can be done using aria2c as well.

edit: another way around that would be to re-check the directory after each file is downloaded, and see which files appeared.

cURL has a flag which lets you specifically download just the headers, which we could use (if we distribute our own, self-contained cURL binary).

Again, this is just another alternative - fixing it the other way by just enabling the cipher is way easier.

[TellowKrinkle]

Actually since we just need this to get filenames I don't see any reason we need HTTPS, we can just make it swap the URLs to HTTP on old openssl versions

[drojf]

I thought about that a little bit before - for some reason I thought it would be a problem because the redirect link could be malicious, but since we don't even use the redirect URL afterwards (we make aria2c re-query the URL from scratch) it's not a problem.

I'll try implementing it since it seems easy enough. I guess I'll do something like:

1. Modify the initial query on startup of the 07th-mod server to be HTTPS. If it passes, proceed as normal.
2. If the query fails, then try again using the HTTP url. If it passes, then activate 'old OpenSSL mode'. If it fails, assume no connection with the 07th mod server and show an error.
3. Use the previously set mode to determine how the URLs will be queried.

[TellowKrinkle]

I'm setting it up