elixir-websetup does not follow HTTP to HTTPS redirect for ELIXIR|ERLANG_CSV_URL and has limited TLS support

Question

elixir-websetup does not follow HTTP to HTTPS redirect for ELIXIR|ERLANG_CSV_URL and has limited TLS support

jwtb opened this issue 7 years ago · 8 comments

Trying to install current elixir with elixir-websetup.exe (per https://elixir-lang.org/install.html) on Win7 host.

Problems noticed:

installer fails with: Error: Downloading http://elixir-lang.org/elixir.csv failed. Setup cannot continue.

ElixirWeb.iss has URLs defined:

#define ELIXIR_CSV_URL 'http://elixir-lang.org/elixir.csv'
#define ERLANG_CSV_URL 'http://elixir-lang.org/erlang.csv'

it looks like the code:
if not idpDownloadFile('{#ELIXIR_CSV_URL}', GlobalElixirCSVFilePath) then ...
fails to follow HTTP redirect from http://elixir-lang.org/... to https://elixir-lang.org/...
No connection is seen to https site (verified with Wireshark)

with the help of local etc/hosts for fake elixir-lang.org and locally hosted *.csv files (just quick hack),
one can allow elixir-websetup.exe to get CSV files and make some progress.

Unfortunately it next fails to download elixir release from https://github.com/elixir-lang/elixir/releases/...
Wireshark shows failed TLS handshake; it looks like inno-download-plugin used by installer supports TLSv1.0 and SSLv3.0 only and github wants TLSv1.2 (https://www.thesslstore.com/blog/deprecation-tls-1-0-1-1-underway/)

Limited TLS versions support will affect https://elixir-lang.org connectivity when HTTP redirect is fixed (problem 1 above)

Warning: I have no experience with Inno Setup code and I don't know inno-download-plugin - it's just cursory analyses of failed installation.

Answer 1 · 2018-07-06T21:18:33.000Z

Thanks @jwtb! I have tried this on a Windows VM and the installer worked fine, so there are definitely external factors at play. If somebody could send a pull request, it would definitely be appreciated.

Answer 2 · 2018-07-06T21:38:33.000Z

@josevalim Windows 7 or 10? Also sometimes the VMs provided by Microsoft are weird and work properly compared to commercial versions of windows.

Answer 3 · 2018-07-06T21:42:41.000Z

Windows 10. If there is a Windows 7 VM I could try it on please let me know and I will gladly do it.

Answer 4 · 2018-07-07T03:16:16.000Z

@josevalim I can give you remote access to one? Teamviewer, rdp, or vnc choose your poison.

Answer 5 · 2018-07-07T08:25:29.000Z

@vans163 that would be nice although I am afraid that, after I reproduce it, there isn't much I can do to move forward. I can try though.

Did you try downloading a new version of the inno-download-plugin and rebuilding the installer to see if it fixes the issue? If it is a certificate issue, then it should be a matter of bundling the most recent SSL certificates and ciphers.

Answer 6 · 2018-07-12T16:28:34.000Z

Thanks to @josevalim, @vans163 discussion I decided to look at the issue again. It forced me to think a bit. I should perform the test with another Windows instance - was too lazy, my fault.

It took me some time to google/read inno-download-plugin code. Long story short:

The problem is related to Windows/IE settings, inno-download-plugin is using WinINet API (HttpOpenRequest/HttpSendRequest)
https://docs.microsoft.com/pl-pl/windows/desktop/WinInet/portal
regarding TLSv1.2 support (initial report - problem 2) - one can read
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
In my case it was 'poor' value of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\SecureProtocols (was 0xA0, changed to 0xA80 to fix TLSv1.2 issue)
regarding HTTP -> HTTPS redirect (initial report - problem 1), it was settings of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\WarnonZoneCrossing (was 0x1, changed to 0x0 to fix HTTP->HTTPS redirect issue)

The best part for regular users is that we may change Advanced settings in IE Internet Options, no messing in the registry:

enable TLSv1.2 usage
disable "warn if changing between secure and non secure mode"
(my native lang version suggests it applies to HTTPS->HTTP redirection only; as we see, it affects both directions)

After the changes elixir-websetup.exe works again. As happens the solution is easy once we know it.
I guess my 'bad' IE settings were related to Windows installation history/patches/etc. I'm not using IE.

I assume the issue may be closed, but it would be good to see fix reports from other affected users.

Answer 7 · 2018-07-12T18:13:33.000Z

Thank you so much @jwtb for the follow up! We will leave it open as it may help others!

Answer 8 · 2022-01-30T19:39:59.000Z

With Version 2.2 we now use the HTTPS URL directly, which should address the redirect issue. This is a new release in quite some time and since then, IDP has been dormant and more importantly Inno Setup now natively supports downloading files. The documentation claims it can traverse proxies. So at some point I'll update our implementation to use the now download support for a v3.0 release, ideally before the TLS 1.1 deprecation.