TLS SNI problem on OS X

Ask for help and report issues with the Mac OS X version of Transmission
Crank
Posts: 11
Joined: Sun Mar 20, 2016 6:22 pm

Re: TLS SNI problem on OS X

Post by Crank » Tue Mar 22, 2016 9:30 pm

mike.dld wrote: As I presume you have libcurl installed via homebrew as well, you could try rebuilding it to use the new openssl (if you didn't do that yet) and make T use it, and see if that helps:

Code:

$ brew reinstall curl --with-openssl
$ otool -L /usr/local/opt/curl/lib/libcurl.4.dylib
(confirm that it depends on /usr/local/opt/openssl/lib/... libraries)
$ env DYLD_LIBRARY_PATH=/usr/local/opt/curl/lib /Applications/Transmission.app/Contents/MacOS/Transmission
That works! OK, now the question is: how can I fix this issue permanently without starting T in the terminal?
And what's the best way to fix this problem on other OS X systems (the way above)?

mike.dld
Transmission Developer
Posts: 275
Joined: Wed Dec 25, 2013 10:56 pm

Re: TLS SNI problem on OS X

Post by mike.dld » Wed Mar 23, 2016 7:22 am

As far as I could tell looking into the libcurl source code, the SChannel (Windows) and DarwinSSL (OS X) backends disable the use of the TLS SNI extension unless `verifyhost` is enabled in the SSL context; all other backends don't care and could perform SNI validation regardless (hence OpenSSL works). T in turn only enables this option if the TR_CURL_SSL_VERIFY environment variable is set (which is not the default), probably because there are lots of self-signed and otherwise invalid certificates out there and validating them will give "Could not connect to tracker" errors (what a coincidence).

Since we now have Let's Encrypt and getting a valid certificate is free and not at all hard, switching the default is something to think about.
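As an added example (not code from this thread or from the Transmission project), a small POSIX shell script that classifies the TLS backend a curl build names on the first line of `curl --version` and, following mike.dld's observation above, picks the launch command: SecureTransport (DarwinSSL) and Schannel builds only send SNI with host verification on, so those get TR_CURL_SSL_VERIFY=1, while an OpenSSL-linked curl needs nothing. The version lines are constructed samples and the function names are mine.

```shell
#!/bin/sh
# Added example: pick the Transmission launch command from curl's TLS backend.
# The classification follows mike.dld's note that the SecureTransport (DarwinSSL)
# and Schannel backends skip SNI unless verifyhost is enabled.

# tls_backend VERSION_LINE -> prints the backend family named in the first line
# of `curl --version` (e.g. "OpenSSL/1.0.2g", "SecureTransport", "Schannel").
tls_backend() {
    line="$1"
    for tok in $line; do
        case "$tok" in
            OpenSSL/*|LibreSSL/*|BoringSSL*) echo "openssl"; return 0 ;;
            SecureTransport*)                echo "securetransport"; return 0 ;;
            Schannel*|WinSSL*)               echo "schannel"; return 0 ;;
            GnuTLS/*)                        echo "gnutls"; return 0 ;;
            NSS/*)                           echo "nss"; return 0 ;;
        esac
    done
    echo "unknown"
    return 0
}

# sni_needs_verify BACKEND -> exit 0 when this backend only sends SNI with
# host verification turned on (the cases described in the thread).
sni_needs_verify() {
    case "$1" in
        securetransport|schannel) return 0 ;;
        *) return 1 ;;
    esac
}

# recommend VERSION_LINE -> prints the launch command for that curl build.
recommend() {
    backend=$(tls_backend "$1")
    if sni_needs_verify "$backend"; then
        echo "env TR_CURL_SSL_VERIFY=1 /Applications/Transmission.app/Contents/MacOS/Transmission"
    else
        echo "/Applications/Transmission.app/Contents/MacOS/Transmission"
    fi
}

# Constructed sample version lines (not captured from a real machine):
STOCK_OSX="curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5"
BREW_CURL="curl 7.47.1 (x86_64-apple-darwin15.3.0) libcurl/7.47.1 OpenSSL/1.0.2g zlib/1.2.5"

# On a real system: recommend "$(curl --version | head -n 1)"
recommend "$STOCK_OSX"
```

The check looks at the curl that Transmission actually loads; after the DYLD_LIBRARY_PATH trick from the first post, that is the Homebrew build, so pass `/usr/local/opt/curl/bin/curl --version` rather than the stock `/usr/bin/curl` when you want the answer for that configuration.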

mike.dld
Transmission Developer
Posts: 275
Joined: Wed Dec 25, 2013 10:56 pm

Re: TLS SNI problem on OS X

Post by mike.dld » Wed Mar 23, 2016 7:27 am

So here's another test for you. Try running T with TR_CURL_SSL_VERIFY set and see if you get errors from other trackers and/or webseeds:

Code:

$ env TR_CURL_SSL_VERIFY=1 /Applications/Transmission.app/Contents/MacOS/Transmission

Crank
Posts: 11
Joined: Sun Mar 20, 2016 6:22 pm

Re: TLS SNI problem on OS X

Post by Crank » Thu Mar 24, 2016 3:16 am

Yes, it works with that command too, without any tracker errors. Only a small warning appears in the terminal:

Code:

CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.

x190
Posts: 5094
Joined: Sun Nov 30, 2008 4:59 am

Re: TLS SNI problem on OS X

Post by x190 » Thu Mar 24, 2016 1:36 pm

Firefox has no problem with HTTPS sites that use Cloudflare (e.g. blueberry), even on an older OS X version.
The stone age didn’t end because we ran out of stones.
---The Great Disruption - by Paul Gilding
https://paulgilding.com/
-------------------------------------------------

Crank
Posts: 11
Joined: Sun Mar 20, 2016 6:22 pm

Re: TLS SNI problem on OS X

Post by Crank » Thu Mar 24, 2016 1:44 pm

Maybe Firefox uses its own libs for OpenSSL and curl?

x190
Posts: 5094
Joined: Sun Nov 30, 2008 4:59 am

Re: TLS SNI problem on OS X

Post by x190 » Thu Mar 24, 2016 7:41 pm

Don't know, but you could use "$ env TR_CURL_SSL_VERIFY=1 /Applications/Transmission.app/Contents/MacOS/Transmission" on an unpatched system and see what happens --- likely needs a minimum version of curl/openssl?

https://curl.haxx.se/mail/archive-2013-10/0036.html

EDIT: If you like the way "TR_CURL_SSL_VERIFY=1" works, you can change a line in libtransmission/web.c (in static void tr_webThreadFunc (void * vsession)):

Code:

-web->curl_ssl_verify = tr_env_key_exists ("TR_CURL_SSL_VERIFY");
+web->curl_ssl_verify = true;
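Review bot: hardcoding `web->curl_ssl_verify = true;` removes the only opt-out, so a user whose tracker or webseed still presents a self-signed or otherwise invalid certificate (the very reason mike.dld gives for the default being off) is left with "Could not connect to tracker" errors and no switch to turn verification back off. Prefer flipping the default while keeping an environment override, e.g. `web->curl_ssl_verify = !tr_env_key_exists ("TR_CURL_SSL_NO_VERIFY");` (the variable name is a suggestion, not one that exists in this tree). A change of default like this also deserves a changelog or documentation note saying that certificate verification is now on unless disabled.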

Crank
Posts: 11
Joined: Sun Mar 20, 2016 6:22 pm

Re: TLS SNI problem on OS X

Post by Crank » Fri Mar 25, 2016 4:00 pm

x190 wrote: Don't know, but you could use "$ env TR_CURL_SSL_VERIFY=1 /Applications/Transmission.app/Contents/MacOS/Transmission" on an unpatched system and see what happens --- likely needs a minimum version of curl/openssl?
I'm pretty sure that a minimum version of OpenSSL and curl is required. Looks like the 7.43 version provided by OS X is a little bit buggy.
x190 wrote: EDIT: If you like the way "TR_CURL_SSL_VERIFY=1" works, you can change a line in libtransmission/web.c (in static void tr_webThreadFunc (void * vsession)):

Code:

-web->curl_ssl_verify = tr_env_key_exists ("TR_CURL_SSL_VERIFY");
+web->curl_ssl_verify = true;
For this change I have to compile T myself, I think?

x190
Posts: 5094
Joined: Sun Nov 30, 2008 4:59 am

Re: TLS SNI problem on OS X

Post by x190 » Fri Mar 25, 2016 6:23 pm


metaclam
Posts: 97
Joined: Sat Jan 31, 2009 6:31 pm

Re: TLS SNI problem on OS X

Post by metaclam » Tue Feb 07, 2017 11:35 am

This was an issue on a tracker I use. I don't really understand what all this is about, but for the convenience of end users who need a way to launch Transmission in this mode, here's a simple AppleScript to launch Transmission:

Code:

property transmission_path : "/Applications/Transmission.app/Contents/MacOS/Transmission"
do shell script "env TR_CURL_SSL_VERIFY=1 " & quoted form of transmission_path & " > /dev/null 2>&1 &"
Here's a slightly more involved version of that same script, where you can set a custom path.

Telecart
Posts: 4
Joined: Thu Dec 31, 2009 4:00 pm

Re: TLS SNI problem on OS X

Post by Telecart » Fri Mar 08, 2019 3:29 am

Thanks! 2019 and this is still an issue out of the box for the macOS version of T. Good thing there's a workaround though!

jubei
Posts: 1
Joined: Thu Dec 05, 2019 11:08 am

Re: TLS SNI problem on OS X

Post by jubei » Thu Dec 05, 2019 11:14 am

metaclam wrote (Tue Feb 07, 2017 11:35 am): This was an issue on a tracker I use. I don't really understand what all this is about, but for the convenience of end users who need a way to launch Transmission in this mode, here's a simple AppleScript to launch Transmission:

Code:

property transmission_path : "/Applications/Transmission.app/Contents/MacOS/Transmission"
do shell script "env TR_CURL_SSL_VERIFY=1 " & quoted form of transmission_path & " > /dev/null 2>&1 &"
Here's a slightly more involved version of that same script, where you can set a custom path.
Sorry, a bit of a noob layman here, but I was searching for a solution to upgrade Transmission so it can deal with TLS 1.2. Does this solve it?
