Issue 2715 hub.darcs.net does not support "Extended Main Secret"

Title hub.darcs.net does not support "Extended Main Secret"
Priority urgent Status resolved
Milestone Resolved in 2.18.1
Superseder Nosy List ganesh
Assigned To

Created on 2024-02-18.13:13:11 by ganesh, last changed 2024-05-24.15:02:11 by noreply.

msg23728 (view) Author: ganesh Date: 2024-02-18.13:13:10
Discovered with the test suite, and reproduced directly.

Trying to connect to hub.darcs.net with darcs built against
`tls-2.0.0`, we get

Error getting "https://hub.darcs.net/darcs/darcs-screened/_darcs/format": InternalException (HandshakeFailed (Error_Protocol 
"peer does not support Extended Main Secret" HandshakeFailure))
And also:
Error getting "https://hub.darcs.net/darcs/darcs-screened/_darcs/inventory": InternalException (HandshakeFailed 
(Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure))

The immediate trigger is that between tls-1.9.0 to tls-2.0.0,
the default setting for this was changed from "AllowEMS" to

I've tried overriding this setting from darcs but ran into
other problems with overriding any TLS settings.

For now I'll probably constrain tls to <2.0.0. The best
long-term fix would probably be to update hub.darcs.net,
or alternatively figure out how to override the TLS settings.
msg23817 (view) Author: bfrk Date: 2024-05-14.13:47:06
> or alternatively figure out how to override the TLS settings.

I tried that (after receiving no reply on cafe). Looks impossible.

The main problem lies with


which is either simple settings (basically using the defaults defined in tls 
package) or manually defined settings; but in the latter case it must contain all 
connection parameters like the host name etc, so it can't be used with the generic 
connection manager from client-http.

The only viable solution I can see is to persuade the library authors of crypton-
and http-client to provide an explicit way for users to override the defaults for 
generic (i.e. not host or service specific) TLS (client) parameters, specifically 
the `clientSupported` member of Network.TLS.ClientParams.
msg23818 (view) Author: bfrk Date: 2024-05-14.14:28:52
msg23819 (view) Author: bfrk Date: 2024-05-15.23:31:31
The author of crypton-connection indicated that a PR that adds the 
missing functionality would be accepted and a new release made. I have a 
made the necessary changes and successfully tested them with darcs. So it 
looks as if we can get this sorted out soon.
msg23899 (view) Author: noreply Date: 2024-05-24.15:02:09
The following patch sent by Ben Franksen <ben.franksen@online.de> updated issue issue2715 with

Hash: 2797a991d7c708fc055960ce07ac98d250a941e8
Author: Ben Franksen <ben.franksen@online.de>
* resolve issue2715: hub.darcs.net does not support "Extended Main Secret"

  We use a new addition to crypton-connection in order to change the default
  setting back to old (tls < 2.0) default. For ghc < 8.8 crypton-connection
  is not available, so instead we constrain tls as before.
Date User Action Args
2024-02-18 13:13:11ganeshcreate
2024-05-14 13:47:09bfrksetmessages: + msg23817
2024-05-14 14:28:53bfrksetmessages: + msg23818
2024-05-15 23:31:31bfrksetmessages: + msg23819
2024-05-24 15:02:11noreplysetstatus: needs-diagnosis/design -> resolved
messages: + msg23899
resolvedin: 2.18.1