-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chocolatey CLI v2.x (running on Windows 7) is not able to communicate with Chocolatey Community Repository due to TLS issue #3250
Comments
@superbonaci I believe that the issue that you are seeing is the same as this one: Can you please read through that one, and if possible, use the suggestion to view the response/requests in Fiddler, and provide the feedback, so that we can dig into this further. For now, I am going to close this issue, and we can continue the discussion over there. |
Here's the first Fiddler's session log (there are 12 but they are exactly the same): Raw Headers (Read-only)
Response (Raw)
|
@superbonaci can you confirm what operating system you are using? You mention 6.1.7601.65536, but just to confirm, are you using Windows 7? Also, have you done any additional configuration regarding SSL/TLS versions on your operating system? |
Yes, that version is Windows 7, and I don't recall changing anything on my operating system. Older versions of chocolatey worked fine, maybe 2.0 or older. I could try restoring a previous backup of the chocolatey folder and see what happens. |
1st Response:
2nd Header:
2nd Response:
|
Finally downgraded to Chocolatey v1.2.1 and pinned it, so now I can upgrade all other programs:
If I try to upgrade then says it's pinned:
|
Chocolatey 1.4.0 works fine too. |
@superbonaci I have been doing some digging into this, and I believe that I can explain what is going on, as well as steps that can be completed to get things working. As mentioned in the release notes for Chocolatey CLI v2.0.0, we made some changes for:
You can find more details about this in the issue. In prior versions of Chocolatey CLI (i.e. 1.4.0 and earlier), we took ownership of the TLS version that was used to make HTTP requests. We did this because we wanted/needed to add support for TLS 1.2, something that earlier versions of .NET Framework didn't understand. With version 2.0.0 of Chocolatey, we switched to using .NET Framework 4.8, which meant the additional work that we were doing was no longer required. The decision was taken to default to using the TLS versions that are configured at the Operating System level. Since you are using Windows 7, the defaults to which TLS version to use, don't match up with the requirements that are needed to access the Chocolatey Community Repository, and that is why you are seeing the error that you are seeing. You can fix this by changing the default TLS versions used for the Operating System. The direct way to do this is by changing the necessary registry keys, but this can be complicated, so this is not the way that I would recommend making this change. Instead, I would recommend that you use a tool called IISCrypto. Since you are back to a working state, you should be able to install this using Once installed, open the application, and you should see the following: Go ahead and click the Switch to the Cipher Suites tab, and also click the Once again, you will be prompted to click the Once you reboot your machine, you should be able to run I have tested this on a Windows 7, Windows 2008, and Windows 2008 R2 machine, and Chocolatey started working on each of these operating systems, where it had been failing with the problem that you originally described. It would be great if you could take these steps for a spin, and let us know if they work for you. Thank you for bringing this to our attention! |
I have raised an issue to document this properly on the site, and I will likely create a video going through the complete process as well. |
@superbonaci as a side note, you can run:
Which would prevent the upgrade of the packages named in the option. Or, you can run:
This functionality is similar to the pin operation that you were performing above. |
@gep13 instead of installing Should I be able then to use the newer version of TLS without any additional configuration, or NF4.8 is not compatible with W7 32 bits? According to this MS site, W7 SP1 is compatible with NF up to 4.8, but not 4.8.1: |
I don't believe that will make any difference, but it also isn't something I have tried. My understanding is that what is required is an OS level change to alter the default TLS version. |
Also, the installation of Chocolatey CLI v2.x will have already installed .NET Framework 4.8, as this is a requirement. |
Confirming that running Did setup iiscrypto after upgrading the packages, can be done before as well. |
That is great news! Thank you for confirming! We will get the docs updated with this information. |
Checklist
What You Are Seeing?
Install chocolatey:
What is Expected?
Work.
How Did You Get This To Happen?
Install chocolatey and try to install any package.
System Details
Installed Packages
Output Log
Additional Context
No response
The text was updated successfully, but these errors were encountered: