Elm init tls issue

Elm built with current Haskell versions (e.g. via nixpkgs) seems to have a tls issue with the package list website:

I need the list of published packages before I can start initializing projects,
so I tried to fetch:

    https://package.elm-lang.org/all-packages

But my HTTP library is giving me the following error message:

    InternalException (HandshakeFailed (Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure))

Are you somewhere with a slow internet connection? Or no internet? Does the link
I am trying to fetch work in your browser? Maybe the site is down? Does your
internet connection have a firewall that blocks certain domains? It is usually
something like that!

It works fine with the binary release from github.
I believe it may be due to this setting, which defaults to “RequireEMS” nowadays: Network.TLS

2 Likes

Welcome to the Elm community! There are some possible causes and solutions:

  • Outdated TLS Version or Cipher Support
    The server might require a newer TLS version than your system supports. Try updating your system’s OpenSSL or TLS library.

  • Server-Side Configuration Issues
    If the registry (https://package.elm-lang.org/all-packages) is down or misconfigured, you might need to wait or check official channels for updates.

  • Network Issues (Firewall or Proxy)
    If you’re behind a strict firewall or proxy, it might be blocking the secure connection. Try accessing the URL directly in a browser to see if it loads.

  • Slow or Unreliable Internet Connection
    A weak connection might disrupt the handshake. Try using a different network.

I can confirm this.

Using this command, I was able to reproduce in the src/client/ directory of my Elm project at "update nix dependencies with niv-update" (jerith666/elbum@d347e31 on GitHub), but not at its parent:

    rm -rf ~/.elm/0.19.1/ elm-stuff/ &&
        nom-shell ../../shell.nix --pure --run \
        'elm make src/Main.elm --output elbum.js'

That means it was introduced between nixpkgs commits b024ced1aa and dda3dcd3fe. I can try to bisect further, but the ghc 9.6.6 → 9.8.4 and tls 1.8.0 → 2.1.1 updates in there are certainly my first guesses.

1 Like

Yeah, the changelog for the Haskell tls library version 2.0.0 says:

  • Security: BREAKING CHANGE: TLS 1.2 servers require EMS(extended main secret) by default. supportedExtendedMasterSec is renamed to supportedExtendedMainSecret.

One more bit of diagnostic info before bedtime:

    $ echo | openssl s_client package.elm-lang.org:443 |& grep -i extended
        Extended master secret: no

My guess is that the elm compiler code uses some higher-level library than tls to make its connection to package.elm-lang.org, and that higher-level library may well not expose these low-level TLS protocol details.

So there may not be an easy way to patch this in the compiler – assuming that’s even a desirable thing! After all, we don’t really want to build a version of the compiler that’s vulnerable to some sort of attack against its communication with the package server. (I am definitely not a TLS expert!)
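Added example, not part of any post in this thread: a shell sketch of the `openssl s_client` check above that also records the negotiated protocol version, because `s_client` prints `Extended master secret: no` for TLS 1.3 sessions too, where the extension does not apply. The transcripts are constructed, and `client_outcome` is a simplified model of the `RequireEMS`/`AllowEMS` modes, not the tls library's own code.

```shell
#!/bin/sh
# Classify Extended Master Secret (RFC 7627) support from an
# `openssl s_client` transcript on stdin. Prints one of:
#   ems-yes | ems-no | not-applicable-tls13 | unknown
classify_ems() {
  awk '
    /^[ \t]*Protocol[ \t]*:/  { proto = $NF }         # negotiated version
    /Extended master secret:/ { ems = tolower($NF) }  # yes / no
    END {
      # EMS is a TLS <= 1.2 extension; under TLS 1.3 the "no" line says nothing.
      if (proto == "TLSv1.3") print "not-applicable-tls13"
      else if (ems == "yes")  print "ems-yes"
      else if (ems == "no")   print "ems-no"
      else                    print "unknown"
    }'
}

# Simplified model (an assumption) of how a client reacts, using the EMSMode
# names of the Haskell tls library: RequireEMS aborts a TLS 1.2 handshake
# without EMS; AllowEMS uses EMS when offered and otherwise continues.
client_outcome() {  # $1 = RequireEMS|AllowEMS, $2 = classify_ems result
  case "$1:$2" in
    RequireEMS:ems-no) echo "handshake-fails" ;;
    *:unknown)         echo "undetermined" ;;
    *)                 echo "ems-not-blocking" ;;
  esac
}

# Constructed transcripts (not captured from any real server).
SAMPLE_TLS12_NO_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Extended master secret: no'
SAMPLE_TLS12_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Extended master secret: yes'
SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Extended master secret: no'

# Live use: force TLS 1.2 so the answer concerns the version EMS applies to:
#   openssl s_client -connect HOST:443 -servername HOST -tls1_2 \
#     </dev/null 2>/dev/null | classify_ems
for s in "$SAMPLE_TLS12_NO_EMS" "$SAMPLE_TLS12_EMS" "$SAMPLE_TLS13"; do
  r=$(printf '%s\n' "$s" | classify_ems)
  echo "$r -> RequireEMS client: $(client_outcome RequireEMS "$r")"
done
```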

Novid, I’m getting an AI rash :sweat_smile:

8 Likes

Just bumped into this after updating nix! It seems like this has been an issue for at least a year, even if it’s only starting to affect nix users now. What do folks see as the most likely path forward in resolving this? Are there admins for the elm package server who are active and reachable who might be willing to update? Or should this be tackled on the nixpkgs side of things?

@evancz would be the admin of the package site

I believe it would also be possible to pin an older version of ghc in nixpkgs, but it does seem like supporting the TLS extension on the server would be the better option.

1 Like

I think we will need to apply a patch downstream in nixpkgs because this won’t be accepted upstream anytime soon. Which we could do. There is now even an issue you can subscribe to.

1 Like

Thanks for reporting this issue (also thanks to @Janiczek for bringing this to my attention).

This is the fix: "elmPackages.elm: Fix runtime TLS connection to package.elm-lang.org" by turboMaCk, Pull Request #414495 in NixOS/nixpkgs on GitHub.

4 Likes

Woo!! :tada: Thank you so much for fixing this!

My pleasure. I should have caught this sooner. But my ~/.elm cache masked it for me.

Hello,

I have the same issue:

$ elm init
Hello! Elm projects always start with an elm.json file. I can create them!

Now you may be wondering, what will be in this file? How do I add Elm files to
my project? How do I see it in the browser? How will my code grow? Do I need
more directories? What about tests? Etc.

Check out <https://elm-lang.org/0.19.1/init> for all the answers!

Knowing all that, would you like me to create an elm.json file now? [Y/n]: y
-- PROBLEM LOADING PACKAGE LIST ------------------------------------------------

I need the list of published packages before I can start initializing projects,
so I tried to fetch:

    https://package.elm-lang.org/all-packages

But my HTTP library is giving me the following error message:

    InternalException (HandshakeFailed (Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure))

Are you somewhere with a slow internet connection? Or no internet? Does the link
I am trying to fetch work in your browser? Maybe the site is down? Does your
internet connection have a firewall that blocks certain domains? It is usually
something like that!

Internet is working, I tried both elm package from stable and unstable.

$ cat /etc/os-release 
ANSI_COLOR="0;38;2;126;186;228"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
BUILD_ID="25.05.804113.6c64dabd3aa8"
CPE_NAME="cpe:/o:nixos:nixos:25.05"
DEFAULT_HOSTNAME=nixos
DOCUMENTATION_URL="https://nixos.org/learn.html"
HOME_URL="https://nixos.org/"
ID=nixos
ID_LIKE=""
IMAGE_ID=""
IMAGE_VERSION=""
LOGO="nix-snowflake"
NAME=NixOS
PRETTY_NAME="NixOS 25.05 (Warbler)"
SUPPORT_END="2025-12-31"
SUPPORT_URL="https://nixos.org/community.html"
VARIANT=""
VARIANT_ID=""
VENDOR_NAME=NixOS
VENDOR_URL="https://nixos.org/"
VERSION="25.05 (Warbler)"
VERSION_CODENAME=warbler
VERSION_ID="25.05"

To clarify what was discussed on github under the issue.

I understand you’re using a classic nix setup with channels. And you follow the unstable channel. So do I. Now this poses a few questions:

  1. When will the fix be available in the nixos-unstable channel?
  2. How can I use a fixed version of elm to unblock myself?

1. When will the fix be available in the nixos-unstable channel?

The process of releasing is a bit more involved than it might seem from outside for various reasons, among which is the expectation that channels should be backed by binary caches, which are relatively large and take a long time to build. I don’t know what the exact process is at the moment or when the next staging phase will go through to the unstable channel. But I did search on duckduckgo:

2. How can I use fixed version to unblock myself

There are many ways. For instance, you can just take the code from the PR and define your own overlay - you can find a lot of information on the internet on how to do that.

Or you can, for instance, add another version of nixpkgs independent of the channel into your setup, using fetchFromGitHub, and use elm (and only elm) from this pkg set in your setup.

Or you can even just clone the current master of nixpkgs and use nix-env to install the package from the expressions in the master.

2 Likes

Hello
I think I’ll remove the package from my configuration and use a per-project configuration with nix-shell from which I can use packages directly from github.

I had started to do this for other languages, and I think it’s best to keep a minimum of packages installed via /etc/nixos/configuration.nix

Thanks a lot for your help

1 Like

You might also want to look into nix flakes, which make this per-project definition a bit simpler in some ways, though arguably more complicated in others. So it’s a trade-off.

Yes, I know Flakes, I just need to take the time to learn about them. Looks very interesting indeed.

That said, I found that having a light /etc/nixos/configuration.nix with essential packages (web browser, terminal emulator, window manager, etc…) and a per-project default.nix for additional packages gave me a fairly easy-to-use solution. With direnv it’s almost transparent.
My main concern is not to overcomplicate my general configuration in order to facilitate updates and upgrades.

It is in the end a matter of preference and your own choice. Whatever you do in default.nix, shell.nix or flake.nix specific to a project is the same as what you can do globally for systemPackages. Obviously systemPackages are global, while project-specific things can be versioned together with the project (source). Use what you want to use and don’t be afraid to experiment.

1 Like

Yes, in the end, I’m experimenting with so many languages and technologies that this solution seemed the best to me. Elm remained in the global configuration because it’s a language I often use, especially when I first started using NixOS. But it’s better to define this in each project.

@turboMaCk thank you very much, and everyone else involved here, can confirm it’s working for me now <3