Elm init tls issue

The127 · May 16, 2025, 10:43pm

Elm built with current Haskell versions (e.g. via nixpkgs) seems to have a tls issue with the package list website:

I need the list of published packages before I can start initializing projects,
so I tried to fetch:

    https://package.elm-lang.org/all-packages

But my HTTP library is giving me the following error message:

    InternalException (HandshakeFailed (Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure))

Are you somewhere with a slow internet connection? Or no internet? Does the link
I am trying to fetch work in your browser? Maybe the site is down? Does your
internet connection have a firewall that blocks certain domains? It is usually
something like that!

It works fine with the binary release from github.
I believe it may be due to this setting, which defaults to “RequireEMS” nowadays: Network.TLS

novid · May 17, 2025, 8:16pm

Welcome to the Elm community! There are some possible causes and solutions:

Outdated TLS Version or Cipher Support
The server might require a newer TLS version than your system supports. Try updating your system’s OpenSSL or TLS library.
Server-Side Configuration Issues
If the registry (https://package.elm-lang.org/all-packages) is down or misconfigured, you might need to wait or check official channels for updates.
Network Issues (Firewall or Proxy)
If you’re behind a strict firewall or proxy, it might be blocking the secure connection. Try accessing the URL directly in a browser to see if it loads.
Slow or Unreliable Internet Connection
A weak connection might disrupt the handshake. Try using a different network.

jerith · May 22, 2025, 2:35am

I can confirm this.

Using this command, I was able to reproduce in the src/client/ directory of my Elm project at update nix dependencies with niv-update · jerith666/elbum@d347e31 · GitHub but not at its parent:

rm -rf ~/.elm/0.19.1/ elm-stuff/ &&
    nom-shell ../../shell.nix --pure --run \
    'elm make src/Main.elm --output elbum.js'

That means it was introduced between nixpkgs commits b024ced1aa and dda3dcd3fe. I can try to bisect further, but the ghc 9.6.6 → 9.8.4 and tls 1.8.0 → 2.1.1 updates in there are certainly my first guesses.

jerith · May 22, 2025, 2:40am

Yeah, the changelog for the Haskell tls library version 2.0.0 says:

Security: BREAKING CHANGE: TLS 1.2 servers require EMS(extended main secret) by default. supportedExtendedMasterSec is renamed to supportedExtendedMainSecret.

jerith · May 22, 2025, 2:49am

One more bit of diagnostic info before bedtime:

$ echo | openssl s_client package.elm-lang.org:443 |& grep -i extended
    Extended master secret: no

My guess is that the elm compiler code uses some higher-level library than tls to make its connection to package.elm-lang.org, and that higher-level library may well not expose these low-level TLS protocol details.

So there may not be an easy way to patch this in the compiler – assuming that’s even a desirable thing! After all, we don’t really want to build a version of the compiler that’s vulnerable to some sort of attack against its communication with the package server. (I am definitely not a TLS expert!)

Janiczek · May 22, 2025, 11:25am

Novid, I’m getting an AI rash

ember · May 28, 2025, 11:31pm

Just bumped into this after updating nix! It seems like this has been an issue for at least a year, even if it’s only starting to affect nix users now. What do folks see as the most likely path forward in resolving this? Are there admins for the elm package server who are active and reachable who might be willing to update? Or should this be tackled on the nixpkgs side of thing?

dta · May 29, 2025, 12:33am

@evancz would be the admin of the package site

I believe it would also be possible to pin an older version of ghc in nixpkgs, but it does seem like supporting the TLS extension on the server would be the better option.

turboMaCk · June 5, 2025, 11:58am

I think we will need to apply patch downstream in nixpkgs because this won’t be accepted upstream anytime soon. Which we could do. There is now even an issue you can subscribe to

github.com/NixOS/nixpkgs

elmPackages.elm: fails to connect to the elm package repository

opened 11:45AM - 05 Jun 25 UTC

Pacrilege

0.kind: bug

### Nixpkgs version - Stable (25.05) ### Describe the bug `elm install` and o…ther commands accessing https://package.elm-lang.org/all-packages to fetch elm packages fail with the error `InternalException (HandshakeFailed (Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure))`. This is likely because the haskell tls library on versions >= 2.0.0 requires Extended Main Secret but https://package.elm-lang.org/all-packages does not support it. A possible fix would be to pin an earlier version of the haskell tls library as a dependency for elm. ### Steps to reproduce 1. Install elmPackages.elm 2. run `elm init` in a directory you don't care about 3. run `elm install BrianHicks/elm-csv` (though any string matching .+/.+ should do as an argument) If that doesn't fail with the above error, I have misdiagnosed the issue and this bug report is moot ### Expected behaviour `elm install BrianHicks/elm-csv` adds BrianHicks/elm-csv to the elm.json file with the current version of the package ### Screenshots _No response_ ### Relevant log output ```console ~/projects/habitable-planets via 🌳 v0.19.1 via ❄️ impure (shell) ❯ elm install BrianHicks/elm-csv -- PROBLEM LOADING PACKAGE LIST ------------------------------------------------ I need the list of published packages to figure out how to install things, so I tried to fetch: https://package.elm-lang.org/all-packages But my HTTP library is giving me the following error message: InternalException (HandshakeFailed (Error_Protocol "peer does not support Extended Main Secret" HandshakeFailure)) Are you somewhere with a slow internet connection? Or no internet? Does the link I am trying to fetch work in your browser? Maybe the site is down? Does your internet connection have a firewall that blocks certain domains? It is usually something like that! ``` ### Additional context `ping package.elm-lang.org` goes through, as does `curl https://package.elm-lang.org/all-packages`, so it probably is not something like that. ### System metadata - system: `"x86_64-linux"` - host os: `Linux 6.12.30, NixOS, 25.05 (Warbler), 25.05.20250525.7c43f08` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.28.3` - channels(root): `"nixos-24.05"` - nixpkgs: `/nix/store/vj980b72z6zb0yg6v0a7nzc9rcww3jmn-source` ### Notify maintainers @domenkozar @turboMaCk --- **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.) ### I assert that this issue is relevant for Nixpkgs - [x] I assert that this is a bug and not a support request. - [x] I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+-label%3A%226.topic%3A+darwin%22+-label%3A%226.topic%3A+nixos%22). - [x] I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it. ### Is this issue important to you? Add a :+1: [reaction] to [issues you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

turboMaCk · June 6, 2025, 10:58am

Thanks for reporting this issue (also thanks to @Janiczek for bringing this to my attention).

This is the fix elmPackages.elm: Fix runtime TLS connection to package.elm-lang.org by turboMaCk · Pull Request #414495 · NixOS/nixpkgs · GitHub

ember · June 7, 2025, 12:55pm

Woo!! Thank you so much for fixing this!

turboMaCk · June 8, 2025, 9:21pm

My pleasure. I should have caught this sooner. But my ~/.elm cache masked it for me.

Topic		Replies	Views
Elm can't fetch the package list with a HTTPS error Learn	3	800	February 8, 2023
How To Solve Elm make HTTPS Certificate Problem Learn	5	2617	November 28, 2018
[resolved] Infrastructure: DNS problem with elm-lang.org Request Feedback	4	944	August 6, 2020
Cannot install any elm packages Learn	4	1812	February 20, 2019
Issue: package.elm-lang.org availability in Russia Request Feedback	5	1673	April 9, 2019

Elm init tls issue

Related topics