Why is ssl used to request stuff from hex.pm if ssl_verify is false in my global rebar.config? #2987
-
|
There is a lot of private data that I can't show here, but basically this is my situation: {erl_opts, [warnings_as_errors, {parse_transform, lager_transform}]}.
…
{deps, [
{recon, "2.5.6"},
{redbug, "2.1.0"},
…
]}.
…
{project_plugins, [
{rebar3_dirs, {git, "https://github.com/choptastic/rebar3_dirs.git", {ref, "0a11878"}}}
]}.Why is that plugin using github urls instead of hexpm packges (e.g. Well… That's because when I run ===> Fetching rebar3_dirs (from {git,"https://github.com/choptastic/rebar3_dirs.git", {ref,"0a11878"}})
=WARNING REPORT==== 21-Jan-2026::13:27:49.656225 ===
Description: "Failed to assert middlebox server message"
Reason: [{missing,{change_cipher_spec,1}}]
Location: tls_client_connection_1_3.erl:344
=NOTICE REPORT==== 21-Jan-2026::13:27:49.656437 ===
TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:740 generated CLIENT ALERT: Fatal - Unexpected Message
- {unexpected_msg,
{internal,
{server_hello,
{3,3},
<<…>>,
<<…>>,
<<19,1>>,
#{server_hello_selected_version => {server_hello_selected_version,{3,4}},
pre_shared_key => undefined,
key_share =>
{key_share_server_hello,
{key_share_entry,secp384r1, <<…>>}}}}}}
===> Failed to update package rebar3_hex from repo hexpm
===> Errors loading plugin rebar3_hex. Run rebar3 with DEBUG=1 set to see errors.
===> Analyzing applications...
===> Compiling rebar3_dirs
base_dir: /…my path…/_build/default
deps_dir: /…my path…/_build/default/lib
root_dir: /…my path…/.
checkouts_dir: /…my path…/_checkouts
checkouts_out_dir: /…my path…/_build/default/checkouts
plugins_dir: /…my path…/_build/default/plugins
lib_dirs: apps/*lib/*.
project_plugin_dirs: plugins/*
global_config_dir: /github/home/.config/rebar3
global_config: /github/home/.config/rebar3/rebar.config
template_dir: /github/home/.config/rebar3/templatesThe two important things to notice there are:
{ssl_verify, false}.I thought that setting For completeness sake, I'm not showing the rest of the ===> Evaluating config script "rebar.config.script"
===> Load global config file /github/home/.config/rebar3/rebar.config
===> Getting definition for package rebar3_hex from repo hexpm (#{name => <<"hexpm">>,repo_verify_origin => true,
repo_name => <<"hexpm">>,repo_url => <<"https://repo.hex.pm/">>,
repo_organization => undefined,api_url => <<"https://hex.pm/api">>,
repo_verify => true})
=WARNING REPORT==== 21-Jan-2026::13:27:51.376174 ===
Description: "Failed to assert middlebox server message"
Reason: [{missing,{change_cipher_spec,1}}]
Location: tls_client_connection_1_3.erl:344
=NOTICE REPORT==== 21-Jan-2026::13:27:51.376400 ===
TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:740 generated CLIENT ALERT: Fatal - Unexpected Message
- {unexpected_msg,
{internal,
{server_hello,
…SAME ERROR AS SHOWN ABOVE…
===> Hex get_package request failed: {error,
{failed_connect,
[{to_address,{"repo.hex.pm",443}},
{inet6,[inet6],nxdomain},
{inet,
[inet],
{tls_alert,
{unexpected_message,
"TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:740 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n {internal,\n {server_hello,\n {3,3},\n <<...>>,\n <<...>>,\n <<19,1>>,\n #{server_hello_selected_version =>\n {server_hello_selected_version,{3,4}},\n pre_shared_key => undefined,\n key_share =>\n {key_share_server_hello,\n {key_share_entry,secp384r1,<<4,91,66,...>>}}}}}}"}}}]}}
===> Failed to update package rebar3_hex from repo hexpm
===> throw {error,
{rebar_app_utils,{missing_package,<<"rebar3_hex">>,undefined}}} [{rebar_app_utils,
update_source,
3,
[{file, "/home/runner/work/rebar3/rebar3/apps/rebar/src/rebar_app_utils.erl"},
{line,
335}]},
{rebar_prv_install_deps,
'-handle_profile_level/7-lc$^0/1-0-',
3,
[{file, "/home/runner/work/rebar3/rebar3/apps/rebar/src/rebar_prv_install_deps.erl"},
{line,
178}]},
{rebar_prv_install_deps,
handle_profile_level,
7,
[{file, "/home/runner/work/rebar3/rebar3/apps/rebar/src/rebar_prv_install_deps.erl"},
{line,
179}]},
{rebar_plugins,
handle_plugin,
5,
[{file,
"/home/runner/work/rebar3/rebar3/apps/rebar/src/rebar_plugins.erl"},
{line,
121}]},
{rebar_plugins,
'-handle_plugins/4-fun-0-',
5,
[{file,
"/home/runner/work/rebar3/rebar3/apps/rebar/src/rebar_plugins.erl"},
{line,
102}]},
{lists,
foldl,
3,
[{file,
"lists.erl"},
{line,
2466}]},
{rebar_plugins,
handle_plugins,
4,
[{file,
"/home/runner/work/rebar3/rebar3/apps/rebar/src/rebar_plugins.erl"},
{line,
101}]},
{lists,
foldl,
3,
[{file,
"lists.erl"},
{line,
2466}]}]
===> Errors loading plugin rebar3_hex. Run rebar3 with DEBUG=1 set to see errors.
===> Setting paths to [deps]
===> Compile (apps)
===> Setting paths to [plugins]
===> Setting paths to [deps]
===> Setting paths to [plugins]
===> Setting paths to [plugins]
===> Expanded command sequence to be run: [app_discovery,install_deps,lock,compile,release]
===> Running provider: app_discovery
===> Evaluating config script "/…my path…/src/my_app.app.src.script"
===> Found top-level apps: [my_app]
using config: [{src_dirs,["src"]},{lib_dirs,["apps/*","lib/*","."]}]
===> Running provider: install_deps
===> Verifying dependencies...
===> Getting definition for package cowboy from repo hexpm
=WARNING REPORT==== 21-Jan-2026::13:27:51.436893 ===
Description: "Failed to assert middlebox server message"
Reason: [{missing,{change_cipher_spec,1}}]
Location: tls_client_connection_1_3.erl:344
=NOTICE REPORT==== 21-Jan-2026::13:27:51.437148 ===
TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:740 generated CLIENT ALERT: Fatal - Unexpected Message
- {unexpected_msg,
{internal,
{server_hello,
{3,3},
<<…>>,
<<…>>,
<<19,1>>,
#{server_hello_selected_version =>
{server_hello_selected_version,{3,4}},
pre_shared_key => undefined,
key_share =>
{key_share_server_hello,
{key_share_entry,secp384r1,
<<…>>}}}}}}
===> Hex get_package request failed: {error,
{failed_connect,
[{to_address,{"repo.hex.pm",443}},
{inet6,[inet6],nxdomain},
{inet,
[inet],
{tls_alert,
{unexpected_message,
"TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:740 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n {internal,\n {server_hello,\n {3,3},\n <<...>>,\n <<\"E�VFEBQ�L<E\"...>>,\n <<19,1>>,\n #{server_hello_selected_version =>\n {server_hello_selected_version,{3,4}},\n pre_shared_key => undefined,\n key_share =>\n {key_share_server_hello,\n {key_share_entry,secp384r1,<<4,116,52,...>>}}}}}}"}}}]}}
===> Failed to update package cowboy from repo hexpm
===> Package not found in any repo: cowboy 2.14.2It does seem like it is loading Am I missing something here? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 5 replies
-
|
One thing that I forgot to point out is that the server is running OTP28 with rebar3.26. |
Beta Was this translation helpful? Give feedback.
-
|
This is a maybe somewhat related issue: erlang/otp#7586 |
Beta Was this translation helpful? Give feedback.
-
|
ssl_verify would likely not remove SSL, but remove certificate validation checks, meaning you can connect to any remote without caring whether the certificate is self-signed, matches the domain, or is expired. As for the error itself, I haven't seen it before, but it does appear to be an issue with the state machine inside the TLS library, which lines up with the issue you have seen. I'm unclear where This failure comes from hex_core; our hex_core version was vendored to v0.10.0 (https://github.com/erlang/rebar3/blob/4277af3d2e792cad6000de520cef92a010dc5e19/vendor_hex_core.sh) and we should probably bump it up to a newer version. If you're able to try running that script and trying again (I don't have an easy way to reproduce here apparently), we could merge that rather quick. |
Beta Was this translation helpful? Give feedback.
-
|
Where should I run that script? Should I clone the rebar3 repo, run the script, recompile rebar3 and use that version on my server? |
Beta Was this translation helpful? Give feedback.
-
|
Yep, pretty much. |
Beta Was this translation helpful? Give feedback.
-
|
I can make a branch / PR if that makes it easier? |
Beta Was this translation helpful? Give feedback.
-
|
Don't worry. I can do that myself :) |
Beta Was this translation helpful? Give feedback.
-
|
I did the update: #2988 |
Beta Was this translation helpful? Give feedback.
-
|
#2989 should fix my problem. Would it be ok to merge that one, @ferd ? |
Beta Was this translation helpful? Give feedback.
#2989 should fix my problem. Would it be ok to merge that one, @ferd ?