magento2: The repo.magento.com server's HTTPS/SSL are Not Compatible with OS X

@maksek While you have a situation here where you can easily point to technical issue that’s not yours, your assessment that it’s not related to Magento 2 is incorrect. With things setup as they are right now an unknown number (thousands? Tens of thousands?) of OS X can’t access Magento 2 via composer.

That’s horrible from a product point of view. For developers already working in the ecosystem this means making massive changes to how they work. For developers not working in the ecosystem it creates a horrible first impression that will keep an unknown percentage of them away.

If that’s an acceptable tradeoff for your team, then you can close this ticket. If you’re not comfortable with that, I’d recommend you product teams takes steps, lateral or otherwise, to fix it. Two suggestions are to provide a composer repository where these developers can access the source code, or by working with the upstream provider (http://php-osx.liip.ch/) themselves to get this fixed.

I’m working on a fix (for php-osx), looking good that this will be available soon

Hi @astorm

It looks like they use a pretty modern ciphersuite and protocols on repo.magento.com, which only allows TLS 1.2 and 1.1 connections: https://www.ssllabs.com/ssltest/analyze.html?d=repo.magento.com&s=52.203.74.110&latest

There is a possibility that the OpenSSL version your php installation is linked against, doesn’t support those protocols yet.

You could try running these commands to figure out if your OpenSSL is able to connect to Magento’s composer repo:

$ openssl s_client -connect repo.magento.com:443 -tls1_2 # this one should connect
$ openssl s_client -connect repo.magento.com:443 -tls1_1 # this one should connect
$ openssl s_client -connect repo.magento.com:443 -tls1   # this one shouldn't connect

If the two first two command don’t work on your system, then OpenSSL is most likely to blame.

After some researching, it looks like the built-in PHP version of OS X is linked against LibreSSL, instead of OpenSSL, which does support TLS 1.1 and 1.2. The OpenSSL version on OS X is really really old and doesn’t support TLS 1.1 or 1.2. So that might explain it.

If you are somehow able to link your PHP installation against the LibreSSL version of OS X, then you might get it to work. Or somehow get a more recent version of OpenSSL on your machine (without overwriting the systems default) and linking it against your PHP installation.

So I guess the issue is in the PHP packages from http://php-osx.liip.ch/, maybe open a support ticket over there?

I myself always use Macports to install PHP versions on my OS X machines: https://www.macports.org/ports.php?by=name&substr=php7 And those get linked against the very latest version of OpenSSL (which Macports also installs)

But if you never worked with Macports before, it might be a bit scary and it might take you a while to figure it out and setup everything properly.

I hope this helps.

@maksek so far I’ve seen two affected packages / setups where this issue applies. One is the php-osx liip package and the other one is MAMP. Both come with compiled php versions, they are compiled with the older OpenSSL 0.9.8x version. I’ve created a small overview with the php versions / affected setups:

Hopefully this helps 😃

Kind regards,

Jaimy

Thanks all, we have published a Technical Bulletin to address this issue.

http://devdocs.magento.com/guides/v2.1/release-notes/tech_bull_tls-repo.html

Seems that there is still issues when running Magento 2 in MAMP Pro.

I’ve tried downloading the latest version in Brew, but for some reason my machine is still telling me that I’ve got OpenSSL 0.9.8.

MAMP Pro 4 apparently fixes this issue, but there doesn’t seem to be a release date on this.

If anyone has a link to a guide for upgrading OpenSSL for MAMP then I would be very interested in reading it!

Thanks @24198 & @chregu.

@astorm You (and others) should be informed that we are discussing the implications raised in this thread. These discussions are internal at the moment, but expect both detail and action from us in the very near future. I am curious to know if the new Liip package solves the problems for you.

@simobenso to be honest I don’t know, at the time I created the overview, PHP 7.0.7 wasn’t available and I have not tried it ever since. So I could be that I might work, but if I were to make an educated guess, it probably won’t. Since it probably be compiled with the older version of openSSL, which is the real issue, on the other hand I might be completely wrong.

So to find the one true answer is only by trying, sorry I couldn’t help more on a short notice. Hopefully you’ll find the answer you’re looking for.

Kind Regards,

Jaimy

So there is still no solution for MAMP?

Finally found a solution:

• I’ve updates OpenSSL on my Mac by using brew (version 1.0.2h): brew install openssl
• Linked the new version to use it as systems default: brew link --force openssl
• Then I’ve downloaded AMPPS (http://www.ampps.com/)
• Switched to PHP Version 5.6 inside of AMPPS
• Added the following entry in my php.ini: openssl.cafile=/usr/local/etc/openssl/cert.pem
• Now I’m using this version to update my local composer magento repositories
• Still running everything in MAMP (not using the AMPPS servers)

To make it a bit easier I’ve added an alias to my .bash_profile:

alias phpamps="/Applications/AMPPS/php-5.6/bin/php"

Now I can use:

phpamps composer.phar update

Hope this helps

Hey Guys,

can you please check the following:

I removed

"repositories": [
        {
            "type": "composer",
            "url": "https://repo.magento.com/"
        }
    ],

from composer.json – it worked fine.

with these line in place I’ll get the crypto-error.

What exactly the difference is, you ask?! I don’t know – that’s some black magic composer voodoo for me 😄

Best, Rico

/cc: @benmarks + sherrierhode

@benmarks new Liip package works like a charm! Thank you @chregu for updating the package, it works flawlessly!