Vcpkg: Downloads from https://repo.msys2.org/ fail with "SSL connect error"

@Krzmbrzl have you tried again? I was able to successfully install brotli and icu without any SSL errors downloading the mingw or msys2 files. It is possible the servers were in some type maintenance at the time, even though you could connect with your browser. The servers seem to act sporadically on Saturdays/Sundays at any given time.
Attached logfile showing (18:00 GMT - 14:00 EDT):
icu-brotli-test-clean-install.log

@StarGate-One i just tried (installing icu) again but got the same error.

Note also that I was able to download the respective files via my browser so a server outage can't really be the origin of my problem, can it? :thinking:

If you are able to download the files with your browser, but not with vcpkg, and you have deleted and cloned vcpkg package again with the same results, it could be some other software on the computer preventing the download with vcpkg?
Are you behind a corporate network, maybe there is firewall configuration issue, maybe a antivirus issue, a proxy server configuration preventing access to the internet outside the local network?
Many of anti-virus software has blocked vcpkg from working properly and need configuration exemptions - I myself had to leave one antivirus and choose another once the former removed configuration access to the consumer versions and the commercial version were too expensive for just one or two pcs.
If you are just on your local ISP, maybe you could try shutting off or disabling the antivirus and/or firewall temporarily to see if vcpkg can download the files?
As a last result you can download the files using the URL provided in the vcpkg console window with your browser and put them in the [vcpkg-root]\downloads folder as a temporary work around.
I am just a volunteer to this open source project and just making suggestions based on what I have seen in the past and trying to help.

t could be some other software on the computer preventing the download with vcpkg?

I don't have any crazy firewall settings or other stuff that normally prevents downloads... What also speaks against this theory is that vcpkg was able to download from other sites just fine :thinking:

Are you behind a corporate network, maybe there is firewall configuration issue, maybe a antivirus issue, a proxy server configuration preventing access to the internet outside the local network?

I'll have to check but normally none of this should be an issue in my casce

As a last result you can download the files using the URL provided in the vcpkg console window with your browser and put them in the [vcpkg-root]\downloads folder as a temporary work around.

Good idea :+1:

I am just a volunteer to this open source project and just making suggestions based on what I have seen in the past and trying to help.

And I am very grateful that you do! :)

All we can do is what @StarGate-One said.

We don't support TLS <=1.1 on repo.msys2.org. Maybe that's the cause?

We don't support TLS <=1.1 on repo.msys2.org. Maybe that's the cause?

How would I check that?

I just tried with my firewall and my antivirus disabled but the result stayed the same.
I also tried disabling TLS .1.0 and 1.1 following the instructions at http://www.sunlync.com/kb/index.php?View=entry&EntryID=623 but still no change.

Furthermore I tried with this minimal example:

project(dummy)

cmake_minimum_required(VERSION 3.16)

file(DOWNLOAD "https://repo.msys2.org/msys/x86_64/msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz" msys2.xz STATUS download_status)
list(GET download_status 0 download_code)

if(NOT "${download_code}" STREQUAL 0)
    message(STATUS "Failed download: ${download_status}")
endif()

and the error is the same in this minimal example.
I also tried the same snippet on my Linux machine (KDE Neon) and there it works fine. Therefore I assume that there is some weird configuration on my Windows machine that prevents the download.

I also tried downloading from a different website that uses https and a Let's Encrypt certificate using cmake and there it worked without a problem. Apparently my Windows machine just doesn't like mysy2.org :eyes:

EDIT:
If I use the http mirror of msys2, then the download succeeds (as expected given that the problem is SSL related)

Okay interesting Detail: Trying to access https://repo.msys2.org using Internet Explorer fails as well (it can only access the http page)

@Krzmbrzl I can access that url on my machine.

I think I know what the problem is: https://repo.msys2.org is using TLS1.3 but my Windows doesn't seem to support TLS > 1.2. After some research I don't think that Windows 7 supports TLS 1.3 at all and I assume Firefox can access the webpage due to custom/internal TLS 1.3 support.

As a workaround I replaced all occurrences of https://repo.msys2.org with http://repo.msys2.org in the vcpkg directory. Now the download succeeds.
It's of course not an ideal solution as using HTTP instead of HTTPS is obviously less secure but for now it serves the purpose.

Thanks to everyone who took the time to look into my problem! :)

@JackBoosY do you think there's an easy way of detecting whether the connection failed due to an unsupported TLS version? If so it might be worth it to explicitly check for that and if this is the case vcpkg could provide an error message stating exactly what the problem is. That'd probably be clearer than "SSL connect error" :point_up:

@Krzmbrzl Yes, I think I can do that.

That'd be great, thank you! :)

I'm getting exactly the same error. Can't download the file via vcpkg, firefox nor wget. My appveyor CI build fails because of that.

@kpyrkosz See #13298 #13286.