Handshake Error – Connection Verify Failed

From @anubhaavofficial on February 7, 2018 4:19

URL: https://pub.dartlang.org/flutter

When using the Flutter Doctor command, I am getting the error (look at the screenshot). When I changed the environment variables to

PUB_HOSTED_URL=https://pub.flutter-io.cn
FLUTTER_STORAGE_BASE_URL=https://storage.flutter-io.cn

then the ‘pub’ command is working fine and I am able to install flutter correctly.

I am in India. This issue has persisted for the last 2-3 weeks, and I am not able to install pub packages from the default server.

Error: When using default server settings.

[Screenshot: flutterdoctor]

Success: When Using China Mirror

[Screenshot: flutternewdoctor]

Copied from original issue: dart-lang/pub-dev#966

Author: Fantashit

5 thoughts on “Handshake Error – Connection Verify Failed”

  1. Hello

    Where is the Dart’s/Flutter’s truststore file located in Windows?

    Is it possible to add the certificate to the flutter’s truststore like it is done for Java’s truststore (cacerts) using the keytool command or is there some other command?

    How to add a certificate PEM/CRT file to the trust store used by Flutter/Dart?

    Thanks.

  2. And just to add more information to this issue: If you are managing any NextGen firewall (Checkpoint, FortiGate, Palo Alto, Sophos…) at your company like me, you will face this issue if you have SSL Inspection enabled. That is also why this problem happens with some home antiviruses, because they have this feature enabled.

    It comes down to the point where creating SSL Inspection exceptions for “pub.dartlang.org” and “pub.dev” (god, why so many redirects) will not be enough, since it will in the end try to use “storage.googleapis.com” as the download URL for dart packages, and I will not create an exception for such a broad domain/URL.

  3. I used to get the same issue at work — I am behind a proxy that replaces some SSL certificates (but not all certificates) with its own self-signed certificates.

    This is my workaround that has worked so far.

    DISCLAIMER: USE AT YOUR OWN RISK
    If you don’t know how the following stuff works, then please ask the IT guys to help you with this.
    I don’t take responsibility if you break your stuff.

    • Open Control Panel > System > Advanced system settings > Advanced > Environment variables

    Create the SYSTEM environment variable JAVA_HOME with a value of
    C:\Program Files\Java\jre8
    Please make sure that this path matches the version of JAVA installed on your system.

    Add the following to the PATH environment variable

    %FLUTTER_ROOT%\bin
    %FLUTTER_ROOT%\.pub-cache\bin
    %JAVA_HOME%\bin
    
    • Get the intermediate and root certificates from your organization.

    This picture found on Google shows the certificate window in Chrome
    https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/8026086487/original/GIGDSVjjfl2OfD-Zt389RTM-K55bvjJtsw.png?1509568821
    Our proxy is sometimes replacing the certificate with another certificate with different root and intermediate certificates.
    By default our browsers are already configured to trust these certificates but other applications (such as Android Studio, Flutter, Unity) think that there’s a network misconfiguration.

    The intermediate and root certificates for your organization could be exported from a keystore (for example Java or Firefox) where they have been already added by your IT team (for example your company’s default browser).
    Our company also has an intranet website where the files are available for download in PEM format as well.

    • Create the folder “Dev_Certificates” in “C:\ProgramData”

    • Copy the downloaded certificates to “C:\ProgramData\Dev_Certificates”

    • Copy the “cacerts” file from “C:\Program Files\Java\jre8\lib\security” to “C:\ProgramData\Dev_Certificates”

    • Open the Command Prompt as Administrator and add the certificates to “C:\ProgramData\Dev_Certificates\cacerts” using the following

    keytool -import -alias CA-ALIAS-NAME-1 -file "C:\ProgramData\Dev_Certificates\YOUR-CA-CERTIFICATE-1.crt" -keystore C:\ProgramData\Dev_Certificates\cacerts -storepass changeit
    keytool -import -alias CA-ALIAS-NAME-2 -file "C:\ProgramData\Dev_Certificates\YOUR-CA-CERTIFICATE-2.crt" -keystore C:\ProgramData\Dev_Certificates\cacerts -storepass changeit
    

    and so on …. this must be repeated for the various certificates to add to the keystore copy.

    Any errors reporting that the certificate already exists can be safely ignored at this point.

    • Create an empty text file called “export-PEM-from-cacerts.bat” in “C:\ProgramData\Dev_Certificates”
    @echo off
    > cacerts.pem (
    	for /f "tokens=1 delims=," %%G in ('keytool -list -keystore cacerts -storepass changeit ^| findstr "trustedCertEntry"') do (
    		keytool -exportcert -keystore cacerts -alias "%%G" -storepass changeit -rfc
    	)
    )
    
    • Run “export-PEM-from-cacerts.bat” and wait for it to finish.
      After a minute or so, it should generate a file called “cacerts.pem”.
      This file contains all the certificates in PEM format.
      In my case this file contains 99 certificates.

    • Open Control Panel > System > Advanced system settings > Advanced > Environment variables

    Create the following USER environment variable DART_VM_OPTIONS with a value of
    --root-certs-file=C:/ProgramData/Dev_Certificates/cacerts.pem

    On top of this, I’ve also configured the USER environment variables HTTP_PROXY and HTTPS_PROXY with authentication and configured the gradle.properties used by Android Studio to use the modified keystore and the proxy http/https (not sure if this last one is required for flutter).

    Update: I just noticed that the certs-file must be encoded in UTF-8, otherwise it won’t work.
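
A structural check for the cacerts.pem bundle built by the steps above, including the UTF-8 requirement from the update; this is an added example, not part of the original comment or of the Dart SDK. The function names and sample bytes are constructed for illustration, and the check does not confirm that the certificates are the ones your organization issued.

```python
import base64
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def encoding_problem(raw: bytes):
    """Describe why the bytes are not plain UTF-8, or return None."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "UTF-16 byte-order mark"
    if b"\x00" in raw:
        return "NUL bytes (UTF-16 without a byte-order mark?)"
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8"
    return None

def check_bundle(raw: bytes) -> dict:
    """Structural check only: encoding, PEM framing, base64, outer DER tag."""
    problem = encoding_problem(raw)
    good, bad = 0, []
    if problem is None:
        for index, body in enumerate(PEM_BLOCK.findall(raw), start=1):
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:  # binascii.Error is a subclass of ValueError
                bad.append(index)
                continue
            # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
            if der[:1] == b"\x30":
                good += 1
            else:
                bad.append(index)
    return {"ok": problem is None and good > 0 and not bad,
            "problem": problem, "certificates": good, "bad_blocks": bad}

# Constructed sample data: a 5-byte DER SEQUENCE standing in for a certificate.
def _pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der)
            + b"\n-----END CERTIFICATE-----\n")

GOOD = _pem(b"\x30\x03\x02\x01\x01") * 2
AS_UTF16 = GOOD.decode("ascii").encode("utf-16")
DAMAGED = GOOD + b"-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD
    print(check_bundle(data))
```

Run it with the path to cacerts.pem as the only argument; the "certificates" count should match the number of trustedCertEntry aliases that keytool lists.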

  4. @sliechti asked

    How can I enable dart to use the default root store in windows?

    With https://dart-review.googlesource.com/c/sdk/+/159202 the dart vm always tries to use the Windows default root store, so no additional setup is needed.

    I tried with DART_VM_OPTIONS and it seems the argument is being ignored.

    The dart binary itself doesn’t use the DART_VM_OPTIONS environment variable – it only accepts options specified on the command line.
    DART_VM_OPTIONS is used and recognized by a few command line shell scripts from dart-sdk/bin like gen_kernel, dart2js, dartanalyzer, dartdevc, pub. Those scripts essentially feed the contents of DART_VM_OPTIONS to the dart binary via the command line.
