Unable to download new models due to SSL handshake failure

[davidlyness]

Test device: MacBook Pro (M3 Pro), Sonoma 14.3.1

I've verified that this behaviour occurs across multiple devices and networks.

Steps to reproduce

1. Download the macOS M1/M2 build from the Downloads page.
2. Extract the DMG and open the application.
3. Choose "Download models..." from the dropdown.

Expected result

Dropdown populates with available models.

Actual result

SSL handshake error as in screenshot below:

I can reach https://translatelocally.com/models.json in my web browser without issue. The TLS certificate presented to my browser appears trusted, although it was issued 12 days ago so I'm not sure whether the translateLocally app is performing certificate pinning and would need its configuration or trust store updated.

[jelmervdl]

The linked models are hosted on statmt.org which had an expired certificate (they recently moved webserver and probably something went wrong with setting up the play to renewal bit)

Should be fixed now.

[davidlyness]

Unfortunately I still see this happening.

[bjepson]

A quick workaround is to download https://translatelocally.com/models.json somewhere, and then fire up a local web server (for example, python3 -m http.server 9000) and use the app settings to import the repository as something like http://localhost:9000/models.json:

[IIIIIIIllllllllIIIII]

happening still

[XapaJIaMnu]

Sorry about that. Will try to hopefully trigger a successful rebuild tonight and push it.

[XapaJIaMnu]

@Gitterman69 @davidlyness @bjepson could you try the latest release: https://github.com/XapaJIaMnu/translateLocally/releases/tag/latest

[shaul-pollak]

@Gitterman69 @davidlyness @bjepson could you try the latest release: https://github.com/XapaJIaMnu/translateLocally/releases/tag/latest

still happening

[bjepson]

I am also getting the same error (on macOS with an M1 using the translateLocally.macos-13.x86-64.dmg build. Oddly, I didn't get this error when I tried it on Windows.

Thanks,

Brian

[mroberts1]

I am having the exact same problem. MacoOS 12.7.5 (Monterey). SSL error as above.

[XapaJIaMnu]

It seems there's something broken with the github CI machines that we use to build the mac build and it compiles with broken SSL ;/

[bobdschingis]

Don't know if the source of the problem is the same, but i got similar messages on WSL Ubuntu 22:

1. Downloaded translateLocally-v0.0.2+27771d8-Ubuntu-22.04.AVX.deb
2. dpkg -i translateLocally-v0.0.2+27771d8-Ubuntu-22.04.AVX.deb

dpkg: dependency problems prevent configuration of translatelocally:
 translatelocally depends on libarchive13 (>= 3.0.4); however:
  Package libarchive13 is not installed.
 translatelocally depends on libqt6core6 (>= 6.2.0); however:
  Package libqt6core6 is not installed.
 translatelocally depends on libqt6gui6 (>= 6.1.2); however:
  Package libqt6gui6 is not installed.
 translatelocally depends on libqt6network6 (>= 6.1.2); however:
  Package libqt6network6 is not installed.
 translatelocally depends on libqt6svg6 (>= 6.2.0); however:
  Package libqt6svg6 is not installed.
 translatelocally depends on libqt6widgets6 (>= 6.2.0); however:
  Package libqt6widgets6 is not installed.

3. apt update
4. apt --fix-broken install
5. dpkg -i translateLocally-v0.0.2+27771d8-Ubuntu-22.04.AVX.deb

(Reading database ... 38886 files and directories currently installed.)
Preparing to unpack translateLocally-v0.0.2+27771d8-Ubuntu-22.04.AVX.deb ...
Unpacking translatelocally (0.0.2) over (0.0.2) ...
Setting up translatelocally (0.0.2) ...

6. translateLocally -a

qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: QSslSocket::connectToHostEncrypted: TLS initialization failed

7. translateLocally -d de-en-base

translateLocally -d de-en-base
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: No TLS backend is available
qt.network.ssl: No functional TLS backend was found
qt.network.ssl: QSslSocket::connectToHostEncrypted: TLS initialization failed
Unable to find 'de-en-base' in the list of available models. Available models:

Hope the information help.

[XapaJIaMnu]

@bobdschingis do you have openssl installed?

[bobdschingis]

@bobdschingis do you have openssl installed?

Yes, it's version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

ca-certificates is:
ca-certificates is already the newest version (20230311ubuntu0.22.04.1)

I can also get the models.json with wget from https://translatelocally.com/models.json as normal or root user.
It's also possible to connect with openssl to translatelocally.com as normal or root user:

openssl s_client -connect translatelocally.com:https

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = kheafield.com
verify return:1
---
Certificate chain
 0 s:CN = kheafield.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  2 18:31:29 2024 GMT; NotAfter: Aug 31 18:31:28 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEwjCCA6qgAwIBAgISBNFv5JmuRS0ASedH9vAG98gmMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA2MDIxODMxMjlaFw0yNDA4MzExODMxMjhaMBgxFjAUBgNVBAMT
DWtoZWFmaWVsZC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASQ7IkCVJD6
bhiLEinKRTfMALbjHmTccJowxbHYVkm2vc+5Jj/j1C0BCU4KmfTLtTg3C0rlDZ8g
ya5nZJSBmYtAo4ICtTCCArEwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSsZc4uT9RJ
hV6SXtGu+sviFZfeSzAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBV
BggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9y
ZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzCBvQYDVR0RBIG1
MIGygg1raGVhZmllbGQuY29tghVtdGEtc3RzLmtoZWFmaWVsZC5jb22CEW10YS1z
dHMubmV1cmFsLm10ggluZXVyYWwubXSCCnByaXZhdGUubXSCFHRyYW5zbGF0ZWxv
Y2FsbHkuY29tghF3d3cua2hlYWZpZWxkLmNvbYINd3d3Lm5ldXJhbC5tdIIOd3d3
LnByaXZhdGUubXSCGHd3dy50cmFuc2xhdGVsb2NhbGx5LmNvbTATBgNVHSAEDDAK
MAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AEiw42vapkc0D+Vq
AvqdMOscUgHLVt0sgdm7v6s52IRzAAABj9pvd40AAAQDAEcwRQIgXK/O+jOTpiR+
nV/rxfeFo5Pf5pd06Kf2LrpuV0lXQRUCIQCoWi89eoD6LF5iXH99sf1AVV/QGmeF
2or2bJSn5Rsm4QB2ABmYEHEJ8NZSLjCA0p4/ZLuDbijM+Q9Sju7fzko/FrTKAAAB
j9pvd6YAAAQDAEcwRQIgOuhdEPYni3NcUw2a9xnOWZR1uXR1Y/pc7W0pJ8FEJpYC
IQC3ovGCDvBRt2o9Mbtjzst00dKoUAOqO5IAcYv9GGDAujANBgkqhkiG9w0BAQsF
AAOCAQEACyi/bQL506VH+dKUt4Irk9oBomhG8S10CrJOq76Ure0T+4SsThQeeL2h
xGTfHBu2A/FhQ6tXxeMSycBwBPJFnN3sNadZ59U1Lwlaf7uD/R0MeCl48Y6omGTb
rBV1lF2XpCquYRmdy6psTap58ePydwRHlvkZZka2CXxqK3DxlY691kf+KUI1rxKf
cNcNU+z6b4HgSIKu3vWbqXQUCbtPzhJL7eoHhR9msIYDjcPi3itj6fF3Qos9LQ9V
/C67Avzn0WMkWPHJv5e6PP5II8CjawuKE0G5deDBw9SE4cIqa71S15DyGGBtTALG
dcky7GP4sHNpEjTX8GrngNRAn8r2Sg==
-----END CERTIFICATE-----
subject=CN = kheafield.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2907 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5D954D7A1FE64DD5C9059F37A8E148A532ECD8AEEDC9763C9BC3480BE94B242F
    Session-ID-ctx:
    Resumption PSK: 02ABECD2D7F672FB489883AAA1183F17DBAADC0B228F773E501FB4F9C122B68F278D0C8DC5223FF61F78395001AEA160
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 2b 08 f2 a0 48 34 fb 9a-44 f8 11 18 08 ba f6 55   +...H4..D......U
    0010 - 13 b6 d4 dc 24 6b f5 91-0e 73 ad d7 38 2c b8 16   ....$k...s..8,..

    Start Time: 1720278411
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 042F0A3D32A569239785A242FC2394161892E730E2754F4A9F6B094F5E959869
    Session-ID-ctx:
    Resumption PSK: C1D6B48635D7CF905BED22F7E0059E60560C7C10F5794AA851BEF35A7A1238CDB3F59632D1D086E4C2AA33FA6F3B3344
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 8c d7 c6 1f ee a3 96 2f-a3 15 ed fa 53 e1 3b e0   ......./....S.;.
    0010 - 4d 0e 4f 5e 0c a6 4d b8-6b 3b 77 f3 e7 c2 36 87   M.O^..M.k;w...6.

    Start Time: 1720278412
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

My guess was that WSL tried to open the host with IPv6. Since WSL do not support IPv6. But domain has IPv4 and IPv6 address. I did a tcpdump for "translateLocally -d de-en-base" and host translatelocally.com but no packets are captured.

If i can test anything else plz let me know. Thanks for the support!

[XapaJIaMnu]

I am really not sure what's happening here and I don't have wsl machine to test. Could you try building from source on wsl?

Also does native Windows work any better?

[bobdschingis]

Sorry for the late response. Had not much time since my last post.

Also does native Windows work any better?

Yes, works great. Thanks for it 👍

I am really not sure what's happening here and I don't have wsl machine to test. Could you try building from source on wsl?

I will try and report. :-)