Hello! I ran into a weird issue with version checker today where all the Bitbucket-hosted mods fail the check, but a few that are hosted on GitHub don't have any issues. In addition, the Starsector version check fails with an SSLHandshakeException. Any idea where to even start with troubleshooting this?
Sadly this isn't something I can easily fix. It's not a Version Checker bug, it's due to the version of Java Starsector ships with lacking newer cryptographic ciphers. The GCM ciphers that Bitbucket now requires were only added in Java 8 and backported in 1.7.0_131 (which isn't publicly available), whereas Starsector ships with Java 1.7.0_79. I've looked into adding support for these ciphers manually, but a) that's absolute overkill for a tiny project like this, and b) it won't work due to mod classloader restrictions (short of asking users to modify files in their game install like in the old pre-1.6 days, which I really don't want to resort to again).
Considering this is the fourth time Bitbucket has made a change that breaks this mod in the last three years, plus the site's semi-frequent downtimes, I'd say the best solution would be for modders using Bitbucket for version file hosting to move to a different and more reliable service (such as GitHub, which hasn't caused a single issue in the six years this mod has been around), and for me to apologize for suggesting Bitbucket in the first place. 2014 was a different time, and GitHub's free version has long since become superior to Bitbucket's offering.
I'll finish moving my own mods' version files to GitHub tonight if I can. Any other mods with broken checks will require an update from their authors. I apologize for the inconvenience.
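For readers who want to confirm this diagnosis on their own machine, the following is an added example, not code from Version Checker or from any poster in this thread. It prints which TLS protocol versions and AES-GCM cipher suites the JRE running it supports and enables by default; the class name, helper names and the optional command-line list of server suites are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added diagnostic, not Version Checker code. Avoids Java 8 language
// features so it can be built for and run on an older JRE.
public class TlsCapabilityCheck {

    // Suites from `suites` whose name marks them as AES-GCM.
    static List<String> gcmOnly(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_GCM_")) out.add(s);
        }
        return out;
    }

    // Suites the server is said to accept that this JRE does not list.
    static List<String> missing(String[] wanted, String[] available) {
        List<String> have = Arrays.asList(available);
        List<String> out = new ArrayList<String>();
        for (String w : wanted) {
            if (!have.contains(w)) out.add(w);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("supported protocols : " + Arrays.toString(supported.getProtocols()));
        System.out.println("enabled protocols   : " + Arrays.toString(enabled.getProtocols()));
        System.out.println("GCM suites supported: " + gcmOnly(supported.getCipherSuites()));
        System.out.println("GCM suites enabled  : " + gcmOnly(enabled.getCipherSuites()));

        // Optional: pass the suite names the server accepts as arguments
        // (values come from the operator; none are taken from the thread).
        if (args.length > 0) {
            System.out.println("not supported here  : " + missing(args, supported.getCipherSuites()));
            System.out.println("not enabled here    : " + missing(args, enabled.getCipherSuites()));
        }
    }
}
```

Run it with the same JRE the game launches with, since a newer system-wide Java will report a different list. Any suite names passed as arguments must be in the Java (IANA) form, not OpenSSL's short names.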
Well, it's at least nice to know it's not some obscure networking issue on my end. Seeing as this error must have been popping up for people since earlier this month, has mod development mostly moved off these forums or what?
The cipher change actually only happened on the 24th, and possibly later than that (they're terrible about announcing dates then missing them). As for reports, for the last several months I've only been watching replies on my mod threads or on my GitHub. Yours is the first and only bug report that I've seen about this.
As we are not sending any sensitive data over, nor receiving any sensitive data (no authentication, no privacy-related data), there's no reason for encryption.
The HTTPS requirement is on Bitbucket's side. If you were to host a version file over a plain HTTP connection the mod would work just fine. Sites like Bitbucket and GitHub were chosen for most mods' hosting because this mod requires a site that allows you to link to the raw .version file (no ads, no redirects, no captchas after X number of requests), and allows you to edit said file without changing the URL. Source code hosting sites were among the few free options that met those requirements when this mod was released. I haven't looked into things since. If there's another site that meets said requirements, I'd love to hear about it.
Bump.
"Simple" solution would be to have a server acting as proxy for Bitbucket URLs:
>Set up a free tier Amazon server with a very simple node/whatever middleware
>Change the mod code to detect that if the URL to check is Bitbucket, instead query the free tier Amazon server with the Bitbucket URL (and other relevant payloads)
>The Amazon server middleware then queries Bitbucket over HTTPS, and then passes through the answer back to the mod
>Only open to a weird port to prevent some abuse
Users would only have to install a new version of Version Checker. Additionally, querying this 'proxy' server should only happen if the main call fails.
Unfortunately that goes against one of the main goals of this mod, which is to have it not be reliant on a central maintainer. Ideally Version Checker should continue to work in perpetuity with or without my presence. The only active maintenance required is keeping a single file up to date to track Starsector updates.
Of course, things haven't worked out quite how I'd hoped. As I said already, Bitbucket's broken things on their end four times now, not to mention Dropbox removing public links and breaking support for tons of mods in this project's infancy.
Oh well. C'est la vie.