[opam-devel] distfiles for ocaml.janestreet.com need an SSL upgrade

Dominick LoBraico dlobraico at janestreet.com
Sun Oct 4 15:52:26 BST 2015


I think this should be resolved (there were a couple of deprecated
cipher suites still enabled for this subdomain). My best guess is that
Apple has (reasonably) become more strict in which cipher suites it
will use in its "Common Crypto" OpenSSL replacement. Can you verify on
10.11?

Thanks for the report!

On Sun, Oct 4, 2015 at 10:41 AM, Dominick LoBraico <d at lobraico.com> wrote:
> Hmm, I can reproduce the error you're seeing on 10.10.4 as well but it's
> not clear to me that this is an SSLv3 issue.
>
> $ openssl s_client -connect ocaml.janestreet.com:443 -ssl3
> CONNECTED(00000003)
> 51476:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:1145:SSL
> alert number 40
> 51476:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:566:
>
> I'm investigating.
>
> On Sun, Oct 4, 2015 at 5:26 AM, Anil Madhavapeddy <anil at recoil.org> wrote:
>> (x-posting to opam-devel as an fyi in case anyone else runs into this)
>>
>> Using OSX 10.11 results in an SSLv3 error from the upstream distfile server
>> on ocaml.janestreet.com.  Could it please be reconfigured to use TLS 1.0 or
>> higher?  Workaround is to "brew install wget", which is less secure out of the box.
>>
>>   $ curl --write-out %{http_code}\n --insecure --retry 3 --retry-delay 2 -OL
>>     https://ocaml.janestreet.com/ocaml-core/113.00/files/sexplib-113.00.00.tar.gz
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>>   curl: (56) SSLRead() return error -9841
>>
>> Louis, this manifests as a hard-to-debug error, since the curl command line
>> doesn't seem to get output anywhere (even when using OPAMDEBUG=1).  Is there
>> some other way than modifying the OPAM source code to see all the commands
>> that are being shelled out?
>>
>> -anil
>>
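As an added illustration (this is not code from the thread, from Jane Street or from opam), the Python script below simulates the cipher-suite negotiation behind the "SSL alert number 40" seen in the s_client output: the server picks the first suite it prefers that the client also offered, and with no overlap it sends a fatal handshake_failure alert, which is what a client sees when it has dropped deprecated suites and the server still has only those enabled. The server and client suite lists are constructed for the example; the cipher-suite code points and alert numbers are the real IANA/RFC 5246 values.

```python
"""Simulated TLS cipher-suite negotiation and the handshake_failure alert.

Added example, not code from the mailing-list thread or from Jane Street / opam.
The LEGACY_SERVER, MODERN_CLIENT and UPGRADED_SERVER lists are constructed.
"""
import struct

# Real IANA TLS cipher-suite code points.
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

# TLS record content type and alert constants (RFC 5246 section 7.2).
CONTENT_ALERT = 21
ALERT_FATAL = 2
HANDSHAKE_FAILURE = 40  # the "alert number 40" reported by openssl s_client
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

# Suites a defender would want flagged in a server configuration.
DEPRECATED = {
    TLS_RSA_WITH_RC4_128_SHA: "RC4 (prohibited by RFC 7465)",
    TLS_RSA_WITH_3DES_EDE_CBC_SHA: "3DES (64-bit block cipher)",
}


def encode_cipher_suites(suites):
    """ClientHello cipher_suites vector: 2-byte length, then 2 bytes per suite."""
    return struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)


def decode_cipher_suites(data):
    """Inverse of encode_cipher_suites; the server parses this out of the ClientHello."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def alert_record(level, description, version=(3, 1)):
    """Alert record on the wire: content type, version, 2-byte length, level, description."""
    return struct.pack("!BBBH", CONTENT_ALERT, version[0], version[1], 2) + bytes([level, description])


def parse_alert_record(record):
    """Decode an alert record into a dict; this is what the failing client receives."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_ALERT or length != 2 or len(record) < 7:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    return {"version": (major, minor), "fatal": level == ALERT_FATAL,
            "description": desc, "name": ALERT_NAMES.get(desc, "unknown")}


def server_respond(server_suites, client_hello_suites):
    """Server side: select the first server-preferred suite the client also offered.
    With no overlap the server cannot negotiate security parameters, which is the
    case RFC 5246 7.2.2 defines the handshake_failure alert for."""
    offered = decode_cipher_suites(client_hello_suites)
    for suite in server_suites:
        if suite in offered:
            return ("ServerHello", suite)
    return ("Alert", alert_record(ALERT_FATAL, HANDSHAKE_FAILURE))


def negotiate(server_suites, client_suites):
    """Run both sides and report the outcome the way a client-side log would."""
    kind, payload = server_respond(server_suites, encode_cipher_suites(client_suites))
    if kind == "ServerHello":
        return "ServerHello: selected suite 0x%04x" % payload
    alert = parse_alert_record(payload)
    severity = "fatal" if alert["fatal"] else "warning"
    return "Alert: %s (number %d, %s)" % (alert["name"], alert["description"], severity)


def weak_suites(server_suites):
    """Configuration check: which enabled server suites are deprecated, and why."""
    return {s: DEPRECATED[s] for s in server_suites if s in DEPRECATED}


# Constructed configurations mirroring the situation in the thread.
LEGACY_SERVER = [TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
MODERN_CLIENT = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
UPGRADED_SERVER = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]

if __name__ == "__main__":
    print("weak suites enabled:", weak_suites(LEGACY_SERVER))
    print("before:", negotiate(LEGACY_SERVER, MODERN_CLIENT))
    print("after: ", negotiate(UPGRADED_SERVER, MODERN_CLIENT))
```

The point of the simulation is that "sslv3 alert handshake failure" names the alert's wire format (the alert type predates TLS 1.0), not necessarily the protocol version in use; the same alert is sent over a TLS 1.0 record when the suite lists simply do not intersect, which is why fixing the server's enabled suites resolves it.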

