[opam-devel] distfiles for ocaml.janestreet.com need an SSL upgrade

Dominick LoBraico d at lobraico.com
Sun Oct 4 15:41:29 BST 2015

Hmm, I can reproduce the error your seeing on 10.10.4 as well but it's
not clear to me that this is an SSLv3 issue.

$ openssl s_client -connect ocaml.janestreet.com:443 -ssl3
51476:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:1145:SSL
alert number 40
51476:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake

I'm investigating.

On Sun, Oct 4, 2015 at 5:26 AM, Anil Madhavapeddy <anil at recoil.org> wrote:
> (x-posting to opam-devel as an fyi in case anyone else runs into this)
> Using OSX 10.11 results in an SSLv3 error from the upstream distfile server
> on ocaml.janestreet.com.  Could it please be reconfigured to use TLS 1.0 or
> higher?  Workaround is to "brew install wget", which is less secure out of the box.
>   $ curl --write-out %{http_code}\n --insecure --retry 3 --retry-delay 2 -OL
>     https://ocaml.janestreet.com/ocaml-core/113.00/files/sexplib-113.00.00.tar.gz
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   curl: (56) SSLRead() return error -9841
> Louis, this manifests as a hard-to-debug error, since the curl command line
> doesn't seem to get output anywhere (even when using OPAMDEBUG=1).  Is there
> some other way than modifying the OPAM source code to see all the commands
> that are being shelled out?
> -anil
> --
> You received this message because you are subscribed to the Google Groups "ocaml-core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ocaml-core+unsubscribe at googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

More information about the opam-devel mailing list