I think this should be resolved (there were a couple of deprecated cipher suites still enabled for this subdomain). My best guess is that Apple has (reasonably) become more strict in which cipher suites it will use in its "Common Crypto" OpenSSL replacement. Can you verify on 10.11?
Thanks for the report!

On Sun, Oct 4, 2015 at 10:41 AM, Dominick LoBraico <[email protected]> wrote:
> Hmm, I can reproduce the error you're seeing on 10.10.4 as well but it's
> not clear to me that this is an SSLv3 issue.
>
> $ openssl s_client -connect ocaml.janestreet.com:443 -ssl3
> CONNECTED(00000003)
> 51476:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:1145:SSL alert number 40
> 51476:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:566:
>
> I'm investigating.
>
> On Sun, Oct 4, 2015 at 5:26 AM, Anil Madhavapeddy <[email protected]> wrote:
>> (x-posting to opam-devel as an fyi in case anyone else runs into this)
>>
>> Using OSX 10.11 results in an SSLv3 error from the upstream distfile server
>> on ocaml.janestreet.com. Could it please be reconfigured to use TLS 1.0 or
>> higher? Workaround is to "brew install wget", which is less secure out of
>> the box.
>>
>> $ curl --write-out %{http_code}\n --insecure --retry 3 --retry-delay 2 -OL https://ocaml.janestreet.com/ocaml-core/113.00/files/sexplib-113.00.00.tar.gz
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>> curl: (56) SSLRead() return error -9841
>>
>> Louis, this manifests as a hard-to-debug error, since the curl command line
>> doesn't seem to get output anywhere (even when using OPAMDEBUG=1). Is there
>> some other way than modifying the OPAM source code to see all the commands
>> that are being shelled out?
>>
>> -anil
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "ocaml-core" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
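Added example (not part of the original messages): a decoder for the two OpenSSL error-queue lines quoted in this thread. It shows that the first line records a TLS alert 40 sent by the server, which OpenSSL labels "sslv3 alert" whatever protocol version is in use. The function names are hypothetical, and the bit layout assumed is the one OpenSSL used before 3.0.

```python
import re

# Constructed sample: the two error lines quoted in the thread, unwrapped.
SAMPLE = [
    "51476:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:"
    "/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:1145:SSL alert number 40",
    "51476:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:"
    "/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:566:",
]

# Subset of TLS alert descriptions useful when triaging a failed handshake.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET

LINE_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def decode(line):
    """Split one error-queue line and unpack its 32-bit code (pre-3.0 layout)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an OpenSSL error-queue line")
    code = int(m["code"], 16)
    reason = code & 0xFFF
    return {
        "lib": code >> 24,            # 0x14 is the SSL library
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "text": m["reason"],
        # Reasons at or above the offset are alerts received from the peer.
        "peer_alert": reason - ALERT_REASON_OFFSET if reason >= ALERT_REASON_OFFSET else None,
    }

def triage(lines):
    """Report the first alert the peer sent, if any line records one."""
    for rec in map(decode, lines):
        if rec["peer_alert"] is not None:
            name = ALERTS.get(rec["peer_alert"], "unknown")
            return f"peer sent alert {rec['peer_alert']} ({name})"
    return "no peer alert recorded; failure was raised locally"

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode(line))
    print(triage(SAMPLE))
```

Alert 40 only says that the sender could not negotiate an acceptable set of security parameters, so a cipher-suite mismatch produces the same line as a rejected protocol version.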
