Gem busted on MacOS builds because of TLSv1 issue

This morning we started seeing gem fail to build with this error:

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert protocol version

I confirmed it was an openSSL version issue:

bash-3.2$ openssl s_client -connect rubygems.org:443
CONNECTED(00000003)
608:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:593:

In lieu of a system upgrade, we ended up using DYLD flags to point ruby at the homebrew-installed openssl version (which fixes it), but this is definitely a hack.

export HOMEBREW_OPENSSL_LIB=/usr/local/opt/openssl/lib
# Use the homebrew openssl 1.0
cp $HOMEBREW_OPENSSL_LIB/libcrypto.1.0.0.dylib $HOMEBREW_OPENSSL_LIB/libcrypto.0.9.8.dylib
cp $HOMEBREW_OPENSSL_LIB/libssl.1.0.0.dylib $HOMEBREW_OPENSSL_LIB/libssl.0.9.8.dylib
# Copy ruby to /tmp/ because we can't change DYLD flags on restricted bins
cp `which ruby` /tmp/ruby
# Run gem w/the homebrew lib
sudo DYLD_LIBRARY_PATH=/usr/local/opt/openssl/lib /tmp/ruby `which gem` install [...]

Thanks for posting.

What version of xcode are you using? And was this an issue on CircleCI 1 or 2?

Thanks,

Marc

1 Like

Seeing this too with a CI2.0 system. Not a single build works now.

Our CI gurus are away at present so really need step-by-step instructions on how to fix this

This is CircleCI 2 on Xcode 9.0

Hello,

This is a known issue that will happen occasionally with rubygems.org. You can find more information and a solution here on their website:

https://guides.rubygems.org/ssl-certificate-update/#installing-using-update-packages

Your bus number is presently zero, which is probably a business risk that needs addressing! :scream:

I don’t think this is the same issue as you noted here. The error in my case is tlsv1 alert protocol version.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.