Gem busted on MacOS builds because of TLSv1 issue


#1

This morning we started seeing gem fail to build with this error:

Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert protocol version

I confirmed it was an OpenSSL version issue:

bash-3.2$ openssl s_client -connect rubygems.org:443
CONNECTED(00000003)
608:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:593:

In lieu of a system upgrade, we ended up using DYLD flags to point ruby at the homebrew-installed openssl version (which fixes it), but this is definitely a hack.

export HOMEBREW_OPENSSL_LIB=/usr/local/opt/openssl/lib
# Use the homebrew openssl 1.0
cp $HOMEBREW_OPENSSL_LIB/libcrypto.1.0.0.dylib $HOMEBREW_OPENSSL_LIB/libcrypto.0.9.8.dylib
cp $HOMEBREW_OPENSSL_LIB/libssl.1.0.0.dylib $HOMEBREW_OPENSSL_LIB/libssl.0.9.8.dylib
# Copy ruby to /tmp/ because we can't change DYLD flags on restricted bins
cp `which ruby` /tmp/ruby
# Run gem w/the homebrew lib
sudo DYLD_LIBRARY_PATH=/usr/local/opt/openssl/lib /tmp/ruby `which gem` install [...]

#2

Thanks for posting.

What version of Xcode are you using? And was this an issue on CircleCI 1 or 2?

Thanks,

Marc


#3

Seeing this too with a CI2.0 system. Not a single build works now.

Our CI gurus are away at present so really need step-by-step instructions on how to fix this.


#4

This is CircleCI 2 on Xcode 9.0


#5

Hello,

This is a known issue that will happen occasionally with rubygems.org. You can find more information and a solution here on their website:

https://guides.rubygems.org/ssl-certificate-update/#installing-using-update-packages


#6

Your bus number is presently zero, which is probably a business risk that needs addressing! :scream:


#7

I don’t think this is the same issue as you noted here. The error in my case is tlsv1 alert protocol version.
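
An added example, not part of any post in this thread: a small Ruby diagnostic that separates the two failure modes discussed above, the "alert protocol version" error from #1 versus the certificate-trust failure that the linked RubyGems guide addresses, and checks whether the linked SSL library can speak TLS 1.2. The function names and the sample version banners are constructed for illustration; the 1.0.1 threshold is the OpenSSL release that introduced TLS 1.2.

```ruby
# Added example: classify a RubyGems SSL failure and check the linked SSL library.
# Function names and sample banners are constructed, not taken from the thread.

# Parse "OpenSSL 0.9.8zh 14 Jan 2016" -> ["OpenSSL", [0, 9, 8]]; nil if unrecognized.
def parse_ssl_version(banner)
  m = banner.match(/\A(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)/)
  return nil unless m
  [m[1], [m[2].to_i, m[3].to_i, m[4].to_i]]
end

# TLS 1.2 support arrived in OpenSSL 1.0.1; every LibreSSL release has it.
def supports_tls12?(banner)
  name, ver = parse_ssl_version(banner)
  return false if name.nil?
  return true if name == "LibreSSL"
  (ver <=> [1, 0, 1]) >= 0
end

# Map the error text to its cause: protocol negotiation vs. certificate trust.
def classify_ssl_error(message)
  case message
  when /alert protocol version/i then :protocol_version
  when /certificate verify failed/i then :certificate
  else :other
  end
end

# Combine both checks into one verdict.
def diagnose(message, banner)
  case classify_ssl_error(message)
  when :protocol_version
    supports_tls12?(banner) ? :tls12_available_check_client_config : :ssl_library_too_old
  when :certificate
    :trust_store_problem
  else
    :unrecognized
  end
end

if __FILE__ == $PROGRAM_NAME
  begin
    require "openssl"
    banner = OpenSSL::OPENSSL_LIBRARY_VERSION # library Ruby is linked against at runtime
    puts "Linked library: #{banner} (TLS 1.2 capable: #{supports_tls12?(banner)})"
  rescue LoadError
    puts "This Ruby was built without the openssl extension"
  end
end
```

Run it with the same ruby binary that executes gem; a `:trust_store_problem` verdict is the case the certificate-update guide covers, while `:ssl_library_too_old` means the interpreter has to be linked against a newer SSL library.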

