Problems installing Homebrew on fresh OS X installation (SSL error)

I have a fresh install of OS X (new virtual machine), and when trying to install Homebrew I just get an SSL error.

fatal: unable to access 'https://github.com/Homebrew/homebrew/': Unknown SSL protocol error in connection to github.com:-9847
Failed during: git fetch origin master:refs/remotes/origin/master -n --depth=1

      

This is the command I'm using:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

      

Checked a bit and tried adding --insecure (or -k) and removing the s from https, but it doesn't seem to help. With --insecure, I just get that the server has canceled the SSL handshake.

Does anyone know what is wrong here? "xcode-select --install" is also running.

EDIT: Following the suggestion below, I dumped the packets with tcpdump into a pcap file and opened it with tshark. From this I get:

 1 0.000000 MY_IP_REMOVED → 192.30.252.130 TCP 78 49451→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=170479114 TSecr=0 SACK_PERM=1
 2 0.128228 192.30.252.130 → MY_IP_REMOVED TCP 78 443→49451 [SYN, ACK] Seq=0 Ack=1 Win=14240 Len=0 MSS=1436 SACK_PERM=1 TSval=2830778812 TSecr=170479114 WS=1024 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
 3 0.128303 MY_IP_REMOVED → 192.30.252.130 TCP 66 49451→443 [ACK] Seq=1 Ack=1 Win=132416 Len=0 TSval=170479237 TSecr=2830778812
 4 0.150128 MY_IP_REMOVED → 192.30.252.130 SSL 255 Client Hello
 5 0.150913 192.30.252.130 → MY_IP_REMOVED SSL 1158 Data continuation [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
 6 0.150916 192.30.252.130 → 81.26.52.196 TCP 64 443→49451 [FIN, ACK] Seq=1101 Ack=190 Win=4237312 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
 7 0.150961 MY_IP_REMOVED → 192.30.252.130 TCP 66 49451→443 [ACK] Seq=190 Ack=1101 Win=131328 Len=0 TSval=170479257 TSecr=2830778812
 8 0.150990 MY_IP_REMOVED → 192.30.252.130 TCP 66 49451→443 [ACK] Seq=190 Ack=1102 Win=131328 Len=0 TSval=170479257 TSecr=2830778812
 9 0.151046 MY_IP_REMOVED → 192.30.252.130 TCP 66 49451→443 [FIN, ACK] Seq=190 Ack=1102 Win=132416 Len=0 TSval=170479257 TSecr=2830778812
10 0.151156 192.30.252.130 → MY_IP_REMOVED TCP 64 443→49451 [RST] Seq=1102 Win=4237312 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

+3




2 answers


If this is a clean install of OS X, I suspect the problem might be a rare issue (bug?) in SecureTransport that could be caused by proxy or firewall settings somewhere along your path to github.

Your libcurl is compiled against Security.framework. The error code -9847 means Record Overflow:

A record overflow occurred.
Value
–9847
Description
A record overflow occurred.
Available in OS X v10.3 and later.

      

The error can be listed on this line in tls1Callouts.c. The client seems to be receiving a record with an unexpected length.

This could be related to a similar issue in gnutls:

There are several problems with TLS connections and F5 firewalls, and this looks like one of them. This firewall ends the TLS session if the client hello is between 256 and 512 bytes. If so, you can check using wireshark.

The solution we made in later versions of gnutls is to add additions: https://gitlab.com/gnutls/gnutls/commit/b6d29bb1737f96ac44a8ef9cc9fe7f9837e20465



You can try to investigate further with tcpdump / wireshark (replace en0 with your interface name):

$ sudo tcpdump -i en0 -n -s 0 -B 524288 -w test.pcap port 443

      

View your pcap file in Wireshark (or write directly to Wireshark) for details on each phase. There is a good explanation of SSL/TLS at www.sans.org. For comparison, my (successful) conversation looks like this:

$ tshark -r test.pcap
  1   0.000000   10.0.0.125 -> 192.30.252.129 TCP 78 51229→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=235773429 TSecr=0 SACK_PERM=1
  2   0.133049 192.30.252.129 -> 10.0.0.125   TCP 74 443→51229 [SYN, ACK] Seq=0 Ack=1 Win=14240 Len=0 MSS=1460 SACK_PERM=1 TSval=1851779047 TSecr=235773429 WS=1024
  3   0.133148   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=235773562 TSecr=1851779047
  4   0.138296   10.0.0.125 -> 192.30.252.129 SSL 255 Client Hello
  5   0.278168 192.30.252.129 -> 10.0.0.125   TLSv1.2 1490 Server Hello
  6   0.278567 192.30.252.129 -> 10.0.0.125   TLSv1.2 1490 Certificate
  7   0.278696   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=190 Ack=2849 Win=129632 Len=0 TSval=235773707 TSecr=1851779083
  8   0.278910 192.30.252.129 -> 10.0.0.125   TLSv1.2 399 Server Key Exchange
  9   0.278991   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=190 Ack=3182 Win=130720 Len=0 TSval=235773707 TSecr=1851779083
 10   0.339768   10.0.0.125 -> 192.30.252.129 TLSv1.2 141 Client Key Exchange
 11   0.551009 192.30.252.129 -> 10.0.0.125   TCP 66 443→51229 [ACK] Seq=3182 Ack=265 Win=15360 Len=0 TSval=1851779144 TSecr=235773767
 12   0.551185   10.0.0.125 -> 192.30.252.129 TLSv1.2 157 Change Cipher Spec, Encrypted Handshake Message
 13   0.688512 192.30.252.129 -> 10.0.0.125   TCP 66 443→51229 [ACK] Seq=3182 Ack=356 Win=15360 Len=0 TSval=1851779186 TSecr=235773977
 14   0.691643 192.30.252.129 -> 10.0.0.125   TLSv1.2 157 Change Cipher Spec, Encrypted Handshake Message
 15   0.691720   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=356 Ack=3273 Win=130976 Len=0 TSval=235774117 TSecr=1851779186
 16   0.692351   10.0.0.125 -> 192.30.252.129 TLSv1.2 215 Application Data

      


If this is indeed the case, a workaround might be to compile a custom libcurl with openssl support and make git use your new libcurl. Alternatively, you can use ssh instead of https to connect to github (if you have the public key on github).

+4
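Added example (not part of the answer above, and not SecureTransport's code): a minimal TLS record-header check in Python showing how a reply that is not TLS gets read as an oversized record, plus the Client Hello size test the quoted gnutls note suggests, fed with the relative Seq values from the question's capture. The sample byte strings are constructed (the page does not show the server's actual bytes), and the version bound and the inclusive 256 to 512 window are assumptions.

```python
import struct

# RFC 5246 section 6.2: record = type(1) | version(2) | length(2) | fragment
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT = 2**14 + 2048  # largest TLSCiphertext.length RFC 5246 allows

# Constructed samples: a plausible Server Hello record header, and a plaintext
# reply standing in for whatever a proxy or firewall might send instead of TLS.
SERVER_HELLO_HEADER = bytes.fromhex("160303005d")
NON_TLS_REPLY = b"HTTP/1.1 403 Forbidden\r\n"


def record_header_problems(data):
    """List the reasons the first 5 bytes are not a plausible TLS record header."""
    if len(data) < 5:
        return ["fewer than 5 bytes, no complete record header"]
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    problems = []
    if ctype not in CONTENT_TYPES:
        problems.append(f"unknown content type 0x{ctype:02x}")
    if major != 3 or minor > 4:  # assumption: accept SSL 3.0 through TLS 1.3
        problems.append(f"unexpected version 0x{major:02x}{minor:02x}")
    if length > MAX_CIPHERTEXT:
        problems.append(f"record overflow: length {length} > {MAX_CIPHERTEXT}")
    return problems


def client_hello_bytes(seq_before, seq_after):
    """TLS bytes the client sent, from its relative TCP Seq before and after the hello."""
    return seq_after - seq_before


def in_reported_window(n, low=256, high=512):
    """True if a Client Hello of n bytes falls in the size range the gnutls note names."""
    return low <= n <= high


if __name__ == "__main__":
    print(record_header_problems(SERVER_HELLO_HEADER))
    print(record_header_problems(NON_TLS_REPLY))
    # Question's capture: client Seq=1 in frame 3, Seq=190 in frame 7.
    size = client_hello_bytes(1, 190)
    print(size, in_reported_window(size))
```

The letters "HTTP/" decode as content type 0x48, version 0x5454 and length 0x502f, which is how a plaintext reply on port 443 can surface as a record-length error rather than a readable message.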




If you want a workaround to get Homebrew installed, you can try downloading its install script using another tool. For example:



$ python -c "import urllib ; urllib.urlretrieve('https://raw.githubusercontent.com/Homebrew/install/master/install', 'install.rb')"
$ ruby install.rb

      

0








