LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443 #369

Closed
jiahut opened this issue Dec 20, 2017 · 20 comments

@jiahut

jiahut commented Dec 20, 2017

After upgrading macOS to macOS High Sierra 10.13.2,
a git clone like git clone github.com/xxx.git fails.
It prints LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

openssl version

LibreSSL 2.2.7

curl https://github.com -v

Rebuilt URL to: https://github.com/
*   Trying 192.30.255.112...
* TCP_NODELAY set
* Connected to github.com (192.30.255.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443
@kinichiro
Contributor

Can you try to connect with the openssl(1) command and provide the messages?

openssl s_client -connect github.com:443 -msg

On my Fedora 23 with LibreSSL 2.2.7, it succeeded like this.

...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 29A07BC07B34FB1D78022F118B6617139637D5023D51DBFB2B8B88F5648D0197
    Session-ID-ctx:
    Master-Key: 293F2AF8346DB066F2A24A96C6087B2375C338A38FD219809B50F91BC9F8423936FDC4EAEFAAE10A07053F1A8B7BAEC4
    Start Time: 1513771535
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

@jiahut
Author

jiahut commented Dec 21, 2017

@kinichiro

I typed the command line as you suggested; it prints:

CONNECTED(00000006)
>>> TLS 1.2 Handshake [length 0139], ClientHello
....
<<< TLS 1.2 Handshake [length 0059], ServerHello
....
<<< TLS 1.2 Handshake [length 0c44], Certificate
....
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
....
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
....
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
....
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
>>> TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c 8c 78 7c 8e aa 5d 60 58 61 fe 1d 46
<<< TLS 1.2 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c c1 91 61 89 c1 29 93 81 78 b2 85 3a
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3637 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F7C850814ABA66391BC1DB49B6600AD614A16D14FAB254327FE85CD79983FDB4
    Session-ID-ctx: 
    Master-Key: 94BFADFBCC264BE799D20A99340A75333B13001C9B97935A904083FD5A244A8B881256125898CA214F6392F9F302B4CB
    Start Time: 1513834752
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
<<< TLS 1.2 Alert [length 0002], warning close_notify
    01 00
closed
>>> TLS 1.2 Alert [length 0002], warning close_notify
    01 00

@kinichiro
Contributor

You could successfully connect with openssl(1) s_client, since it showed Verify return code: 0 (ok).
But your curl command failed during the SSL/TLS handshake phase, soon after sending "Client hello".
Are your openssl command and curl command linked to the same LibreSSL 2.2.7 library?
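
One way to check the question raised in the comment above, as an added example that is not part of the original thread: the script reads the TLS library named on the first line of curl --version and compares it with the output of openssl version. The function names are hypothetical, and the two sample lines are copied from outputs posted elsewhere in this thread by different users.

```sh
#!/bin/sh
# Added example (not from the thread): does curl use the same TLS library
# that the openssl(1) command reports? Function names are hypothetical.

# Print the TLS library token from the first line of `curl --version`.
tls_backend() {
    for tok in $1; do
        case "$tok" in
            LibreSSL/*|OpenSSL/*|SecureTransport) echo "$tok"; return 0 ;;
        esac
    done
    echo "unknown"
    return 1
}

# Normalise `openssl version` output ("LibreSSL 2.2.7") to "LibreSSL/2.2.7".
openssl_lib() {
    set -- $1
    echo "$1/$2"
}

# Succeed only when both lines name the same library and version.
same_tls_library() {
    [ "$(tls_backend "$1")" = "$(openssl_lib "$2")" ]
}

# Run the two binaries given as arguments and report the result.
compare_tools() {
    c=$("$1" --version | head -n 1)
    o=$("$2" version)
    if same_tls_library "$c" "$o"; then
        echo "same library: $(openssl_lib "$o")"
    else
        echo "different: $1 -> $(tls_backend "$c"), $2 -> $(openssl_lib "$o")"
        return 1
    fi
}

# Sample lines copied from outputs posted in this thread (different users).
SAMPLE_CURL='curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0'
SAMPLE_OPENSSL='LibreSSL 2.2.7'

if [ "$#" -eq 2 ]; then
    compare_tools "$1" "$2"          # e.g. /usr/bin/curl /usr/bin/openssl
else
    same_tls_library "$SAMPLE_CURL" "$SAMPLE_OPENSSL" ||
        echo "samples differ: $(tls_backend "$SAMPLE_CURL") vs $(openssl_lib "$SAMPLE_OPENSSL")"
fi
```

Run with two paths to compare real binaries; a curl built against SecureTransport reports no LibreSSL or OpenSSL version and always shows as different.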

@chengtengfei

I met the same issue, need help!!!

@akeschmidi

Same here 😩

@kinichiro
Contributor

kinichiro commented Jan 19, 2018 via email

@benoittgt

benoittgt commented Jan 22, 2018

I'm having the same issue with rust install.

Current installation options:

   default host triple: x86_64-apple-darwin
     default toolchain: stable
  modify PATH variable: yes

1) Proceed with installation (default)
2) Customize installation
3) Cancel installation
1

info: syncing channel updates for 'stable-x86_64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/Users/bti/.rustup/tmp/p6goif8zcrom0hl5_file'
info: caused by: error during download
info: caused by: [35] SSL connect error (LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to static.rust-lang.org:443 )

Curl version

curl --version
curl 7.57.0 (x86_64-apple-darwin17.2.0) libcurl/7.57.0 SecureTransport zlib/1.2.11

Osx 10.13.2

@benoittgt

I updated libressl, openssl and curl with brew and rebooted my machine. It's now working.

@4a6f656c
Contributor

@jiahut 2.2.7 is pretty old (May 3, 2016) - I'd strongly recommend upgrading to a current version and testing again.

@benoittgt Did that result in a newer version of libressl?

@jiahut
Author

jiahut commented Jan 29, 2018

@4a6f656c the macOS 10.13.3 system comes with LibreSSL 2.2.7 as default

@benoittgt

@4a6f656c I don't have the error anymore

@busterb
Contributor

busterb commented Jan 31, 2018

That's probably more of an Apple question, since whether macOS ships with a 1.5 year old version is a little out of our hands.

I'd also presume that Apple has local modifications and would largely be responsible for supporting the version that ships with the OS. I'm going to close this because we don't have much we can do on this end as upstream.

@busterb busterb closed this as completed Jan 31, 2018
@ghost

ghost commented Feb 8, 2018

I know this issue is closed, but just in case anyone happens upon it.

I can confirm this is still broken in macOS 10.13.3 with the following details from curl:
curl --version
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy
Workaround: install curl, libressl from brew and use the binary located at /usr/local/opt/curl/bin

@yujunz

yujunz commented Feb 11, 2018

I got the same error even after upgrading curl, libressl and openssl. It turns out to be an issue with the corporate HTTP proxy.

Leaving a note here in case somebody meets the same problem.

@akeschmidi

a note ;-)

@wizofe

wizofe commented Feb 24, 2018

Thanks @benoittgt, your solution worked like a charm. It seems I was missing libressl (ups!)

@Papamilo

Papamilo commented Feb 26, 2018

Hi guys, I got the same issue with Mac OS High Sierra 10.13.3:
LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443 when I try to clone a github repo or run any npm command
Even when I try to install brew like so /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" I get this too: curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to raw.githubusercontent.com:443
I also tried the alternative setup https://docs.brew.sh/Installation ... same ... if anyone has an idea

@AsceticBoy

@benoittgt What is your solution? Can you tell me step by step? I have some questions about installing Rust

@electriquo

electriquo commented Apr 20, 2018

I have installed libressl, openssl and curl using brew. Regardless of which curl I use, the original curl or the brewed curl, I get the SSL_ERROR_SYSCALL error

$ /usr/bin/curl --version
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy

$ /usr/bin/curl https://statics.teams.microsoft.com/production-osx/1.1.00.8752/Teams_osx.dmg > /tmp/test.file
curl: (56) LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54

$ /usr/local/opt/curl/bin/curl --version
curl 7.59.0 (x86_64-apple-darwin17.5.0) libcurl/7.59.0 OpenSSL/1.0.2o zlib/1.2.11 libidn2/2.0.4 nghttp2/1.31.1
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy

$ /usr/local/opt/curl/bin/curl https://statics.teams.microsoft.com/production-osx/1.1.00.8752/Teams_osx.dmg > /tmp/test.file
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54

I have no problem downloading the file using wget.
When I pass --no-alpn to curl it bypasses the issue.
Does anyone have a fix for it, without passing --no-alpn to curl?

@bob-beck
Contributor

bob-beck commented Apr 20, 2018 via email

@libressl libressl locked as off-topic and limited conversation to collaborators Apr 20, 2018