Problems installing Homebrew on a new OS X installation (SSL error)

Have a fresh OS X installation here (new VM), and when trying to install Homebrew I just get an SSL error.

fatal: unable to access 'https://github.com/Homebrew/homebrew/': Unknown SSL protocol error in connection to github.com:-9847
Failed during: git fetch origin master:refs/remotes/origin/master -n --depth=1

This is the command I'm using:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Checked around a little bit and tried adding --insecure (or -k) and removing the s from https, but it doesn't seem to help. With --insecure I just get that the server aborted the SSL handshake.

Anybody have any idea what is wrong here? "xcode-select --install" has been run as well.

EDIT: Following the suggestion below I dumped the packets with tcpdump to a pcap file and opened that with tshark. From that I'm getting:

1 0.000000 MY_IP_REMOVED -> 192.30.252.130 TCP 78 49451→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=170479114 TSecr=0 SACK_PERM=1
2 0.128228 192.30.252.130 -> MY_IP_REMOVED TCP 78 443→49451 [SYN, ACK] Seq=0 Ack=1 Win=14240 Len=0 MSS=1436 SACK_PERM=1 TSval=2830778812 TSecr=170479114 WS=1024 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
3 0.128303 MY_IP_REMOVED -> 192.30.252.130 TCP 66 49451→443 [ACK] Seq=1 Ack=1 Win=132416 Len=0 TSval=170479237 TSecr=2830778812
4 0.150128 MY_IP_REMOVED -> 192.30.252.130 SSL 255 Client Hello
5 0.150913 192.30.252.130 -> MY_IP_REMOVED SSL 1158 Continuation Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
6 0.150916 192.30.252.130 -> 81.26.52.196 TCP 64 443→49451 [FIN, ACK] Seq=1101 Ack=190 Win=4237312 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
7 0.150961 MY_IP_REMOVED -> 192.30.252.130 TCP 66 49451→443 [ACK] Seq=190 Ack=1101 Win=131328 Len=0 TSval=170479257 TSecr=2830778812
8 0.150990 MY_IP_REMOVED -> 192.30.252.130 TCP 66 49451→443 [ACK] Seq=190 Ack=1102 Win=131328 Len=0 TSval=170479257 TSecr=2830778812
9 0.151046 MY_IP_REMOVED -> 192.30.252.130 TCP 66 49451→443 [FIN, ACK] Seq=190 Ack=1102 Win=132416 Len=0 TSval=170479257 TSecr=2830778812
10 0.151156 192.30.252.130 -> MY_IP_REMOVED TCP 64 443→49451 [RST] Seq=1102 Win=4237312 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

Upvotes: 3

Views: 3394

Answers (2)

Dag Høidahl

Reputation: 8345

If you just want a workaround to get Homebrew installed, you could try downloading its install script using another tool. E.g. like this:

$ python -c "import urllib ; urllib.urlretrieve('https://raw.githubusercontent.com/Homebrew/install/master/install', 'install.rb')"
$ ruby install.rb

Upvotes: 0

baf

Reputation: 4661

If this is a clean install of OS X I suspect the problem may be a rare issue (bug?) in SecureTransport that could be triggered by proxy or firewall settings somewhere on your route to github.

Your libcurl is compiled against Security.framework. The error code -9847 means Record overflow:

Value: –9847
Description: A record overflow occurred.
Available in OS X v10.3 and later.

The error may be pinpointed to this line in tls1Callouts.c. It seems that the client receives a record with unexpected length.

It might be related to a similar issue in gnutls:

There are several issues with TLS connections and the F5 firewall, and that looks like the case. That firewall terminates a TLS session if the client hello is between 256 and 512 bytes. If that is the case you can verify using wireshark.

The solution we adopted in later versions of gnutls is to add padding: https://gitlab.com/gnutls/gnutls/commit/b6d29bb1737f96ac44a8ef9cc9fe7f9837e20465

You could try to investigate further with tcpdump/wireshark (replace en0 with your interface name):

$ sudo tcpdump -i en0 -n -s 0 -B 524288 -w test.pcap port 443

View your pcap file in Wireshark (or capture directly in Wireshark) to get detailed info about each phase. There is a good explanation of SSL/TLS on www.sans.org. For comparison, my (successful) conversation goes like this:

$ tshark -r test.pcap
  1   0.000000   10.0.0.125 -> 192.30.252.129 TCP 78 51229→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=235773429 TSecr=0 SACK_PERM=1
  2   0.133049 192.30.252.129 -> 10.0.0.125   TCP 74 443→51229 [SYN, ACK] Seq=0 Ack=1 Win=14240 Len=0 MSS=1460 SACK_PERM=1 TSval=1851779047 TSecr=235773429 WS=1024
  3   0.133148   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=235773562 TSecr=1851779047
  4   0.138296   10.0.0.125 -> 192.30.252.129 SSL 255 Client Hello
  5   0.278168 192.30.252.129 -> 10.0.0.125   TLSv1.2 1490 Server Hello
  6   0.278567 192.30.252.129 -> 10.0.0.125   TLSv1.2 1490 Certificate
  7   0.278696   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=190 Ack=2849 Win=129632 Len=0 TSval=235773707 TSecr=1851779083
  8   0.278910 192.30.252.129 -> 10.0.0.125   TLSv1.2 399 Server Key Exchange
  9   0.278991   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=190 Ack=3182 Win=130720 Len=0 TSval=235773707 TSecr=1851779083
 10   0.339768   10.0.0.125 -> 192.30.252.129 TLSv1.2 141 Client Key Exchange
 11   0.551009 192.30.252.129 -> 10.0.0.125   TCP 66 443→51229 [ACK] Seq=3182 Ack=265 Win=15360 Len=0 TSval=1851779144 TSecr=235773767
 12   0.551185   10.0.0.125 -> 192.30.252.129 TLSv1.2 157 Change Cipher Spec, Encrypted Handshake Message
 13   0.688512 192.30.252.129 -> 10.0.0.125   TCP 66 443→51229 [ACK] Seq=3182 Ack=356 Win=15360 Len=0 TSval=1851779186 TSecr=235773977
 14   0.691643 192.30.252.129 -> 10.0.0.125   TLSv1.2 157 Change Cipher Spec, Encrypted Handshake Message
 15   0.691720   10.0.0.125 -> 192.30.252.129 TCP 66 51229→443 [ACK] Seq=356 Ack=3273 Win=130976 Len=0 TSval=235774117 TSecr=1851779186
 16   0.692351   10.0.0.125 -> 192.30.252.129 TLSv1.2 215 Application Data

If this is really the case a workaround for you might be to compile a custom libcurl with openssl support and make git use your new libcurl. Alternatively you could use ssh instead of https for connecting to github (if you have your public key registered at github).

Upvotes: 4
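
The two length checks discussed in the answer above, as an added example that is not part of the original answer and is not SecureTransport or gnutls code: reading the 5-byte TLS record header of whatever arrives after the Client Hello, and testing whether a Client Hello falls in the 256 to 512 byte range. The function names are hypothetical, the range is taken as inclusive on the record payload length (an assumption), the overflow bound is the RFC 5246 limit, and all sample bytes are constructed.

```python
import struct

# RFC 5246 upper bound on a record payload; longer means record_overflow.
MAX_RECORD = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_record_header(data):
    """Return (content_type, version, length) from the 5-byte record header."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    return struct.unpack("!BHH", data[:5])

def classify_reply(data):
    """Classify the first bytes received after the ClientHello was sent."""
    ctype, version, length = parse_record_header(data)
    if length > MAX_RECORD:          # length checked first: this example's choice
        return "record_overflow"
    if ctype not in CONTENT_TYPES or version >> 8 != 3:
        return "not_tls"
    return CONTENT_TYPES[ctype]

def client_hello_in_window(record, low=256, high=512):
    """True if record is a ClientHello whose payload length is in [low, high]."""
    ctype, _, length = parse_record_header(record)
    is_hello = ctype == 22 and len(record) > 5 and record[5] == 1
    return is_hello and low <= length <= high

def make_client_hello(body_len):
    """Constructed sample: ClientHello with a zero-filled body of body_len bytes."""
    handshake = b"\x01" + body_len.to_bytes(3, "big") + bytes(body_len)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # 189 bytes on the wire, like the Client Hello in the captures (Seq=1 -> Ack=190).
    for body in (180, 300):
        rec = make_client_hello(body)
        print(len(rec), "bytes, in window:", client_hello_in_window(rec))
    # Constructed replies: a TLS 1.2 handshake record header vs. plaintext bytes.
    for reply in (b"\x16\x03\x03\x00\x5d\x02", b"HTTP/1.1 403 Forbidden\r\n"):
        print(reply[:5], "->", classify_reply(reply))
```

Bytes that are not TLS at all can still trip the length check: the ASCII prefix `HTTP/` read as a record header yields a length field of 0x502F (20527), above the 18432-byte bound.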
