It’s interesting that curl fails from my older MacBook Air, but passes on the
M1 iMac, both with OS 11 installed. Even after a clean reinstall. I suspect
it’s something about Apple’s openssl. Browsers don’t seem to mind the
certificate.
As a workaround, I’d like to add something like this:
# Darwin major below 21 (macOS 11 and earlier): the system curl fails the TLS
# handshake in this report, so fetch the distfile with the MacPorts curl port.
set check.os.major 21
if {${check.os.major} > ${os.major}} {
    depends_fetch-append port:curl
    fetch {
        system "${prefix}/bin/curl -L -o ${distpath}/${distfiles} ${master_sites}${distfiles}"
    }
}
Mark Brethen
[email protected]
> On Jul 17, 2022, at 8:49 AM, Mark Brethen <[email protected]> wrote:
>
> I think I’m getting to the root of the problem. I tried to obtain the SSL
> certificate from the host server using openssl.
>
> Downloads $ echo | openssl s_client -servername wias-berlin.de -connect wias-berlin.de:443 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
> verify return:1
> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
> verify return:1
> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
> verify return:1
> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
> verify return:1
> 4479426220:error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
> 4479426220:error:140080E5:SSL routines:CONNECT_CR_KEY_EXCH:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:585:
>
>
> I don’t get this error on the iMac with the same OS, same openssl versions.
>
> Mark
>
>
>
>> On Jul 15, 2022, at 1:44 PM, Mark Brethen <[email protected]> wrote:
>>
>> Maybe it’s openssl in /opt/local/bin? On the MacBook Air:
>>
>> ports $ which openssl
>> /opt/local/bin/openssl
>> ports $ openssl version
>> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>>
>> The iMac has /opt/local/bin/openssl 1.1.1
>>
>> /usr/bin/openssl is libressl 2.8.3 for both.
>>
>>
>> Mark Brethen
>> [email protected]
>>
>>
>>
>>> On Jul 15, 2022, at 1:32 PM, Mark Brethen <[email protected]> wrote:
>>>
>>> Heck if I know what’s wrong. Everything being equal, curl on the iMac
>>> works, but on the MacBook Air it does not. Both have the same OS, same curl
>>> version at /usr/bin, same cert.pem.
>>>
>>>
>>> Mark Brethen
>>> [email protected]
>>>
>>>
>>>
>>>> On Jul 15, 2022, at 11:42 AM, Mark Brethen <[email protected]> wrote:
>>>>
>>>> On the MacBook Air openssl is able to get the certificate
>>>>
>>>> Downloads $ openssl s_client -connect wias-berlin.de:443
>>>> CONNECTED(00000005)
>>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>> verify return:1
>>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>> verify return:1
>>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>> verify return:1
>>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>> verify return:1
>>>> ---
>>>> Certificate chain
>>>> 0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>> i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>> a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>>>> v:NotBefore: Aug 4 13:43:33 2021 GMT; NotAfter: Sep 4 13:43:33 2022 GMT
>>>> 1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>> i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>> v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>> 2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>> i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>> v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>> ---
>>>> Server certificate
>>>> -----BEGIN CERTIFICATE-----
>>>> <clip>
>>>> -----END CERTIFICATE-----
>>>> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>> issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>> ---
>>>> No client certificate CA names sent
>>>> Peer signing digest: SHA256
>>>> Peer signature type: RSA-PSS
>>>> Server Temp Key: X25519, 253 bits
>>>> ---
>>>> SSL handshake has read 5958 bytes and written 400 bytes
>>>> Verification: OK
>>>> ---
>>>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>>>> Server public key is 4096 bit
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> No ALPN negotiated
>>>> Early data was not sent
>>>> Verify return code: 0 (ok)
>>>> ---
>>>> ---
>>>> Post-Handshake New Session Ticket arrived:
>>>> SSL-Session:
>>>> Protocol : TLSv1.3
>>>> Cipher : TLS_AES_256_GCM_SHA384
>>>> Session-ID: 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
>>>> Session-ID-ctx:
>>>> Resumption PSK: A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
>>>> PSK identity: None
>>>> PSK identity hint: None
>>>> SRP username: None
>>>> TLS session ticket lifetime hint: 300 (seconds)
>>>> TLS session ticket:
>>>> 0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07   ..o.tMd.d3..L=W.
>>>> 0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9   .U.)..|Xz..H.z..
>>>>
>>>> Start Time: 1657903105
>>>> Timeout : 7200 (sec)
>>>> Verify return code: 0 (ok)
>>>> Extended master secret: no
>>>> Max Early Data: 0
>>>> ---
>>>> read R BLOCK
>>>> ---
>>>> Post-Handshake New Session Ticket arrived:
>>>> SSL-Session:
>>>> Protocol : TLSv1.3
>>>> Cipher : TLS_AES_256_GCM_SHA384
>>>> Session-ID: 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
>>>> Session-ID-ctx:
>>>> Resumption PSK: D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
>>>> PSK identity: None
>>>> PSK identity hint: None
>>>> SRP username: None
>>>> TLS session ticket lifetime hint: 300 (seconds)
>>>> TLS session ticket:
>>>> 0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4   ]..^z......f.RZ.
>>>> 0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9   "..x...9..Lc..M.
>>>>
>>>> Start Time: 1657903105
>>>> Timeout : 7200 (sec)
>>>> Verify return code: 0 (ok)
>>>> Extended master secret: no
>>>> Max Early Data: 0
>>>> ---
>>>> read R BLOCK
>>>> closed
>>>>
>>>> Mark Brethen
>>>> [email protected]
>>>>
>>>>
>>>>
>>>>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <[email protected]> wrote:
>>>>>
>>>>> On the iMac (OS 11.6.7):
>>>>>
>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>
>>>>> ~ $ /usr/bin/curl --version
>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport)
>>>>> LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>> Release-Date: 2019-03-27
>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile
>>>>> libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>
>>>>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
>>>>> % Total % Received % Xferd Average Speed Time Time Time Current
>>>>> Dload Upload Total Spent Left Speed
>>>>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 62.141.177.111...
>>>>> * TCP_NODELAY set
>>>>> * Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
>>>>> * ALPN, offering h2
>>>>> * ALPN, offering http/1.1
>>>>> * successfully set certificate verify locations:
>>>>> * CAfile: /etc/ssl/cert.pem
>>>>> CApath: none
>>>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>>> } [228 bytes data]
>>>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>>>> { [104 bytes data]
>>>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>>>> { [5152 bytes data]
>>>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>>>> { [556 bytes data]
>>>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>>>> { [4 bytes data]
>>>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>>>> } [37 bytes data]
>>>>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>>>>> } [1 bytes data]
>>>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>>>> } [16 bytes data]
>>>>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>>>>> { [1 bytes data]
>>>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>>>> { [16 bytes data]
>>>>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>>>>> * ALPN, server accepted to use http/1.1
>>>>> * Server certificate:
>>>>> * subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de
>>>>> * start date: Aug 4 13:43:33 2021 GMT
>>>>> * expire date: Sep 4 13:43:33 2022 GMT
>>>>> * subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
>>>>> * issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>>>>> * SSL certificate verify ok.
>>>>>> GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>>>>>> Host: wias-berlin.de
>>>>>> User-Agent: curl/7.64.1
>>>>>> Accept: */*
>>>>>>
>>>>> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0< HTTP/1.1 200 OK
>>>>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>>>>> < Server: Apache-Coyote/1.1
>>>>> < Strict-Transport-Security: max-age=63072000
>>>>> < Accept-Ranges: bytes
>>>>> < ETag: W/"282433-1534863100000"
>>>>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>>>>> < Content-Type: application/x-gzip
>>>>> < Content-Length: 282433
>>>>> <
>>>>> { [7906 bytes data]
>>>>> 100 275k 100 275k 0 0 156k 0 0:00:01 0:00:01 --:--:-- 156k
>>>>> * Connection #0 to host wias-berlin.de left intact
>>>>> * Closing connection 0
>>>>>
>>>>> Mark Brethen
>>>>> [email protected]
>>>>>
>>>>>
>>>>>
>>>>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <[email protected]> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>>>>> cert.pem has the same date
>>>>>>
>>>>>> very surprised ...
>>>>>>
>>>>>> and..... does the curl fetch also fail ?
>>>>>>
>>>>>>> Mark Brethen
>>>>>>> [email protected]
>>>>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <[email protected]> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>>>>> I checked Big Sur on my iMac, which came installed with Big Sur. It
>>>>>>>>> also has version 7.64.1.
>>>>>>>>
>>>>>>>> how old is the cert.pem file though ?
>>>>>>>>
>>>>>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>>>>>
>>>>>>>> I’m surprised MacPorts is using the native curl. Apple is notorious
>>>>>>>> for not updating to the latest versions of software with each new OS.
>>>>>>>>> Mark Brethen
>>>>>>>>> [email protected]
>>>>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>>>>>
>>>>>>>>>> The above could be your problem, as that is very old, 2.5 years or
>>>>>>>>>> so now. It actually pre-dates the public release of macOS 11, which
>>>>>>>>>> wasn't until November that year, which makes it quite suspicious...
>>>>>>>>>>
>>>>>>>>>> In comparison mine is from May this year, on macOS12. I would
>>>>>>>>>> imagine the same on macOS 11 to be much more up to date than the
>>>>>>>>>> above.
>>>>>>>>>>
>>>>>>>>>> This could be some relic of your big update from OSX10.13 to
>>>>>>>>>> macOS11...
>>>>>>>>>>
>>>>>>>>>> So, I am not sure how, but you need the above to be updated I
>>>>>>>>>> believe...
>>>>>>>>>>
>>>>>>>>>> Have you checked system update to make sure you are fully up to date
>>>>>>>>>> ?
>>>>>>>>>>
>>>>>>>>>> Chris
>>>>>>>>>>
>>>>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1
>>>>>>>>>>> (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>>>>> Release-Date: 2019-03-27
>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap
>>>>>>>>>>> ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos
>>>>>>>>>>> Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>>>>> Mark Brethen
>>>>>>>>>>> [email protected]
>>>>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/ssl/cert.pem
>>>>>
>>>>
>>>
>>
>
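As an added example that is not part of this thread, a small POSIX shell script that collects the facts the thread compared by hand between the two Macs: the `curl --version` line and the TLS backends named in it, every `openssl` on PATH with its version, the age of /etc/ssl/cert.pem, and, when given a hostname, an `openssl s_client` probe run once per TLS version so a handshake failure can be tied to one of them. The `--report` flag, the hostname argument and the one-year staleness threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: gather the TLS-relevant facts that the
# thread compared by hand (curl build and its SSL backends, openssl binaries
# on PATH, age of /etc/ssl/cert.pem) so the output of two Macs can be diffed.
# Usage (assumed interface): sh tls_report.sh --report [hostname]
# Pick the SSL backend tokens out of the first line of `curl --version`, e.g.
# "... (SecureTransport) LibreSSL/2.8.3 ..." -> "SecureTransport LibreSSL/2.8.3"
curl_tls_backends() {
    out=""
    for tok in $1; do
        case $tok in
            "(SecureTransport)"|"(Schannel)") tok=${tok#\(}; out="$out ${tok%\)}" ;;
            OpenSSL/*|LibreSSL/*|BoringSSL/*|GnuTLS/*) out="$out $tok" ;;
        esac
    done
    printf '%s\n' "${out# }"
}
# Whole days between a file's mtime and "now" (both epoch seconds).
bundle_age_days() { echo $(( ($2 - $1) / 86400 )); }
# Assumed threshold: a CA bundle more than a year old has missed root-store updates.
bundle_is_stale() { [ "$(bundle_age_days "$1" "$2")" -gt 365 ]; }
# mtime in epoch seconds; BSD stat (macOS) first, GNU stat as fallback.
file_mtime() { stat -f %m "$1" 2>/dev/null || stat -c %Y "$1"; }

tls_report() {
    host=$1
    first=$(curl --version 2>/dev/null | head -n 1)
    echo "curl:        ${first:-not found}"
    echo "tls backend: $(curl_tls_backends "$first")"
    # Every openssl on PATH in lookup order; the thread had two (MacPorts and Apple).
    IFS=:; for dir in $PATH; do
        [ -x "$dir/openssl" ] && echo "openssl:     $dir/openssl -> $("$dir/openssl" version)"
    done; unset IFS
    if [ -f /etc/ssl/cert.pem ]; then
        mt=$(file_mtime /etc/ssl/cert.pem); now=$(date +%s); flag=""
        bundle_is_stale "$mt" "$now" && flag=" (STALE: older than a year)"
        echo "cert.pem:    $(bundle_age_days "$mt" "$now") days old$flag"
    fi
    # Optional live probe, one TLS version at a time: a failure under only one
    # version localises an "alert handshake failure" to that version.
    [ -n "$host" ] || return 0
    for v in -tls1_2 -tls1_3; do
        printf 'probe %s: ' "$v"
        echo | openssl s_client -servername "$host" -connect "$host:443" "$v" 2>&1 |
            grep -E 'Protocol|Verify return code|alert|unknown option' | head -n 3 | paste -sd ' ' -
    done
}
case ${1-} in --report) tls_report "${2-}" ;; esac
```

Run it on each machine and diff the two outputs; the Jan 1 2020 cert.pem from the thread would come out as roughly 926 days old in July 2022 and be flagged stale.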