> On 17 Jul 2022, at 7:12 pm, Mark Brethen <mark.bret...@gmail.com> wrote:
>
> It’s interesting that curl fails from my older MacBook Air, but passes on the
> M1 iMac, both with OS 11 installed. Even after a clean reinstall. I suspect
> it’s something about Apple’s openssl. Browsers don’t seem to mind the
> certificate.

No, I very much doubt that is the case. If it were the case it would fail for you on both machines.

> As a workaround, I’d like to add something like this:
>
> set check.os.major 21
> if {${check.os.major} > ${os.major}} {
>     depends_fetch-append curl
>     fetch {
>         system "curl -L -o ${distpath}/${distfiles} ${master_sites}${distfiles}"
>     }
> }

It is not appropriate to add that to a port file when the origin of the issue is still not understood, and quite likely something specific to your setup.

Chris

>
> Mark Brethen
> mark.bret...@gmail.com
>
>
>> On Jul 17, 2022, at 8:49 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>
>> I think I’m getting to the root of the problem. I tried to obtain the SSL
>> certificate from the host server using openssl.
>>
>> Downloads $ echo | openssl s_client -servername wias-berlin.de -connect wias-berlin.de:443 |\
>>     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>> verify return:1
>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>> verify return:1
>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>> verify return:1
>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>> verify return:1
>> 4479426220:error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
>> 4479426220:error:140080E5:SSL routines:CONNECT_CR_KEY_EXCH:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:585:
>>
>> I don’t get this error on the iMac with the same OS, same openssl versions.
>>
>> Mark
>>
>>
>>> On Jul 15, 2022, at 1:44 PM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>
>>> Maybe it’s openssl in /opt/local/bin? On the MacBook Air:
>>>
>>> ports $ which openssl
>>> /opt/local/bin/openssl
>>> ports $ openssl version
>>> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>>>
>>> The iMac has /opt/local/bin/openssl 1.1.1
>>>
>>> /usr/bin/openssl is libressl 2.8.3 for both.
>>>
>>> Mark Brethen
>>> mark.bret...@gmail.com
>>>
>>>
>>>> On Jul 15, 2022, at 1:32 PM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>
>>>> Heck if I know what’s wrong. Everything being equal, curl on the iMac
>>>> works, but on the MacBook Air it does not. Both have the same OS, same
>>>> curl version at /usr/bin, same cert.pem.
>>>>
>>>> Mark Brethen
>>>> mark.bret...@gmail.com
>>>>
>>>>
>>>>> On Jul 15, 2022, at 11:42 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>>
>>>>> On the MacBook Air openssl is able to get the certificate
>>>>>
>>>>> Downloads $ openssl s_client -connect wias-berlin.de:443
>>>>> CONNECTED(00000005)
>>>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>> verify return:1
>>>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>> verify return:1
>>>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>> verify return:1
>>>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>> verify return:1
>>>>> ---
>>>>> Certificate chain
>>>>>  0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>>>>>    v:NotBefore: Aug  4 13:43:33 2021 GMT; NotAfter: Sep  4 13:43:33 2022 GMT
>>>>>  1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>>    v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>>>  2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>    i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>>    v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>>> ---
>>>>> Server certificate
>>>>> -----BEGIN CERTIFICATE-----
>>>>> <clip>
>>>>> -----END CERTIFICATE-----
>>>>> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>> issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> Peer signing digest: SHA256
>>>>> Peer signature type: RSA-PSS
>>>>> Server Temp Key: X25519, 253 bits
>>>>> ---
>>>>> SSL handshake has read 5958 bytes and written 400 bytes
>>>>> Verification: OK
>>>>> ---
>>>>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>>>>> Server public key is 4096 bit
>>>>> Secure Renegotiation IS NOT supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> No ALPN negotiated
>>>>> Early data was not sent
>>>>> Verify return code: 0 (ok)
>>>>> ---
>>>>> ---
>>>>> Post-Handshake New Session Ticket arrived:
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1.3
>>>>>     Cipher    : TLS_AES_256_GCM_SHA384
>>>>>     Session-ID: 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
>>>>>     Session-ID-ctx:
>>>>>     Resumption PSK: A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
>>>>>     PSK identity: None
>>>>>     PSK identity hint: None
>>>>>     SRP username: None
>>>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>>>     TLS session ticket:
>>>>>     0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07   ..o.tMd.d3..L=W.
>>>>>     0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9   .U.)..|Xz..H.z..
>>>>>
>>>>>     Start Time: 1657903105
>>>>>     Timeout   : 7200 (sec)
>>>>>     Verify return code: 0 (ok)
>>>>>     Extended master secret: no
>>>>>     Max Early Data: 0
>>>>> ---
>>>>> read R BLOCK
>>>>> ---
>>>>> Post-Handshake New Session Ticket arrived:
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1.3
>>>>>     Cipher    : TLS_AES_256_GCM_SHA384
>>>>>     Session-ID: 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
>>>>>     Session-ID-ctx:
>>>>>     Resumption PSK: D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
>>>>>     PSK identity: None
>>>>>     PSK identity hint: None
>>>>>     SRP username: None
>>>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>>>     TLS session ticket:
>>>>>     0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4   ]..^z......f.RZ.
>>>>>     0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9   "..x...9..Lc..M.
>>>>>
>>>>>     Start Time: 1657903105
>>>>>     Timeout   : 7200 (sec)
>>>>>     Verify return code: 0 (ok)
>>>>>     Extended master secret: no
>>>>>     Max Early Data: 0
>>>>> ---
>>>>> read R BLOCK
>>>>> closed
>>>>>
>>>>> Mark Brethen
>>>>> mark.bret...@gmail.com
>>>>>
>>>>>
>>>>>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>>>
>>>>>> On the iMac (OS 11.6.7):
>>>>>>
>>>>>> -rw-r--r--  1 root  wheel  346545 Jan  1  2020 cert.pem
>>>>>>
>>>>>> ~ $ /usr/bin/curl --version
>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>> Release-Date: 2019-03-27
>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>
>>>>>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
>>>>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>>>>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 62.141.177.111...
>>>>>> * TCP_NODELAY set
>>>>>> * Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
>>>>>> * ALPN, offering h2
>>>>>> * ALPN, offering http/1.1
>>>>>> * successfully set certificate verify locations:
>>>>>> *   CAfile: /etc/ssl/cert.pem
>>>>>>   CApath: none
>>>>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>>>> } [228 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>>>>> { [104 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>>>>> { [5152 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>>>>> { [556 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>>>>> { [4 bytes data]
>>>>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>>>>> } [37 bytes data]
>>>>>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>> } [1 bytes data]
>>>>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>>>>> } [16 bytes data]
>>>>>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>>>>>> { [1 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>>>>> { [16 bytes data]
>>>>>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>>>>>> * ALPN, server accepted to use http/1.1
>>>>>> * Server certificate:
>>>>>> *  subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de
>>>>>> *  start date: Aug  4 13:43:33 2021 GMT
>>>>>> *  expire date: Sep  4 13:43:33 2022 GMT
>>>>>> *  subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
>>>>>> *  issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>>>>>> *  SSL certificate verify ok.
>>>>>> > GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>>>>>> > Host: wias-berlin.de
>>>>>> > User-Agent: curl/7.64.1
>>>>>> > Accept: */*
>>>>>> >
>>>>>>   0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0< HTTP/1.1 200 OK
>>>>>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>>>>>> < Server: Apache-Coyote/1.1
>>>>>> < Strict-Transport-Security: max-age=63072000
>>>>>> < Accept-Ranges: bytes
>>>>>> < ETag: W/"282433-1534863100000"
>>>>>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>>>>>> < Content-Type: application/x-gzip
>>>>>> < Content-Length: 282433
>>>>>> <
>>>>>> { [7906 bytes data]
>>>>>> 100  275k  100  275k    0     0   156k      0  0:00:01  0:00:01 --:--:--  156k
>>>>>> * Connection #0 to host wias-berlin.de left intact
>>>>>> * Closing connection 0
>>>>>>
>>>>>> Mark Brethen
>>>>>> mark.bret...@gmail.com
>>>>>>
>>>>>>
>>>>>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>
>>>>>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>>>>>> cert.pem has the same date
>>>>>>>
>>>>>>> very surprised ...
>>>>>>>
>>>>>>> and..... does the curl fetch also fail?
>>>>>>>
>>>>>>>> Mark Brethen
>>>>>>>> mark.bret...@gmail.com
>>>>>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>
>>>>>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>>>>>> I checked Big Sur on my iMac, which came installed with Big Sur. It
>>>>>>>>>> also has version 7.64.1.
>>>>>>>>>
>>>>>>>>> how old is the cert.pem file though?
>>>>>>>>>
>>>>>>>>> Does the fetch using /usr/bin/curl work there or not?
>>>>>>>>>
>>>>>>>>> I’m surprised macports is using the native curl. Apple is notorious
>>>>>>>>> for not updating to the latest versions of software with each new OS.
>>>>>>>>>> Mark Brethen
>>>>>>>>>> mark.bret...@gmail.com
>>>>>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>>>>>> -rw-r--r--  1 root  wheel  346545 Jan  1  2020 cert.pem
>>>>>>>>>>>
>>>>>>>>>>> The above could be your problem, as that is very old, 2.5 years or
>>>>>>>>>>> so now. It actually pre-dates the public release of macOS 11, which
>>>>>>>>>>> wasn't until November that year, which makes it quite suspicious...
>>>>>>>>>>>
>>>>>>>>>>> In comparison mine is from May this year, on macOS 12. I would
>>>>>>>>>>> imagine the same on macOS 11 to be much more up to date than the
>>>>>>>>>>> above.
>>>>>>>>>>>
>>>>>>>>>>> This could be some relic of your big update from OS X 10.13 to
>>>>>>>>>>> macOS 11...
>>>>>>>>>>>
>>>>>>>>>>> So, I am not sure how, but you need the above to be updated I
>>>>>>>>>>> believe...
>>>>>>>>>>>
>>>>>>>>>>> Have you checked system update to make sure you are fully up to
>>>>>>>>>>> date?
>>>>>>>>>>>
>>>>>>>>>>> Chris
>>>>>>>>>>>
>>>>>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>>>>>> Release-Date: 2019-03-27
>>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>>>>>> Mark Brethen
>>>>>>>>>>>> mark.bret...@gmail.com
>>>>>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> /etc/ssl/cert.pem
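A small parser for the `openssl s_client` diagnostic output pasted throughout this thread, added here as an example and not code from the thread or from MacPorts. It separates a chain that fails verification from a chain that verifies but whose handshake the peer then aborts with a TLS alert (the alert-40 run quoted above), which tells you whether to look at the CA bundle or at the TLS stack doing the negotiation. The sample inputs are constructed, with the chain abridged.

```python
import re

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_RE = re.compile(r"^verify return:(\d+)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
PROTO_RE = re.compile(r"^New, (TLSv[\d.]+), Cipher is (\S+)$")
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}  # RFC 5246

def summarize_s_client(text):
    """Parse the diagnostic lines openssl s_client prints and classify the outcome."""
    chain, protocol, cipher, alert, pending = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DEPTH_RE.match(line):
            pending = (int(m.group(1)), m.group(2))  # paired with the next verify line
        elif (m := VERIFY_RE.match(line)) and pending:
            chain.append((pending[0], pending[1], m.group(1) == "1"))
            pending = None
        elif m := ALERT_RE.search(line):
            alert = int(m.group(1))
        elif m := PROTO_RE.match(line):
            protocol, cipher = m.group(1), m.group(2)
    chain_ok = bool(chain) and all(ok for _, _, ok in chain)
    if alert is None and protocol:
        verdict = "handshake completed"
    elif alert is not None and chain_ok:
        # Every certificate was accepted before the abort, so the CA bundle is not
        # what failed; compare the TLS stacks (which openssl binary) instead.
        verdict = "chain trusted, handshake aborted by peer"
    elif alert is not None:
        verdict = "handshake aborted, chain not verified"
    else:
        verdict = "incomplete output"
    return {"depths": [d for d, _, _ in chain], "chain_ok": chain_ok,
            "protocol": protocol, "cipher": cipher, "alert": alert,
            "alert_name": ALERT_NAMES.get(alert), "verdict": verdict}

# Constructed samples modelled on the two runs quoted in the thread (chain abridged).
CHAIN = """\
depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
verify return:1
depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., CN = www.wias-berlin.de
verify return:1
"""
OK_RUN = CHAIN + "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\nVerify return code: 0 (ok)\n"
FAILED_RUN = CHAIN + ("4479426220:error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:"
                      "sslv3 alert handshake failure:ssl_pkt.c:1200:SSL alert number 40\n")

if __name__ == "__main__":
    for name, run in (("iMac-style run", OK_RUN), ("MacBook-style run", FAILED_RUN)):
        print(name, summarize_s_client(run))
```

Pipe a real run in with `openssl s_client -servername HOST -connect HOST:443 2>&1 </dev/null` and feed the captured text to `summarize_s_client` to compare two machines side by side.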