<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><a href="https://trac.macports.org/ticket/61333" class="">https://trac.macports.org/ticket/61333</a> is an old ticket about mpstats not reporting on Tiger and Leopard. The problem also exists on Snow Leopard (not just certificates there) and as recently as Mojave (certificates). The general solution IMO is that mpstats should depend on the curl port and always use that version of curl and not the OS version. I added a comment to that effect. I don't know how to change the keywords to add later OS versions up through Mojave, though.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 31, 2021, at 07:59, Richard L. Hamilton <<a href="mailto:rlhamil@smart.net" class="">rlhamil@smart.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><span style="font-size: 14px;" class="">I think you're onto something here. (color highlighting added, not in the original output)</span><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ # 10.14</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ /usr/bin/curl -sS <a href="https://ports.macports.org/" class="">https://ports.macports.org</a> >/dev/null</span></font></div><div class=""><font face="Andale Mono" color="#ff2600" class=""><span style="font-style: normal; font-size: 14px;" class="">curl: (60) SSL certificate problem: certificate has expired</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""># lines of advice in error message skipped here</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ /opt/local/bin/curl -sS <a href="https://ports.macports.org/" class="">https://ports.macports.org</a> >/dev/null</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ echo $?</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">0</span></font></div><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><span style="font-size: 14px;" class="">(the expired above isn't surprising since I haven't updated the root certificates on there)</span></div><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><span style="font-size: 14px;" class="">but</span></div><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><div class=""><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ # 10.6</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ /usr/bin/curl -sS <a href="https://ports.macports.org/" class="">https://ports.macports.org/</a> >/dev/null</span></font></div><div class=""><font face="Andale Mono" color="#ff2600" class=""><span style="font-style: normal; font-size: 14px;" class="">curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ /opt/local/bin/curl -sS <a href="https://ports.macports.org/" class="">https://ports.macports.org/</a> >/dev/null</span></font></div><div class=""><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">sh-3.2$ echo $?</span></font></div></div></div><div class=""><span style="font-family: "Andale Mono"; font-size: 14px;" class="">0</span></div><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><span style="font-size: 14px;" class="">On the 10.6, I <i class="">had</i> updated the root certificates...but the error is different; evidently there have been changes to the protocol and/or crypto used that merely updating the certificates does not fix. The MacPorts version of curl still works fine. Note that pointing Safari to that same URL (<a href="https://ports.macports.org/" class="">https://ports.macports.org/</a>) also fails with unable to establish secure connection. So on older systems, EVEN WITH CERTIFICATES UPDATED, browsing with a non-updated browser and/or one that uses system libcrypto will fail for various sites, as will various non-browser software that tries to establish TLS connections using system libcrypto.</span></div><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><span style="font-size: 14px;" class="">So if mpstats is failing on curl, it's not using the MacPorts version of curl. Which certainly would be distorting the stats against the poor suffering older OS version users, even if, knowing they're poor and suffering, they volunteer to provide stats.</span></div><div class=""><span style="font-size: 14px;" class=""><br class=""></span></div><div class=""><span style="font-size: 14px;" class="">IMO, it should check if ${prefix}/bin/curl is present and use it if it is, and only use the default if that isn't present - which in practice probably would never happen, because so many ports ultimately depend on the curl port. Interestingly it did NOT matter if PATH began with /opt/local/bin when mpstats was run, it still found the OS version rather than the MacPorts version.</span></div><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Oct 31, 2021, at 05:37, raf <<a href="mailto:macports@raf.org" class="">macports@raf.org</a>> wrote:</div><div class=""><div class=""><br class=""><br class="">Actually, something looks wierd with macports statistics.<br class=""><br class="">On 10.14:<br class=""><br class=""><blockquote type="cite" class="">/opt/local/libexec/mpstats submit<br class=""></blockquote> Submitting data to <a href="https://ports.macports.org/statistics/submit/" class="">https://ports.macports.org/statistics/submit/</a> ...<br class=""> Error: Peer certificate cannot be authenticated with given CA certificates<br class=""> while executing<br class=""> "curl post "submission\[data\]=$json" $stats_url"<br class=""><br class="">On 10.6:<br class=""><br class=""><blockquote type="cite" class="">/opt/local/libexec/mpstats submit<br class=""></blockquote> Submitting data to <a href="https://ports.macports.org/statistics/submit/" class="">https://ports.macports.org/statistics/submit/</a> ...<br class=""> Error: SSL connect error<br class=""> while executing<br class=""> "curl post "submission\[data\]=$json" $stats_url"<br class=""><br class="">It has a LetsEncrypt certificate but this should work. It should be macport's<br class="">curl that has its own CA bundle.<br class=""><br class="">The certificate chain does still contain "DST Root CA X3". I thought that<br class="">was getting removed.<br class=""><br class="">Anyway, it looks like I didn't manage to fix my system root certificates<br class="">after all, even though "ISRG Root X1" is installed (and "DST Root XA 3" is<br class="">manually trusted just to be extra sure). :-)<br class=""><br class="">/usr/bin/curl is still failing, and for some reason, mpstats must be using<br class="">/usr/bin/curl instead of /opt/local/bin/curl. That doesn't sound possible, but<br class="">that's what it looks like.<br class=""><br class="">According to check_for_app in /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl,<br class="">it looks like the curl that's used is the system one in /usr/bin.<br class=""><br class="">I think that means that macports does require the system root certificates<br class="">to be functional (for some things at least). Is anyone else on old systems<br class="">able to run "/opt/local/libexec/mpstats submit"? I read somewhere that errors<br class="">are silently ignored during automatic submission.<br class=""><br class="">Could this be why <a href="https://ports.macports.org/statistics/" class="">https://ports.macports.org/statistics/</a> shows almost nothing<br class="">for 10.{14,13,8,7,6,5,4}? Or are those numbers accurate?<br class=""><br class="">cheers,<br class="">raf<br class=""><br class=""></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">-- <br class="">eMail:<span class="Apple-tab-span" style="white-space: pre;"> </span><a href="mailto:rlhamil@smart.net" class="">mailto:rlhamil@smart.net</a></div><div class=""><br class=""></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<br class=""></div></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div>-- <br class="">eMail:<span class="Apple-tab-span" style="white-space: pre;"> </span><a href="mailto:rlhamil@smart.net" class="">mailto:rlhamil@smart.net</a></div><div><br class=""></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<br class=""></body></html>