Recent OpenSSL changes and CA certs

Zhenfu Shi i0ntempest at macports.org
Wed Oct 13 05:05:58 UTC 2021


The axel port is also affected; it can't download anything that is HTTPS after this change.

Zhenfu

> On Oct 13, 2021, at 00:58, Aaron Madlon-Kay <amake at macports.org> wrote:
> 
> Hi all.
> 
> I know there are some important changes being made to the OpenSSL
> ports. Today I updated my ports and now have the following installed:
> 
> % port installed name:openssl
> The following ports are currently installed:
>  openssl @1.1_0 (active)
>  openssl10 @1.0.2u_2 (active)
>  openssl11 @1.1.1l_2 (active)
> 
> Apparently as a result of this, my Ruby environment (managed by rbenv
> + ruby-build, both available as ports) seems to no longer be able to
> connect to HTTPS hosts.
> 
> By some trial and error, I managed to find that symlinking the certs
> installed by the curl-ca-bundle port into the new "real" home of
> OpenSSL solved the problem:
> 
> sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/libexec/openssl11/etc/openssl/cert.pem
> 
> Can anyone point me to a better solution?
> 
> I note that the Ruby OpenSSL module (built under the old OpenSSL port
> regime) is linked to /opt/local/lib/{libssl,libcrypto}.1.1.dylib. If I
> rebuild Ruby after updating to the new port regime, it is linked to
> /opt/local/libexec/openssl11/lib/{libssl,libcrypto}.1.1.dylib. Either
> way, SSL connections fail unless I symlink cert.pem as above. There
> are no apparent breakages in the linking itself.
> 
> Thanks,
> Aaron
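
A check for the condition described in this thread, added here as an example and not part of either message: it reads the OPENSSLDIR an openssl binary was built with and reports whether a default trust store (cert.pem or a non-empty certs/ directory) is actually present there. The function names and the --report switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an OpenSSL build's
# default trust store is populated. Function names are this example's own.

# Read `openssl version -d` output (OPENSSLDIR: "/some/dir") on stdin
# and print the directory.
parse_openssldir() {
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Classify the trust store under an OPENSSLDIR. Prints:
#   file   cert.pem is readable and holds at least one PEM certificate
#   dir    certs/ exists and is not empty
#   empty  neither of the above
# A dangling cert.pem symlink fails the -r test and is not counted as "file".
trust_store_state() {
    dir=$1
    if [ -r "$dir/cert.pem" ] &&
       grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/cert.pem"; then
        echo file
    elif [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        echo dir
    else
        echo empty
    fi
}

# Report for one openssl binary (default: the first on PATH).
report() {
    bin=${1:-openssl}
    dir=$("$bin" version -d 2>/dev/null | parse_openssldir)
    if [ -z "$dir" ]; then
        echo "$bin: could not determine OPENSSLDIR" >&2
        return 2
    fi
    state=$(trust_store_state "$dir")
    echo "$bin: OPENSSLDIR=$dir trust_store=$state"
    # These variables replace the compiled-in default file and directory.
    if [ -n "${SSL_CERT_FILE:-}" ]; then echo "  SSL_CERT_FILE=$SSL_CERT_FILE"; fi
    if [ -n "${SSL_CERT_DIR:-}" ]; then echo "  SSL_CERT_DIR=$SSL_CERT_DIR"; fi
    [ "$state" != empty ]
}

# Run only when asked: sh check.sh --report [path-to-openssl]
case "${1:-}" in
    --report) shift; report "$@" ;;
esac
```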
