Recent OpenSSL changes and CA certs
Zhenfu Shi
i0ntempest at macports.org
Wed Oct 13 05:05:58 UTC 2021
The axel port is also affected; it can't download anything that is https after this change.
Zhenfu
> On Oct 13, 2021, at 00:58, Aaron Madlon-Kay <amake at macports.org> wrote:
>
> Hi all.
>
> I know there are some important changes being made to the OpenSSL
> ports. Today I updated my ports and now have the following installed:
>
> % port installed name:openssl
> The following ports are currently installed:
> openssl @1.1_0 (active)
> openssl10 @1.0.2u_2 (active)
> openssl11 @1.1.1l_2 (active)
>
> Apparently as a result of this, my Ruby environment (managed by rbenv
> + ruby-build, both available as ports) seems to no longer be able to
> connect to HTTPS hosts.
>
> By some trial and error, I managed to find that symlinking the certs
> installed by the curl-ca-bundle port into the new "real" home of
> OpenSSL solved the problem:
>
> sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt \
>     /opt/local/libexec/openssl11/etc/openssl/cert.pem
>
> Can anyone point me to a better solution?
>
> I note that the Ruby OpenSSL module (built under the old OpenSSL port
> regime) is linked to /opt/local/lib/{libssl,libcrypto}.1.1.dylib. If I
> rebuild Ruby after updating to the new port regime, it is linked to
> /opt/local/libexec/openssl11/lib/{libssl,libcrypto}.1.1.dylib. Either
> way, SSL connections fail unless I symlink cert.pem as above. There
> are no apparent breakages in the linking itself.
>
> Thanks,
> Aaron
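
A diagnostic for the failure described in this thread, added here as an example and not part of any message in it: it reports which CA file and directory the libssl linked into Ruby will consult and whether each one is actually usable. The function names are hypothetical; `SSL_CERT_FILE` and `SSL_CERT_DIR` are OpenSSL's standard override variables, and the defaults come from the `OpenSSL::X509` constants.

```ruby
require 'openssl'

# Classify one CA bundle file the way a failing HTTPS client would find it.
def bundle_status(path)
  return :dangling_symlink if File.symlink?(path) && !File.exist?(path)
  return :missing unless File.file?(path)
  return :unreadable unless File.readable?(path)
  has_cert = File.foreach(path).any? { |l| l.start_with?('-----BEGIN CERTIFICATE-----') }
  has_cert ? :ok : :no_certificates
end

# A CA directory is only consulted through subject-hash names such as "4a6481c9.0".
# SSL_CERT_DIR may list several directories separated by the path separator.
def dir_status(paths)
  dirs = paths.split(File::PATH_SEPARATOR).select { |d| File.directory?(d) }
  return :missing if dirs.empty?
  hashed = dirs.any? { |d| Dir.children(d).any? { |f| f.match?(/\A[0-9a-f]{8}\.\d+\z/) } }
  hashed ? :ok : :no_hashed_certs
end

# The environment variables take precedence over the paths compiled into libssl.
def trust_store_report(env: ENV,
                       default_file: OpenSSL::X509::DEFAULT_CERT_FILE,
                       default_dir: OpenSSL::X509::DEFAULT_CERT_DIR)
  file = env['SSL_CERT_FILE'] || default_file
  dir  = env['SSL_CERT_DIR']  || default_dir
  report = {
    file: { path: file, from_env: env.key?('SSL_CERT_FILE'), status: bundle_status(file) },
    dir:  { path: dir,  from_env: env.key?('SSL_CERT_DIR'),  status: dir_status(dir) }
  }
  # Verification can succeed if either source yields trust anchors.
  report[:usable] = report[:file][:status] == :ok || report[:dir][:status] == :ok
  report
end

if $PROGRAM_NAME == __FILE__
  puts "linked libssl: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  r = trust_store_report
  %i[file dir].each do |k|
    origin = r[k][:from_env] ? 'environment' : 'compiled default'
    puts "CA #{k}: #{r[k][:path]} (#{origin}) -> #{r[k][:status]}"
  end
  puts r[:usable] ? 'trust store usable' : 'no usable trust anchors: HTTPS verification will fail'
end
```

Run it with the same Ruby that fails to connect, since the compiled default path depends on which OpenSSL that Ruby was built against.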