Recent OpenSSL changes and CA certs

Aaron Madlon-Kay amake at macports.org
Wed Oct 13 08:41:45 UTC 2021


Thanks. Two questions:

1. Is it not a problem that the user may not have curl-ca-bundle
installed? (I guess it would just be a dangling symlink and that's not
a problem?)

2. Does openssl10 not need the same workaround?

-Aaron

On Wed, Oct 13, 2021 at 5:35 PM Christopher Jones
<jonesc at hep.phy.cam.ac.uk> wrote:
>
>
> Should be addressed by
>
> https://github.com/macports/macports-ports/commit/f972290289d1d8370b3ca69554cbcf046c7023fa
>
>
> On 13 Oct 2021, at 9:21 am, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>
>
> Sorry, forget the comment below, read it the wrong way around…
>
>
>
> On 13 Oct 2021, at 9:00 am, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>
> Hi,
>
> How does
>
> /opt/local/libexec/openssl11/etc/openssl/cert.pem
>
> get created, as it's not actually part of the openssl11 port itself?
>
> Oberon ~/Projects/MacPorts/ports > port contents openssl11 | grep cert.pem
> Oberon ~/Projects/MacPorts/ports >
>
> Chris
>
> On 13 Oct 2021, at 5:58 am, Aaron Madlon-Kay <amake at macports.org> wrote:
>
> Hi all.
>
> I know there are some important changes being made to the OpenSSL
> ports. Today I updated my ports and now have the following installed:
>
> % port installed name:openssl
> The following ports are currently installed:
> openssl @1.1_0 (active)
> openssl10 @1.0.2u_2 (active)
> openssl11 @1.1.1l_2 (active)
>
> Apparently as a result of this, my Ruby environment (managed by rbenv
> + ruby-build, both available as ports) seems to no longer be able to
> connect to HTTPS hosts.
>
> By some trial and error, I managed to find that symlinking the certs
> installed by the curl-ca-bundle port into the new "real" home of
> OpenSSL solved the problem:
>
> sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt \
>     /opt/local/libexec/openssl11/etc/openssl/cert.pem
>
> Can anyone point me to a better solution?
>
> I note that the Ruby OpenSSL module (built under the old OpenSSL port
> regime) is linked to /opt/local/lib/{libssl,libcrypto}.1.1.dylib. If I
> rebuild Ruby after updating to the new port regime, it is linked to
> /opt/local/libexec/openssl11/lib/{libssl,libcrypto}.1.1.dylib. Either
> way, SSL connections fail unless I symlink cert.pem as above. There
> are no apparent breakages in the linking itself.
>
> Thanks,
> Aaron
>
>
>
>
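
Added example, not part of the original messages or of the MacPorts ports tree: a POSIX shell check that tells apart the states this thread raises for an OpenSSL default CA file (missing, dangling symlink, empty, no PEM certificates, usable). The function name `ca_file_state` is hypothetical; the two paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify the state of a CA bundle path such as the
# cert.pem discussed in the thread. ca_file_state is a hypothetical helper.
# Prints one word: dangling, missing, empty, no-certs or ok.
# Returns 0 only for "ok".
ca_file_state() {
    path=$1
    # A symlink whose target does not exist: -L is true, -e follows the
    # link and is false. This is the case when the link exists but the
    # port that provides the bundle is not installed.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo dangling
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo missing
        return 1
    fi
    # -s follows symlinks and is true only for a non-empty file.
    if [ ! -s "$path" ]; then
        echo empty
        return 1
    fi
    # A usable bundle contains at least one PEM certificate block.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
        echo no-certs
        return 1
    fi
    echo ok
}

# Paths taken from the thread. On a machine without MacPorts both
# report "missing".
for p in /opt/local/libexec/openssl11/etc/openssl/cert.pem \
         /opt/local/share/curl/curl-ca-bundle.crt; do
    state=$(ca_file_state "$p") || true
    printf '%s: %s\n' "$p" "$state"
done
```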


More information about the macports-dev mailing list