Recent OpenSSL changes and CA certs

Christopher Jones jonesc at hep.phy.cam.ac.uk
Wed Oct 13 08:45:11 UTC 2021


Hi,

> On 13 Oct 2021, at 9:41 am, Aaron Madlon-Kay <amake at macports.org> wrote:
> 
> Thanks. Two questions:
> 
> 1. Is it not a problem that the user may not have curl-ca-bundle
> installed? (I guess it would just be a dangling symlink and that's not
> a problem?)

I figured a dangling symlink was no worse than not having the file it pointed at anyway.

> 
> 2. Does openssl10 not need the same workaround?

Yes, and openssl3. Just doing some test builds on these before pushing them.

Chris

> 
> -Aaron
> 
> On Wed, Oct 13, 2021 at 5:35 PM Christopher Jones
> <jonesc at hep.phy.cam.ac.uk> wrote:
>> 
>> 
>> Should be addressed by
>> 
>> https://github.com/macports/macports-ports/commit/f972290289d1d8370b3ca69554cbcf046c7023fa
>> 
>> 
>> On 13 Oct 2021, at 9:21 am, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>> 
>> 
>> Sorry, forget the comment below, read it the wrong way around…
>> 
>> 
>> 
>> On 13 Oct 2021, at 9:00 am, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>> 
>> Hi,
>> 
>> How does
>> 
>> /opt/local/libexec/openssl11/etc/openssl/cert.pem
>> 
>> get created, as it's not actually part of the openssl11 port itself?
>> 
>> Oberon ~/Projects/MacPorts/ports > port contents openssl11 | grep cert.pem
>> Oberon ~/Projects/MacPorts/ports >
>> 
>> Chris
>> 
>> On 13 Oct 2021, at 5:58 am, Aaron Madlon-Kay <amake at macports.org> wrote:
>> 
>> Hi all.
>> 
>> I know there are some important changes being made to the OpenSSL
>> ports. Today I updated my ports and now have the following installed:
>> 
>> % port installed name:openssl
>> The following ports are currently installed:
>> openssl @1.1_0 (active)
>> openssl10 @1.0.2u_2 (active)
>> openssl11 @1.1.1l_2 (active)
>> 
>> Apparently as a result of this, my Ruby environment (managed by rbenv
>> + ruby-build, both available as ports) seems to no longer be able to
>> connect to HTTPS hosts.
>> 
>> By some trial and error, I managed to find that symlinking the certs
>> installed by the curl-ca-bundle port into the new "real" home of
>> OpenSSL solved the problem:
>> 
>> sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt \
>>     /opt/local/libexec/openssl11/etc/openssl/cert.pem
>> 
>> Can anyone point me to a better solution?
>> 
>> I note that the Ruby OpenSSL module (built under the old OpenSSL port
>> regime) is linked to /opt/local/lib/{libssl,libcrypto}.1.1.dylib. If I
>> rebuild Ruby after updating to the new port regime, it is linked to
>> /opt/local/libexec/openssl11/lib/{libssl,libcrypto}.1.1.dylib. Either
>> way, SSL connections fail unless I symlink cert.pem as above. There
>> are no apparent breakages in the linking itself.
>> 
>> Thanks,
>> Aaron
>> 
>> 
>> 
>> 
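
The dangling-symlink case raised in this thread can be told apart from a missing or empty CA file with a short check. This is an added example, not part of any message in the thread and not MacPorts code; the function name `ca_file_status` is made up for illustration, and the two default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the file an OpenSSL build
# would load as its default CA bundle.
# Prints one of: missing | dangling | no-certs | ok:<number of certificates>
ca_file_status() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        # Symlink exists but its target does not
        # (for example, curl-ca-bundle is not installed).
        echo "dangling"
        return 0
    fi
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    # Count PEM certificate headers. grep -c exits 1 on zero matches,
    # hence "|| true"; an unreadable file leaves count empty.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null || true)
    count=${count:-0}
    if [ "$count" -eq 0 ]; then
        echo "no-certs"
    else
        echo "ok:$count"
    fi
}

# Paths quoted in the thread; pass other paths as arguments to check those instead.
if [ "$#" -eq 0 ]; then
    set -- /opt/local/libexec/openssl11/etc/openssl/cert.pem \
           /opt/local/share/curl/curl-ca-bundle.crt
fi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(ca_file_status "$f")"
done
```

Any result other than `ok:<n>` for `cert.pem` means that OpenSSL build has no usable default trust anchors at that path, so HTTPS verification fails as described above.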
