Recent OpenSSL changes and CA certs

Chris Jones jonesc at hep.phy.cam.ac.uk
Wed Oct 13 20:16:21 UTC 2021


Ah yes, I know what’s wrong. Cannot right now but will address when I can.

> On 13 Oct 2021, at 4:25 pm, Blair Zajac <blair at orcaware.com> wrote:
> 
> Upgrading from before the latest changes now gets on the openssl port:
> 
> Error: Failed to activate openssl: Image error: /opt/local/etc/openssl/cert.pem is being used by the active curl-ca-bundle port.  Please deactivate this port first, or use 'port -f activate openssl' to force the activation.
> 
> Blair
> 
>> On Oct 13, 2021, at 1:45 AM, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>> 
>> Hi,
>> 
>>>> On 13 Oct 2021, at 9:41 am, Aaron Madlon-Kay <amake at macports.org> wrote:
>>> 
>>> Thanks. Two questions:
>>> 
>>> 1. Is it not a problem that the user may not have curl-ca-bundle
>>> installed? (I guess it would just be a dangling symlink and that's not
>>> a problem?)
>> 
>> I figured a dangling sym. link was no worse than anyway not having the file it pointed at.
>> 
>>> 
>>> 2. Does openssl10 not need the same workaround?
>> 
>> yes, and openssl3. Just doing some test builds on these before pushing them.
>> 
>> Chris
>> 
>>> 
>>> -Aaron
>>> 
>>> On Wed, Oct 13, 2021 at 5:35 PM Christopher Jones
>>> <jonesc at hep.phy.cam.ac.uk> wrote:
>>>> 
>>>> 
>>>> Should be addressed by
>>>> 
>>>> https://github.com/macports/macports-ports/commit/f972290289d1d8370b3ca69554cbcf046c7023fa
>>>> 
>>>> 
>>>> On 13 Oct 2021, at 9:21 am, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>> 
>>>> 
>>>> Sorry, forget the comment below, read it the wrong way around…
>>>> 
>>>> 
>>>> 
>>>> On 13 Oct 2021, at 9:00 am, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> Howe does
>>>> 
>>>> /opt/local/libexec/openssl11/etc/openssl/cert.pem
>>>> 
>>>> get created, as its not actually part of the openssl11 port itself ?
>>>> 
>>>> Oberon ~/Projects/MacPorts/ports > port contents openssl11 | grep cert.pem
>>>> Oberon ~/Projects/MacPorts/ports >
>>>> 
>>>> Chris
>>>> 
>>>> On 13 Oct 2021, at 5:58 am, Aaron Madlon-Kay <amake at macports.org> wrote:
>>>> 
>>>> Hi all.
>>>> 
>>>> I know there are some important changes being made to the OpenSSL
>>>> ports. Today I updated my ports and now have the following installed:
>>>> 
>>>> % port installed name:openssl
>>>> The following ports are currently installed:
>>>> openssl @1.1_0 (active)
>>>> openssl10 @1.0.2u_2 (active)
>>>> openssl11 @1.1.1l_2 (active)
>>>> 
>>>> Apparently as a result of this, my Ruby environment (managed by rbenv
>>>> + ruby-build, both available as ports) seems to no longer be able to
>>>> connect to HTTPS hosts.
>>>> 
>>>> By some trial and error, I managed to find that symlinking the certs
>>>> installed by the curl-ca-bundle port into the new "real" home of
>>>> OpenSSL solved the problem:
>>>> 
>>>> sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt
>>>> /opt/local/libexec/openssl11/etc/openssl/cert.pem
>>>> 
>>>> Can anyone point me to a better solution?
>>>> 
>>>> I note that the Ruby OpenSSL module (built under the old OpenSSL port
>>>> regime) is linked to /opt/local/lib/{libssl,libcrypto}.1.1.dylib. If I
>>>> rebuild Ruby after updating to the new port regime, it is linked to
>>>> /opt/local/libexec/openssl11/lib/{libssl,libcrypto}.1.1.dylib. Either
>>>> way, SSL connections fail unless I symlink cert.pem as above. There
>>>> are no apparent breakages in the linking itself.
>>>> 
>>>> Thanks,
>>>> Aaron
>>>> 
>>>> 
>>>> 
>>>> 
>> 
> 



More information about the macports-dev mailing list