fetch timeout
Mark Brethen
mark.brethen at gmail.com
Fri Jul 15 18:32:45 UTC 2022
Heck if I know what’s wrong. Everything being equal, curl on the iMac works, but on the MacBook Air it does not. Both have the same OS, same curl version at /usr/bin, same cert.pem.
Mark Brethen
mark.brethen at gmail.com
> On Jul 15, 2022, at 11:42 AM, Mark Brethen <mark.brethen at gmail.com> wrote:
>
> On the MacBook Air openssl is able to get the certificate
>
> Downloads $ openssl s_client -connect wias-berlin.de:443
> CONNECTED(00000005)
> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
> verify return:1
> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
> verify return:1
> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
> verify return:1
> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
> verify return:1
> ---
> Certificate chain
> 0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
> i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
> a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
> v:NotBefore: Aug 4 13:43:33 2021 GMT; NotAfter: Sep 4 13:43:33 2022 GMT
> 1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
> i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
> v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
> 2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
> i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
> v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <clip>
> -----END CERTIFICATE-----
> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
> issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 5958 bytes and written 400 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
> Protocol : TLSv1.3
> Cipher : TLS_AES_256_GCM_SHA384
> Session-ID: 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
> Session-ID-ctx:
> Resumption PSK: A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 300 (seconds)
> TLS session ticket:
> 0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07 ..o.tMd.d3..L=W.
> 0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9 .U.)..|Xz..H.z..
>
> Start Time: 1657903105
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> Max Early Data: 0
> ---
> read R BLOCK
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
> Protocol : TLSv1.3
> Cipher : TLS_AES_256_GCM_SHA384
> Session-ID: 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
> Session-ID-ctx:
> Resumption PSK: D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 300 (seconds)
> TLS session ticket:
> 0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4 ]..^z......f.RZ.
> 0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9 "..x...9..Lc..M.
>
> Start Time: 1657903105
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> Max Early Data: 0
> ---
> read R BLOCK
> closed
>
> Mark Brethen
> mark.brethen at gmail.com
>
>
>
>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.brethen at gmail.com> wrote:
>>
>> On the iMac (OS 11.6.7):
>>
>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>
>> ~ $ /usr/bin/curl --version
>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>> Release-Date: 2019-03-27
>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>
>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
>> % Total % Received % Xferd Average Speed Time Time Time Current
>> Dload Upload Total Spent Left Speed
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 62.141.177.111...
>> * TCP_NODELAY set
>> * Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ssl/cert.pem
>> CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> } [228 bytes data]
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> { [104 bytes data]
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> { [5152 bytes data]
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> { [556 bytes data]
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> { [4 bytes data]
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> } [37 bytes data]
>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> } [1 bytes data]
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> } [16 bytes data]
>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>> { [1 bytes data]
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> { [16 bytes data]
>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>> * ALPN, server accepted to use http/1.1
>> * Server certificate:
>> * subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de
>> * start date: Aug 4 13:43:33 2021 GMT
>> * expire date: Sep 4 13:43:33 2022 GMT
>> * subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
>> * issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>> * SSL certificate verify ok.
>> > GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>> > Host: wias-berlin.de
>> > User-Agent: curl/7.64.1
>> > Accept: */*
>> >
>> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0< HTTP/1.1 200 OK
>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>> < Server: Apache-Coyote/1.1
>> < Strict-Transport-Security: max-age=63072000
>> < Accept-Ranges: bytes
>> < ETag: W/"282433-1534863100000"
>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>> < Content-Type: application/x-gzip
>> < Content-Length: 282433
>> <
>> { [7906 bytes data]
>> 100 275k 100 275k 0 0 156k 0 0:00:01 0:00:01 --:--:-- 156k
>> * Connection #0 to host wias-berlin.de left intact
>> * Closing connection 0
>>
>> Mark Brethen
>> mark.brethen at gmail.com
>>
>>
>>
>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>
>>>
>>>
>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>> cert.pem has the same date
>>>
>>> very surprised ...
>>>
>>> and..... does the curl fetch also fail ?
>>>
>>>> Mark Brethen
>>>> mark.brethen at gmail.com
>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>> I checked Big Sur on my iMac, which came installed with Big Sur. It also has version 7.64.1.
>>>>>
>>>>> how old is the cert.pem file though ?
>>>>>
>>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>>
>>>>> I’m surprised macports is using the native curl. Apple is notorious for not updating to the latest versions of software with each new OS.
>>>>>> Mark Brethen
>>>>>> mark.brethen at gmail.com
>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>>
>>>>>>> The above could be your problem, as that is very old, 2.5 years or so now. It actually pre-dates the public release of macOS 11, which wasn't until November that year, which makes it quite suspicious...
>>>>>>>
>>>>>>> In comparison mine is from May this year, on macOS12. I would imagine the same on macOS 11 to be much more up to date than the above.
>>>>>>>
>>>>>>> This could be some relic of your big update from OSX10.13 to macOS11...
>>>>>>>
>>>>>>> So, I am not sure how, but you need the above to be updated I believe...
>>>>>>>
>>>>>>> Have you checked system update to make sure you are fully up to date ?
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>> Release-Date: 2019-03-27
>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>> Mark Brethen
>>>>>>>> mark.brethen at gmail.com
>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>>>>>
>>>>>>>>> /etc/ssl/cert.pem
>>
>
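
An added example, not part of the original thread: the messages above compare the two Macs' /etc/ssl/cert.pem by the size and date shown in `ls -l`. This Python code compares two CA bundles by content instead, fingerprinting each certificate block so that a missing or extra root shows up directly. The sample bundles and the `fake_pem` helper are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate block in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def compare_bundles(pem_a, pem_b):
    """Compare two bundles by content rather than by size and mtime."""
    a, b = bundle_fingerprints(pem_a), bundle_fingerprints(pem_b)
    return {
        "identical_file": pem_a == pem_b,
        "same_cert_set": a == b,
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
    }

def fake_pem(payload):
    # Constructed stand-in: arbitrary bytes in PEM armour, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample bundles (hypothetical contents, for offline use).
ROOT_A, ROOT_B, ROOT_C = (
    fake_pem(n * 12) for n in (b"root-A.", b"root-B.", b"root-C."))
BUNDLE_IMAC = "# header comment\n" + ROOT_A + ROOT_B + ROOT_C
BUNDLE_AIR_REORDERED = ROOT_C + "\n" + ROOT_A + ROOT_B  # same certs, other order
BUNDLE_AIR_STALE = ROOT_A + ROOT_B                      # one root missing

if __name__ == "__main__":
    for name, other in (("reordered", BUNDLE_AIR_REORDERED),
                        ("stale", BUNDLE_AIR_STALE)):
        result = compare_bundles(BUNDLE_IMAC, other)
        print(name, result["same_cert_set"], len(result["only_in_a"]))
```

On real machines, read /etc/ssl/cert.pem from each one and pass the two strings to `compare_bundles`.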