fetch timeout
Christopher Jones
jonesc at hep.phy.cam.ac.uk
Mon Jul 18 08:21:08 UTC 2022
> On 17 Jul 2022, at 7:12 pm, Mark Brethen <mark.brethen at gmail.com> wrote:
>
> It’s interesting that curl fails from my older MacBook Air, but passes on the M1 iMac, both with OS 11 installed. Even after a clean reinstall. I suspect it’s something about Apple’s openssl. Browsers don’t seem to mind the certificate.
No, I very much doubt that is the case. If it where the case if would fail for you on both machines.
>
> As a work around, I’d like to add something like this:
>
> set check.os.major 21
> if {${check.os.major} > ${os.major}} {
> depends_fetch-append curl
> fetch {
> system "curl -L -o ${distpath}/${distfiles} ${master_sites}${distfiles}"
> }
> }
It is not appropriate to add that to a port file when the origin of the issue is still not understood, and quite likely something specific to your setup.
Chris
>
>
>
> Mark Brethen
> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>
>
>
>> On Jul 17, 2022, at 8:49 AM, Mark Brethen <mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>> wrote:
>>
>> I think I’m getting to the root of the problem. I tried to obtain the SSL certificate from the host server using openssl.
>>
>> Downloads $ echo | openssl s_client -servername wias-berlin.de <http://wias-berlin.de/> -connect wias-berlin.de:443 <http://wias-berlin.de:443/> |\
>> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>> verify return:1
>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>> verify return:1
>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>> verify return:1
>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de <http://www.wias-berlin.de/>
>> verify return:1
>> 4479426220:error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
>> 4479426220:error:140080E5:SSL routines:CONNECT_CR_KEY_EXCH:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:585:
>>
>>
>> I don’t get this error on the iMac with the same OS, same openssl versions.
>>
>> Mark
>>
>>
>>
>>> On Jul 15, 2022, at 1:44 PM, Mark Brethen <mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>> wrote:
>>>
>>> Maybe it’s openssl in /opt/local/bin? On the MacBook Air:
>>>
>>> ports $ which openssl
>>> /opt/local/bin/openssl
>>> ports $ openssl version
>>> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>>>
>>> The iMac has /opt/local/bin/openssl 1.1.1
>>>
>>> /usr/bin/openssl is libressl 2.8.3 for both.
>>>
>>>
>>> Mark Brethen
>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>>>
>>>
>>>
>>>> On Jul 15, 2022, at 1:32 PM, Mark Brethen <mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>> wrote:
>>>>
>>>> Heck if I know what’s wrong. Everything being equal, curl on the iMac works, but on the MacBook Air it does not. Both have the same OS, same curl version at /usr/bin, same cert.pem.
>>>>
>>>>
>>>> Mark Brethen
>>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>>>>
>>>>
>>>>
>>>>> On Jul 15, 2022, at 11:42 AM, Mark Brethen <mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>> wrote:
>>>>>
>>>>> On the MacBook Air openssl is able to get the certificate
>>>>>
>>>>> Downloads $ openssl s_client -connect wias-berlin.de:443 <http://wias-berlin.de:443/>
>>>>> CONNECTED(00000005)
>>>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>> verify return:1
>>>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>> verify return:1
>>>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>> verify return:1
>>>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de <http://www.wias-berlin.de/>
>>>>> verify return:1
>>>>> ---
>>>>> Certificate chain
>>>>> 0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de <http://www.wias-berlin.de/>
>>>>> i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>> a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>>>>> v:NotBefore: Aug 4 13:43:33 2021 GMT; NotAfter: Sep 4 13:43:33 2022 GMT
>>>>> 1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>> i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>> v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>>> 2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>> i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>> v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>>> ---
>>>>> Server certificate
>>>>> -----BEGIN CERTIFICATE-----
>>>>> <clip>
>>>>> -----END CERTIFICATE-----
>>>>> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de <http://www.wias-berlin.de/>
>>>>> issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> Peer signing digest: SHA256
>>>>> Peer signature type: RSA-PSS
>>>>> Server Temp Key: X25519, 253 bits
>>>>> ---
>>>>> SSL handshake has read 5958 bytes and written 400 bytes
>>>>> Verification: OK
>>>>> ---
>>>>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>>>>> Server public key is 4096 bit
>>>>> Secure Renegotiation IS NOT supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> No ALPN negotiated
>>>>> Early data was not sent
>>>>> Verify return code: 0 (ok)
>>>>> ---
>>>>> ---
>>>>> Post-Handshake New Session Ticket arrived:
>>>>> SSL-Session:
>>>>> Protocol : TLSv1.3
>>>>> Cipher : TLS_AES_256_GCM_SHA384
>>>>> Session-ID: 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
>>>>> Session-ID-ctx:
>>>>> Resumption PSK: A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
>>>>> PSK identity: None
>>>>> PSK identity hint: None
>>>>> SRP username: None
>>>>> TLS session ticket lifetime hint: 300 (seconds)
>>>>> TLS session ticket:
>>>>> 0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07 ..o.tMd.d3..L=W.
>>>>> 0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9 .U.)..|Xz..H.z..
>>>>>
>>>>> Start Time: 1657903105
>>>>> Timeout : 7200 (sec)
>>>>> Verify return code: 0 (ok)
>>>>> Extended master secret: no
>>>>> Max Early Data: 0
>>>>> ---
>>>>> read R BLOCK
>>>>> ---
>>>>> Post-Handshake New Session Ticket arrived:
>>>>> SSL-Session:
>>>>> Protocol : TLSv1.3
>>>>> Cipher : TLS_AES_256_GCM_SHA384
>>>>> Session-ID: 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
>>>>> Session-ID-ctx:
>>>>> Resumption PSK: D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
>>>>> PSK identity: None
>>>>> PSK identity hint: None
>>>>> SRP username: None
>>>>> TLS session ticket lifetime hint: 300 (seconds)
>>>>> TLS session ticket:
>>>>> 0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4 ]..^z......f.RZ.
>>>>> 0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9 "..x...9..Lc..M.
>>>>>
>>>>> Start Time: 1657903105
>>>>> Timeout : 7200 (sec)
>>>>> Verify return code: 0 (ok)
>>>>> Extended master secret: no
>>>>> Max Early Data: 0
>>>>> ---
>>>>> read R BLOCK
>>>>> closed
>>>>>
>>>>> Mark Brethen
>>>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>>>>>
>>>>>
>>>>>
>>>>>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>> wrote:
>>>>>>
>>>>>> On the Imac (OS 11.6.7):
>>>>>>
>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>
>>>>>> ~ $ /usr/bin/curl --version
>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>> Release-Date: 2019-03-27
>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>
>>>>>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz <https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz>
>>>>>> % Total % Received % Xferd Average Speed Time Time Time Current
>>>>>> Dload Upload Total Spent Left Speed
>>>>>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 62.141.177.111...
>>>>>> * TCP_NODELAY set
>>>>>> * Connected to wias-berlin.de <http://wias-berlin.de/> (62.141.177.111) port 443 (#0)
>>>>>> * ALPN, offering h2
>>>>>> * ALPN, offering http/1.1
>>>>>> * successfully set certificate verify locations:
>>>>>> * CAfile: /etc/ssl/cert.pem
>>>>>> CApath: none
>>>>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>>>> } [228 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>>>>> { [104 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>>>>> { [5152 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>>>>> { [556 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>>>>> { [4 bytes data]
>>>>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>>>>> } [37 bytes data]
>>>>>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>> } [1 bytes data]
>>>>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>>>>> } [16 bytes data]
>>>>>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>>>>>> { [1 bytes data]
>>>>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>>>>> { [16 bytes data]
>>>>>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>>>>>> * ALPN, server accepted to use http/1.1
>>>>>> * Server certificate:
>>>>>> * subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de <http://www.wias-berlin.de/>
>>>>>> * start date: Aug 4 13:43:33 2021 GMT
>>>>>> * expire date: Sep 4 13:43:33 2022 GMT
>>>>>> * subjectAltName: host "wias-berlin.de <http://wias-berlin.de/>" matched cert's "wias-berlin.de <http://wias-berlin.de/>"
>>>>>> * issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>>>>>> * SSL certificate verify ok.
>>>>>>> GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>>>>>>> Host: wias-berlin.de <http://wias-berlin.de/>
>>>>>>> User-Agent: curl/7.64.1
>>>>>>> Accept: */*
>>>>>>>
>>>>>> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0< HTTP/1.1 200 OK
>>>>>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>>>>>> < Server: Apache-Coyote/1.1
>>>>>> < Strict-Transport-Security: max-age=63072000
>>>>>> < Accept-Ranges: bytes
>>>>>> < ETag: W/"282433-1534863100000"
>>>>>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>>>>>> < Content-Type: application/x-gzip
>>>>>> < Content-Length: 282433
>>>>>> <
>>>>>> { [7906 bytes data]
>>>>>> 100 275k 100 275k 0 0 156k 0 0:00:01 0:00:01 --:--:-- 156k
>>>>>> * Connection #0 to host wias-berlin.de <http://wias-berlin.de/> left intact
>>>>>> * Closing connection 0
>>>>>>
>>>>>> Mark Brethen
>>>>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk <mailto:jonesc at hep.phy.cam.ac.uk>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>>>>>> cert.perm has the same date
>>>>>>>
>>>>>>> very surprised ...
>>>>>>>
>>>>>>> and..... does the curl fetch also fail ?
>>>>>>>
>>>>>>>> Mark Brethen
>>>>>>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>>>>>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk <mailto:jonesc at hep.phy.cam.ac.uk>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>>>>>> I checked big sur on my iMac, which came installed with big sur. It also has version 7.64.1.
>>>>>>>>>
>>>>>>>>> how old is the cert.pem file though ?
>>>>>>>>>
>>>>>>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>>>>>>
>>>>>>>>> I’m surprised macports is using the native curl. Apple is notorious for not updating to the latest versions of software with each new OS.
>>>>>>>>>> Mark Brethen
>>>>>>>>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>
>>>>>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk <mailto:jonesc at hep.phy.cam.ac.uk>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>>>>>>
>>>>>>>>>>> The above could be your problem, as that is very old, 2.5 years or so now. It actually pre-dates the public release of macOS 11, which wasn't until November that year, which makes it quite suspicious...
>>>>>>>>>>>
>>>>>>>>>>> In comparison mine is from May this year, on macOS12. I would imagine the same on macOS 11 to be much more up to date than the above.
>>>>>>>>>>>
>>>>>>>>>>> This could be some relic of your big update from OSX10.13 to macOS11...
>>>>>>>>>>>
>>>>>>>>>>> So, I am not sure how, but you need the above to be updated I believe...
>>>>>>>>>>>
>>>>>>>>>>> Have you checked system update to make sure you are fully up to date ?
>>>>>>>>>>>
>>>>>>>>>>> Chris
>>>>>>>>>>>
>>>>>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>>>>>> Release-Date: 2019-03-27
>>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>>>>>> Mark Brethen
>>>>>>>>>>>> mark.brethen at gmail.com <mailto:mark.brethen at gmail.com> <mailto:mark.brethen at gmail.com <mailto:mark.brethen at gmail.com>>
>>>>>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk <mailto:jonesc at hep.phy.cam.ac.uk> <mailto:jonesc at hep.phy.cam.ac.uk <mailto:jonesc at hep.phy.cam.ac.uk>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> /etc/ssl/cert.pem
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20220718/967c72c0/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1930 bytes
Desc: not available
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20220718/967c72c0/attachment-0001.bin>
More information about the macports-dev
mailing list