fetch timeout

Mark Brethen mark.brethen at gmail.com
Mon Jul 18 13:11:13 UTC 2022


There is something fundamentally different between the OS 11 install on the Intel MacBook vs the M1 iMac. I even wiped clean the MacBook and reinstalled OS 11 and created a new admin account — no third party software installed. Apple's curl failed as before.

I compared MacPorts’ curl/openssl on the MacBook (note it is using curl-ca-bundle.crt):

Downloads $ which curl
/opt/local/bin/curl
Downloads $ curl -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 62.141.177.111:443...
* Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /opt/local/share/curl/curl-ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [21 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [5159 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de
*  start date: Aug  4 13:43:33 2021 GMT
*  expire date: Sep  4 13:43:33 2022 GMT
*  subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
*  issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
> Host: wias-berlin.de
> User-Agent: curl/7.84.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 18 Jul 2022 11:54:58 GMT
< Server: Apache-Coyote/1.1
< Strict-Transport-Security: max-age=63072000
< Accept-Ranges: bytes
< ETag: W/"282433-1534863100000"
< Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
< Content-Type: application/x-gzip
< Content-Length: 282433

/etc/ssl/cert.pem worked as well with curl 7.84.0. Note TLSv1.0 (OUT), TLS header, Certificate Status (22):. I also tried the curl-ca-bundle.crt with Apple’s curl:

Downloads $ /usr/bin/curl --cacert /opt/local/share/curl/curl-ca-bundle.crt -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 62.141.177.111...
* TCP_NODELAY set
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [59 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [6122 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure
 
Chrome has a 'Copy as cURL' feature so you can inspect what the browser is doing:

curl 'https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: JSESSIONID=45D13EF3D3A2EA7165891DDD8E42CF09' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --compressed

Although it downloaded the file, it noted this error:

Mixed Content: The site at 'https://wias-berlin.de/' was loaded over a secure connection, but the file at 'https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

So it may have something to do with this host in particular and the curl version; I don’t think it has anything to do with the cert files.



Mark Brethen
mark.brethen at gmail.com



> On Jul 18, 2022, at 3:21 AM, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
> 
> 
> 
>> On 17 Jul 2022, at 7:12 pm, Mark Brethen <mark.brethen at gmail.com> wrote:
>> 
>> It’s interesting that curl fails from my older MacBook Air, but passes on the M1 iMac, both with OS 11 installed. Even after a clean reinstall. I suspect it’s something about Apple’s openssl. Browsers don’t seem to mind the certificate.
> 
> No, I very much doubt that is the case. If it were the case it would fail for you on both machines.
> 
>> 
>> As a work around, I’d like to add something like this:
>> 
>> set check.os.major 21
>> if {${check.os.major} > ${os.major}} {
>>     depends_fetch-append curl
>>     fetch {
>>         system "curl -L -o ${distpath}/${distfiles} ${master_sites}${distfiles}"
>>     }
>> }
> 
> It is not appropriate to add that to a port file when the origin of the issue is still not understood, and quite likely something specific to your setup.
> 
> Chris
> 
>> 
>> 
>> 
>> Mark Brethen
>> mark.brethen at gmail.com
>> 
>> 
>> 
>>> On Jul 17, 2022, at 8:49 AM, Mark Brethen <mark.brethen at gmail.com> wrote:
>>> 
>>> I think I’m getting to the root of the problem. I tried to obtain the SSL certificate from the host server using openssl.
>>> 
>>> Downloads $ echo | openssl s_client -servername wias-berlin.de -connect wias-berlin.de:443 |\
>>>   sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>> verify return:1
>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>> verify return:1
>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>> verify return:1
>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>> verify return:1
>>> 4479426220:error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
>>> 4479426220:error:140080E5:SSL routines:CONNECT_CR_KEY_EXCH:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:585:
>>> 
>>> 
>>> I don’t get this error on the iMac with the same OS, same openssl versions.
>>> 
>>> Mark
>>> 
>>> 
>>> 
>>>> On Jul 15, 2022, at 1:44 PM, Mark Brethen <mark.brethen at gmail.com> wrote:
>>>> 
>>>> Maybe it’s openssl in /opt/local/bin? On the MacBook Air:
>>>> 
>>>> ports $ which openssl
>>>> /opt/local/bin/openssl
>>>> ports $ openssl version
>>>> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>>>> 
>>>> The iMac has /opt/local/bin/openssl 1.1.1
>>>> 
>>>> /usr/bin/openssl is libressl 2.8.3 for both.
>>>> 
>>>> 
>>>> Mark Brethen
>>>> mark.brethen at gmail.com
>>>> 
>>>> 
>>>> 
>>>>> On Jul 15, 2022, at 1:32 PM, Mark Brethen <mark.brethen at gmail.com> wrote:
>>>>> 
>>>>> Heck if I know what’s wrong. Everything being equal, curl on the iMac works, but on the MacBook Air it does not. Both have the same OS, same curl version at /usr/bin, same cert.pem.
>>>>> 
>>>>> 
>>>>> Mark Brethen
>>>>> mark.brethen at gmail.com
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jul 15, 2022, at 11:42 AM, Mark Brethen <mark.brethen at gmail.com> wrote:
>>>>>> 
>>>>>> On the MacBook Air openssl is able to get the certificate
>>>>>> 
>>>>>> Downloads $ openssl s_client -connect wias-berlin.de:443
>>>>>> CONNECTED(00000005)
>>>>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>>> verify return:1
>>>>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>> verify return:1
>>>>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>> verify return:1
>>>>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>>> verify return:1
>>>>>> ---
>>>>>> Certificate chain
>>>>>>  0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>>>>>>    v:NotBefore: Aug  4 13:43:33 2021 GMT; NotAfter: Sep  4 13:43:33 2022 GMT
>>>>>>  1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>>>    v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>>>>  2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>>    i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>>>    v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>>>>> ---
>>>>>> Server certificate
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> <clip>
>>>>>> -----END CERTIFICATE-----
>>>>>> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>>> issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>> ---
>>>>>> No client certificate CA names sent
>>>>>> Peer signing digest: SHA256
>>>>>> Peer signature type: RSA-PSS
>>>>>> Server Temp Key: X25519, 253 bits
>>>>>> ---
>>>>>> SSL handshake has read 5958 bytes and written 400 bytes
>>>>>> Verification: OK
>>>>>> ---
>>>>>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>>>>>> Server public key is 4096 bit
>>>>>> Secure Renegotiation IS NOT supported
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> No ALPN negotiated
>>>>>> Early data was not sent
>>>>>> Verify return code: 0 (ok)
>>>>>> ---
>>>>>> ---
>>>>>> Post-Handshake New Session Ticket arrived:
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1.3
>>>>>>     Cipher    : TLS_AES_256_GCM_SHA384
>>>>>>     Session-ID: 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
>>>>>>     Session-ID-ctx: 
>>>>>>     Resumption PSK: A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
>>>>>>     PSK identity: None
>>>>>>     PSK identity hint: None
>>>>>>     SRP username: None
>>>>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>>>>     TLS session ticket:
>>>>>>     0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07   ..o.tMd.d3..L=W.
>>>>>>     0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9   .U.)..|Xz..H.z..
>>>>>> 
>>>>>>     Start Time: 1657903105
>>>>>>     Timeout   : 7200 (sec)
>>>>>>     Verify return code: 0 (ok)
>>>>>>     Extended master secret: no
>>>>>>     Max Early Data: 0
>>>>>> ---
>>>>>> read R BLOCK
>>>>>> ---
>>>>>> Post-Handshake New Session Ticket arrived:
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1.3
>>>>>>     Cipher    : TLS_AES_256_GCM_SHA384
>>>>>>     Session-ID: 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
>>>>>>     Session-ID-ctx: 
>>>>>>     Resumption PSK: D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
>>>>>>     PSK identity: None
>>>>>>     PSK identity hint: None
>>>>>>     SRP username: None
>>>>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>>>>     TLS session ticket:
>>>>>>     0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4   ]..^z......f.RZ.
>>>>>>     0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9   "..x...9..Lc..M.
>>>>>> 
>>>>>>     Start Time: 1657903105
>>>>>>     Timeout   : 7200 (sec)
>>>>>>     Verify return code: 0 (ok)
>>>>>>     Extended master secret: no
>>>>>>     Max Early Data: 0
>>>>>> ---
>>>>>> read R BLOCK
>>>>>> closed
>>>>>> 
>>>>>> Mark Brethen
>>>>>> mark.brethen at gmail.com
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.brethen at gmail.com> wrote:
>>>>>>> 
>>>>>>> On the iMac (OS 11.6.7):
>>>>>>> 
>>>>>>> -rw-r--r--   1 root  wheel  346545 Jan  1  2020 cert.pem
>>>>>>> 
>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>> Release-Date: 2019-03-27
>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>> 
>>>>>>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
>>>>>>>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>>>>>                                 Dload  Upload   Total   Spent    Left  Speed
>>>>>>>  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 62.141.177.111...
>>>>>>> * TCP_NODELAY set
>>>>>>> * Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
>>>>>>> * ALPN, offering h2
>>>>>>> * ALPN, offering http/1.1
>>>>>>> * successfully set certificate verify locations:
>>>>>>> *   CAfile: /etc/ssl/cert.pem
>>>>>>>  CApath: none
>>>>>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>>>>> } [228 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>>>>>> { [104 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>>>>>> { [5152 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>>>>>> { [556 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>>>>>> { [4 bytes data]
>>>>>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>>>>>> } [37 bytes data]
>>>>>>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>>> } [1 bytes data]
>>>>>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>>>>>> } [16 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>>>>>>> { [1 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>>>>>> { [16 bytes data]
>>>>>>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>>>>>>> * ALPN, server accepted to use http/1.1
>>>>>>> * Server certificate:
>>>>>>> *  subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de
>>>>>>> *  start date: Aug  4 13:43:33 2021 GMT
>>>>>>> *  expire date: Sep  4 13:43:33 2022 GMT
>>>>>>> *  subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
>>>>>>> *  issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>>>>>>> *  SSL certificate verify ok.
>>>>>>>> GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>>>>>>>> Host: wias-berlin.de
>>>>>>>> User-Agent: curl/7.64.1
>>>>>>>> Accept: */*
>>>>>>>> 
>>>>>>>  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0< HTTP/1.1 200 OK
>>>>>>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>>>>>>> < Server: Apache-Coyote/1.1
>>>>>>> < Strict-Transport-Security: max-age=63072000
>>>>>>> < Accept-Ranges: bytes
>>>>>>> < ETag: W/"282433-1534863100000"
>>>>>>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>>>>>>> < Content-Type: application/x-gzip
>>>>>>> < Content-Length: 282433
>>>>>>> < 
>>>>>>> { [7906 bytes data]
>>>>>>> 100  275k  100  275k    0     0   156k      0  0:00:01  0:00:01 --:--:--  156k
>>>>>>> * Connection #0 to host wias-berlin.de left intact
>>>>>>> * Closing connection 0
>>>>>>> 
>>>>>>> Mark Brethen
>>>>>>> mark.brethen at gmail.com
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>>>>>>> cert.pem has the same date
>>>>>>>> 
>>>>>>>> very surprised ...
>>>>>>>> 
>>>>>>>> and..... does the curl fetch also fail ?
>>>>>>>> 
>>>>>>>>> Mark Brethen
>>>>>>>>> mark.brethen at gmail.com
>>>>>>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>>>>>>> I checked Big Sur on my iMac, which came installed with Big Sur. It also has version 7.64.1.
>>>>>>>>>> 
>>>>>>>>>> how old is the cert.pem file though ?
>>>>>>>>>> 
>>>>>>>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>>>>>>> 
>>>>>>>>>> I’m surprised MacPorts is using the native curl. Apple is notorious for not updating to the latest versions of software with each new OS.
>>>>>>>>>>> Mark Brethen
>>>>>>>>>>> mark.brethen at gmail.com
>>>>>>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>>>>>>> -rw-r--r--    1 root  wheel  346545 Jan  1  2020 cert.pem
>>>>>>>>>>>> 
>>>>>>>>>>>> The above could be your problem, as that is very old, 2.5 years or so now. It actually pre-dates the public release of macOS 11, which wasn't until November that year, which makes it quite suspicious...
>>>>>>>>>>>> 
>>>>>>>>>>>> In comparison mine is from May this year, on macOS12. I would imagine the same on macOS 11 to be much more up to date than the above.
>>>>>>>>>>>> 
>>>>>>>>>>>> This could be some relic of your big update from OSX10.13 to macOS11...
>>>>>>>>>>>> 
>>>>>>>>>>>> So, I am not sure how, but you need the above to be updated I believe...
>>>>>>>>>>>> 
>>>>>>>>>>>> Have you checked system update to make sure you are fully up to date ?
>>>>>>>>>>>> 
>>>>>>>>>>>> Chris
>>>>>>>>>>>> 
>>>>>>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>>>>>>> Release-Date: 2019-03-27
>>>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>>>>>>> Mark Brethen
>>>>>>>>>>>>> mark.brethen at gmail.com
>>>>>>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> /etc/ssl/cert.pem
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
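
An added example, not part of the original thread or of MacPorts: a small Python parser for `curl -v` handshake lines that compares a working and a failing trace and reports the first step where they differ. The two sample traces are excerpted from the /usr/bin/curl 7.64.1 outputs quoted in this message; the function names are this example's own.

```python
import re

# curl -v handshake line, e.g. "* TLSv1.2 (IN), TLS handshake, Server hello (2):"
EVENT = re.compile(r"\*\s+(TLSv[\d.]+) \((IN|OUT)\), TLS ([^,]+), (.+?) \((\d+)\):")
# the byte-count line curl prints right after it, e.g. "{ [59 bytes data]"
SIZE = re.compile(r"[{}] \[(\d+) bytes data\]")

# Excerpt of the working /usr/bin/curl trace quoted in this thread (iMac).
GOOD = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [104 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5152 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
"""
# Excerpt of the failing /usr/bin/curl trace quoted in this thread (MacBook).
BAD = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [59 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [6122 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
"""

def parse_trace(text):
    """Return the TLS events of a curl -v trace, each with its byte count."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)  # search: the progress meter may prefix the line
        if m:
            events.append({"dir": m[2], "kind": m[3], "msg": m[4], "bytes": None})
            continue
        s = SIZE.search(line)
        if s and events and events[-1]["bytes"] is None:
            events[-1]["bytes"] = int(s[1])
    return events

def first_divergence(good, bad):
    """Find the first step where the failing trace departs from the working one."""
    report = {"last_common": None, "expected": None, "got": None, "size_diffs": []}
    for g, b in zip(good, bad):
        if (g["dir"], g["msg"]) != (b["dir"], b["msg"]):
            report["expected"], report["got"] = g, b
            break
        report["last_common"] = g["msg"]
        if g["bytes"] != b["bytes"]:  # same message, different length
            report["size_diffs"].append((g["msg"], g["bytes"], b["bytes"]))
    else:  # no mismatch: one trace simply stops earlier than the other
        n = min(len(good), len(bad))
        report["expected"] = good[n] if len(good) > n else None
        report["got"] = bad[n] if len(bad) > n else None
    return report

if __name__ == "__main__":
    r = first_divergence(parse_trace(GOOD), parse_trace(BAD))
    print(r["last_common"], r["expected"]["msg"], r["got"]["msg"], r["size_diffs"])
```

On these excerpts the traces agree through Certificate, after which the working run receives Server key exchange and the failing run receives the alert; the Server hello and Certificate records also differ in length between the two machines.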
