fetch timeout

Nils Breunese nils at breun.nl
Wed Jul 20 05:11:28 UTC 2022


Dave Allured - NOAA Affiliate via macports-dev <macports-dev at lists.macports.org> wrote:

> Several of us have now reproduced the SSL problem.  I see two things in common:
> (1)  Older curl/SSL versions bundled into older MacOS versions, such as Catalina.
> (2)  The target website, wias-berlin.de.
> 
> I suspect wias-berlin.de is misconfigured somehow.  Mark, consider showing this problem to them, and ask them to check their server configuration.

According to SSL Labs their server configuration is pretty good: https://www.ssllabs.com/ssltest/analyze.html?d=wias-berlin.de&hideResults=on reports an A-. The main remark in the report is that the server doesn’t support Secure Renegotiation, which causes the grade to be reduced to A-.

The server supports TLS 1.2 and 1.3 only. Not supporting broken SSL/TLS versions is generally a good thing from a security perspective, but might leave older clients unable to connect. E.g. macports.org also only supports TLS 1.2 and 1.3. As far as I know not supporting a compatible TLS version would have resulted in a message saying so, so I guess that is not the issue.

The report for wias-berlin.de does show a couple of SSL handshake failures for simulated clients:

* Chrome 67 / Win 7
* Firefox 62 / Win 7
* Googlebot Feb 2018
* IE 11 / Win Phone 8.1
* Edge 15-18 / Win 10
* OpenSSL 1.1.0k (but the older 1.0.1l and 1.0.2s and the newer 1.1.1c are ok!)
* Safari 6 / iOS 6.0.1
* Safari 7 / iOS 7.1
* Safari 7 / OS X 10.9
* Safari 8 / iOS 8.4
* Safari 8 / OS X 10.10 (tested versions of Safari 9 and later are ok)

SSL Labs doesn’t seem to be testing any versions of LibreSSL for the simulated handshake test, but I do find it remarkable that OpenSSL 1.1.0k fails, while both older (1.0.1l, 1.0.2s) and newer (1.1.1c) versions of OpenSSL succeed.

All of the simulated handshakes that failed for wias-berlin.de do succeed for macports.org. I don’t know if these handshake failures are caused by the server not offering any cipher suites supported by the client.

You could indeed try to contact the admin for wias-berlin.de to tell them that downloads from their domain are not working on macOS 11 Intel’s curl if that’s been established, and see if they know what to do (and care enough) to fix that.

The only other fix seems to be switching out the client for one that works (e.g. MacPorts curl).

Nils.
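
The message above separates two ways a handshake can fail: no TLS version in common, or a shared version with no cipher suite in common. The sketch below is an added example, not part of the original post, that models that decision. The `Endpoint` type, the function names and every profile are constructed assumptions and do not describe the real configuration of wias-berlin.de or of any client.

```python
# Added illustration: simplified model of how a TLS server picks a version
# and cipher suite. Only these two parameters are modelled; real handshakes
# can also fail over groups, signature algorithms or extensions.
from dataclasses import dataclass

TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

@dataclass
class Endpoint:
    versions: set   # TLS versions enabled, e.g. {"1.2", "1.3"}
    suites: list    # IANA suite names, in preference order

def negotiate(client, server):
    """Return (outcome, version, suite) as the server would decide it."""
    common = client.versions & server.versions
    if not common:
        # No shared version: server sends a protocol_version alert (70).
        return ("protocol_version", None, None)
    version = max(common, key=float)  # highest version both sides enable
    for suite in server.suites:       # server preference order
        # TLS 1.3 suites are usable only in 1.3, older suites only below it.
        fits = (suite in TLS13_SUITES) == (version == "1.3")
        if fits and suite in client.suites:
            return ("ok", version, suite)
    # Versions overlap but no suite does: handshake_failure alert (40).
    return ("handshake_failure", None, None)

# Constructed profiles (assumptions, not measured from any real host).
SERVER = Endpoint({"1.2", "1.3"}, [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])
CLIENTS = {
    "tls10_only": Endpoint({"1.0"}, ["TLS_RSA_WITH_AES_128_CBC_SHA"]),
    "tls12_cbc_only": Endpoint({"1.0", "1.1", "1.2"}, [
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]),
    "tls12_gcm": Endpoint({"1.2"}, ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
    "tls13": Endpoint({"1.2", "1.3"}, [
        "TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
}

def diagnose(clients, server):
    """Map each client profile name to its negotiation result."""
    return {name: negotiate(c, server) for name, c in clients.items()}

if __name__ == "__main__":
    for name, result in diagnose(CLIENTS, SERVER).items():
        print(f"{name:15} -> {result}")
```

To apply it to a real case, replace the constructed profiles with the suite list from a server scan report and the suites the failing client actually offers.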