[MacPorts] #46539: GitHub fetches fail under OSX 10.5 (and presumably 10.4)
MacPorts
noreply at macports.org
Tue Jan 13 15:13:24 PST 2015
#46539: GitHub fetches fail under OSX 10.5 (and presumably 10.4)
---------------------+--------------------------------
  Reporter:  fw@…    |      Owner:  macports-tickets@…
      Type:  defect  |     Status:  new
  Priority:  Low     |  Milestone:
 Component:  base    |    Version:  2.3.3
Resolution:          |   Keywords:
      Port:          |
---------------------+--------------------------------
Comment (by nad@…):
"Here, /System/Library/OpenSSL seems to be empty except for some scripts
under misc/ (in both 10.5 and 10.9). So either Safari and Firefox are
using curl-ca-bundle.crt, or the browsers have their own root CAs
elsewhere."

Neither Safari nor Firefox uses the Apple-supplied versions of OpenSSL,
which is basically only there for the benefit of some open source software
shipped with OS X, like Python; note that OpenSSL has officially been
deprecated by Apple as of 10.7. AFAIK, Safari uses certificates from the
system trust store which is maintained in system and user keychains and
uses the OS X native crypto services. The
[https://developer.apple.com/library/mac/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html#//apple_ref/doc/uid/TP40011172-CH11-SW1
Cryptographic Services Guide] has more info on how this all works; it has
nothing to do with OpenSSL or, in 10.5, curl. And, AFAIK, Firefox
provides its own root CAs and certificate management, independent of the
system trust store. So, yes, as shipped, /System/Library/OpenSSL has no
root certs. It has always (at least, since 10.5) been up to the user to
manually supply and manage these for the benefit of any user- or (the few)
system-supplied apps (like the system Python) that link with the system
OpenSSL libs. As noted above, though, starting in 10.6, the system-
supplied OpenSSL 0.9.8 does have a fallback hook into the system trust
store (via TEA) which may or may not be what the application wants.

But, to summarize, I believe it is the case that if MacPorts base needs to
securely download (TLS) on 10.5 systems from all sources, it will need to
supply its own versions of libssl, libcrypto, and libcurl.
--
Ticket URL: <https://trac.macports.org/ticket/46539#comment:11>
MacPorts <https://www.macports.org/>
Ports system for OS X
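
An added example, not part of the ticket or of MacPorts: a shell check for the condition the comment describes, an OPENSSLDIR that ships without root certificates. It assumes OpenSSL's default lookup (every PEM block in `cert.pem`, plus hash-named files in `certs/`); the function names are made up for this example, the sample directory is constructed, and the 10.6+ trust-store fallback mentioned in the comment is not measured.

```shell
#!/bin/sh
# Added example: count the trust anchors an OpenSSL-linked program would
# find under an OPENSSLDIR such as /System/Library/OpenSSL.

# Print the number of root certificates reachable through the default lookup:
# every PEM block in DIR/cert.pem, plus files in DIR/certs named
# <8 hex digits>.<n> (the names c_rehash creates). A .pem dropped into
# certs/ without a hash name is never found, so it is not counted.
count_openssl_roots() {
    dir=$1
    total=0
    h='[0-9a-f]'
    for f in "$dir/cert.pem" "$dir"/certs/$h$h$h$h$h$h$h$h.[0-9]*; do
        [ -f "$f" ] || continue          # also skips an unmatched glob
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# Print the OPENSSLDIR compiled into the openssl on PATH, or nothing.
openssl_dir() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Constructed sample: a directory holding only misc/, as in the ticket,
# then the same directory after a (placeholder) bundle is supplied.
demo=$(mktemp -d)
mkdir -p "$demo/misc" "$demo/certs"
echo "as shipped:    $(count_openssl_roots "$demo") root(s)"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$demo/cert.pem"
echo "with cert.pem: $(count_openssl_roots "$demo") root(s)"
rm -rf "$demo"

# Report on the openssl actually installed, if there is one.
d=$(openssl_dir)
if [ -n "$d" ]; then
    echo "$d: $(count_openssl_roots "$d") root(s)"
fi
```

A count of 0 means a program relying only on OpenSSL's default paths has nothing to verify a server certificate against.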