[MacPorts] #47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate

MacPorts noreply at macports.org
Sat May 23 05:00:06 PDT 2015


#47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to
get local issuer certificate
---------------------------+--------------------------
  Reporter:  fabien@…      |      Owner:  ryandesign@…
      Type:  defect        |     Status:  new
  Priority:  Normal        |  Milestone:
 Component:  ports         |    Version:  2.3.3
Resolution:                |   Keywords:
      Port:  curl openssl  |
---------------------------+--------------------------

Comment (by cal@…):

 The problem is that Apple removed a 1024-bit root in Yosemite that was
 used as a trust anchor for Google's (and possibly other sites')
 certificates. Normally, this would not affect certificate validity,
 because one of the intermediate certificates in its chain is not a trusted
 root CA in OS X (in the case of Google, it's GeoTrust Global CA).

 However, OpenSSL before 1.0.2 does not detect this situation as it should
 (by checking whether any of the intermediates is a trusted root CA) and
 always follows the chain of trust to the end. In this situation, it fails
 to verify the certificate, because the end of the chain of certificates is
 actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated
 by `-trusted_first` in `openssl s_client`), but this option needs to be
 enabled by each piece of software separately.

 For curl, see
 https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html.
 For python, see http://bugs.python.org/issue23476 (will be part of
 2.7.10).

-- 
Ticket URL: <https://trac.macports.org/ticket/47805#comment:5>
MacPorts <https://www.macports.org/>
Ports system for OS X
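
The chain-building difference described in the comment above, as an added example (not part of the ticket and not OpenSSL's code): a simplified Python model that matches certificates by name only and checks no signatures. Apart from "GeoTrust Global CA", every certificate name and the helper names are constructed for illustration.

```python
# Simplified model of X.509 path building: names only, no signature checks.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed sample data. Only "GeoTrust Global CA" is named in the ticket.
LEAF = Cert("www.example.test", "Example Intermediate CA")
INTERMEDIATE = Cert("Example Intermediate CA", "GeoTrust Global CA")
# Cross-signed GeoTrust Global CA, issued by the removed 1024-bit root.
GEOTRUST_CROSS = Cert("GeoTrust Global CA", "Removed 1024-bit Root")
# Self-signed GeoTrust Global CA, still present in the trust store.
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA")

SERVER_CHAIN = [INTERMEDIATE, GEOTRUST_CROSS]  # untrusted, sent by the server
TRUST_STORE = [GEOTRUST_ROOT]                  # the 1024-bit root is gone


def find_issuer(cert, pool):
    """Return the first certificate in pool whose subject is cert's issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_path(leaf, untrusted, trusted, trusted_first):
    """Return (ok, path); ok is True when the path ends at a trust anchor."""
    # trusted_first=False models the older default: prefer the certificates
    # the server sent and consult the trust store only when they run out.
    pools = [trusted, untrusted] if trusted_first else [untrusted, trusted]
    path = [leaf]
    while True:
        current = path[-1]
        if current in trusted:
            return True, path
        issuer = None
        for pool in pools:
            issuer = find_issuer(current, pool)
            if issuer is not None:
                break
        # Stop when no issuer is known or the chain loops back on itself.
        if issuer is None or issuer in path:
            return False, path
        path.append(issuer)


if __name__ == "__main__":
    for flag in (False, True):
        ok, path = build_path(LEAF, SERVER_CHAIN, TRUST_STORE, flag)
        print("trusted_first=%s ok=%s" % (flag, ok))
        for cert in path:
            print("   %s  <-  %s" % (cert.subject, cert.issuer))
```
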

