[MacPorts] #47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate

MacPorts noreply at macports.org
Sat May 23 10:42:05 PDT 2015


#47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to
get local issuer certificate
---------------------------+--------------------------
  Reporter:  fabien@…      |      Owner:  ryandesign@…
      Type:  defect        |     Status:  new
  Priority:  Normal        |  Milestone:
 Component:  ports         |    Version:  2.3.3
Resolution:                |   Keywords:
      Port:  curl openssl  |
---------------------------+--------------------------

Comment (by fabien@…):

 Replying to [comment:5 cal@…]:
 > The problem is that Apple removed a 1024-bit root in Yosemite, that was
 > used as a trust anchor for Google's (and possibly other sites')
 > certificates. Normally, this would not affect certificate validity,
 > because one of the intermediate certificates in its chain is not a trusted
 > root CA in OS X (in the case of Google, it's GeoTrust Global CA).
 >
 > However, OpenSSL before 1.0.2 does not detect this situation as it
 > should (by checking whether any of the intermediates is a trusted root CA)
 > and always follows the chain of trust to the end. In this situation, it
 > fails to verify the certificate, because the end of the chain of
 > certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix
 > that (activated by `-trusted_first` in `openssl s_client`), but this
 > option needs to be enabled by each software separately.
 >
 > For curl, see
 > https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html
 > (the thread seems to have ended up dead, so we should follow up).
 >
 > For python, see http://bugs.python.org/issue23476 (will be part of
 > 2.7.10).

 [[BR]]
 Ok, but how can we explain that curl works when '''certsync''' is activated,
 and not with '''curl-ca-bundle'''?

 {{{
 curl 'https://www.chronopost.fr/recherchebt-ws-cxf/PointRelaisServiceWS?wsdl'
 }}}

 Thx,
 Fabien

-- 
Ticket URL: <https://trac.macports.org/ticket/47805#comment:8>
MacPorts <https://www.macports.org/>
Ports system for OS X
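
The lookup-order difference described in the quoted reply (following the server-sent chain to its end versus checking the trust store first, as `-trusted_first` does), as a toy model added here; it is not code from the ticket, OpenSSL or curl. Certificates are reduced to subject/issuer pairs with no signature checks, and every name except GeoTrust Global CA is a constructed placeholder.

```python
# Toy model of X.509 path building: a certificate is only (subject, issuer),
# with no keys, signatures or validity dates. All sample data is constructed.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

def find_issuer(cert, pool):
    """First certificate in pool whose subject equals cert's issuer, or None."""
    return next((c for c in pool if c.subject == cert.issuer), None)

def build_chain(leaf, sent_by_server, trust_store, trusted_first, max_depth=10):
    """Return (list of subjects in the built chain, verified?)."""
    # The lookup order is the whole difference between the two behaviours.
    if trusted_first:
        pools = [trust_store, sent_by_server]
    else:
        pools = [sent_by_server, trust_store]
    chain = [leaf]
    while len(chain) <= max_depth:
        current = chain[-1]
        if current in trust_store:             # reached a trust anchor
            return [c.subject for c in chain], True
        if current.subject == current.issuer:  # self-signed but not trusted
            break
        issuer = find_issuer(current, pools[0]) or find_issuer(current, pools[1])
        if issuer is None:                     # "unable to get local issuer certificate"
            break
        chain.append(issuer)
    return [c.subject for c in chain], False

# Placeholder names, except GeoTrust Global CA, which the ticket mentions.
OLD_ROOT = Cert("Removed 1024-bit Root", "Removed 1024-bit Root")
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA")
GEOTRUST_CROSS = Cert("GeoTrust Global CA", "Removed 1024-bit Root")
INTERMEDIATE = Cert("Example Intermediate CA", "GeoTrust Global CA")
LEAF = Cert("www.example.test", "Example Intermediate CA")

SENT = [INTERMEDIATE, GEOTRUST_CROSS]     # sent by the server besides the leaf
STORE_BEFORE = [OLD_ROOT, GEOTRUST_ROOT]  # old root still trusted
STORE_AFTER = [GEOTRUST_ROOT]             # old root removed from the store

if __name__ == "__main__":
    for label, store, tf in [("old root present, untrusted first", STORE_BEFORE, False),
                             ("old root removed, untrusted first", STORE_AFTER, False),
                             ("old root removed, trusted first", STORE_AFTER, True)]:
        print(label, "->", build_chain(LEAF, SENT, store, tf))
```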

