[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version

MacPorts noreply at macports.org
Wed Aug 3 12:13:29 UTC 2022


#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
  Reporter:  ryandesign   |      Owner:  macports-tickets@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:  MacPorts Future
 Component:  base         |    Version:
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------------------

Comment (by tomio-arisaka):

 For example, Ghostscript cannot be built with MacPorts on either High
 Sierra or Tiger.

 On macOS High Sierra, "/usr/bin/curl" cannot download particular files due
 to an expired certificate.


 {{{
 $ /usr/bin/curl --version
 curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
 Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy
 $
 $ /usr/bin/curl -LOR https://sourceforge.net/projects/gs-fonts/files/gs-fonts/6.0%20%28misc%2C%20AFPL%29/ghostscript-fonts-other-6.0.tar.gz
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
 100   806    0   806    0     0   3317      0 --:--:-- --:--:-- --:--:--  3330
 100   834    0   834    0     0   2071      0 --:--:-- --:--:-- --:--:--     0
 100  1067    0  1067    0     0   1884      0 --:--:-- --:--:-- --:--:--  1884
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (60) SSL certificate problem: certificate has expired
 More details here: https://curl.haxx.se/docs/sslcerts.html

 curl performs SSL certificate verification by default, using a "bundle"
  of Certificate Authority (CA) public keys (CA certs). If the default
  bundle file isn't adequate, you can specify an alternate file
  using the --cacert option.
 If this HTTPS server uses a certificate signed by a CA represented in
  the bundle, the certificate verification probably failed due to a
  problem with the certificate (it might be expired, or the name might
  not match the domain name in the URL).
 If you'd like to turn off curl's verification of the certificate, use
  the -k (or --insecure) option.
 HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
 }}}


 On Mac OS X Tiger PPC, "/usr/bin/curl" cannot download any files with SSL
 due to the old version of curl.



 {{{
 $ /usr/bin/curl --version
 curl 7.16.3 (powerpc-apple-darwin8.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
 Protocols: tftp ftp telnet dict ldap http file https ftps
 Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
 $
 $ /usr/bin/curl -LOR https://sourceforge.net/projects/gs-fonts/files/gs-fonts/6.0%20%28misc%2C%20AFPL%29/ghostscript-fonts-other-6.0.tar.gz

 curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
 $
 $ /usr/bin/curl -v -I https://sourceforge.net/projects/gs-fonts/files/gs-fonts/6.0%20%28misc%2C%20AFPL%29/ghostscript-fonts-other-6.0.tar.gz
 * About to connect() to sourceforge.net port 443 (#0)
 *   Trying 172.64.153.13... connected
 * Connected to sourceforge.net (172.64.153.13) port 443 (#0)
 * successfully set certificate verify locations:
 *   CAfile: /usr/share/curl/curl-ca-bundle.crt
   CApath: none
 * SSLv2, Client hello (1):
 * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
 * Closing connection #0
 curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
 }}}




 My simple resolution is to add a fetch phase in order to use the latest
 version of curl:



 {{{
 if {${os.major} < 18} {
     depends_build-append    port:curl

     fetch {
         if { [file isfile "${distpath}/ghostscript-fonts-other-6.0.tar.gz"] == 0 } then {
             system -W ${distpath} "curl -LOR https://sourceforge.net/projects/gs-fonts/files/gs-fonts/6.0%20%28misc%2C%20AFPL%29/ghostscript-fonts-other-6.0.tar.gz"
         }
         ...
         ...
     }
 }
 }}}

-- 
Ticket URL: <https://trac.macports.org/ticket/51516#comment:95>
MacPorts <https://www.macports.org/>
Ports system for macOS
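
The two failures in the comment above have different causes, and a small triage script makes the distinction explicit. This is an added example, not part of the ticket or of MacPorts; the function names and diagnosis labels are hypothetical, and it assumes the server requires TLS 1.2 or newer.

```shell
#!/bin/sh
# Added example (not from the ticket): triage curl TLS failures by exit code,
# error text and the TLS library named in the `curl --version` banner.

# Print "Name Version" of the TLS library found in a `curl --version` first line.
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n -E 's#^(OpenSSL|LibreSSL)/([0-9][0-9a-z.]*)$#\1 \2#p' | head -n 1
}

# Succeed when the library predates TLS 1.2. OpenSSL gained TLS 1.1/1.2 in
# 1.0.1; every LibreSSL release already has it.
predates_tls12() {
    set -- $1                                      # split into name and version
    [ "$1" = OpenSSL ] || return 1
    ver=$(printf '%s\n' "$2" | sed 's/[a-z]*$//')  # 0.9.7l -> 0.9.7
    oldest=$(printf '%s\n%s\n' "$ver" 1.0.1 |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$ver" ] && [ "$ver" != 1.0.1 ]
}

# classify EXIT_CODE ERROR_TEXT BANNER -> diagnosis label (labels are this
# example's own, not curl's).
classify() {
    case "$1:$2" in
        0:*) echo ok ;;
        60:*"certificate has expired"*) echo cert-expired ;;  # verification did its job
        60:*) echo cert-verify-failed ;;
        35:*"handshake failure"*)
            if predates_tls12 "$(tls_backend "$3")"; then
                echo client-tls-too-old      # needs a newer curl/TLS library
            else
                echo handshake-rejected      # client is new enough; cause lies elsewhere
            fi ;;
        *) echo other ;;
    esac
}

# Banner and error lines copied from the two sessions in the ticket (re-joined).
HS_BANNER='curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0'
TIGER_BANNER='curl 7.16.3 (powerpc-apple-darwin8.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3'
HS_ERR='curl: (60) SSL certificate problem: certificate has expired'
TIGER_ERR='curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'

echo "High Sierra: $(classify 60 "$HS_ERR" "$HS_BANNER")"
echo "Tiger:       $(classify 35 "$TIGER_ERR" "$TIGER_BANNER")"
```

Both outcomes are addressed by a newer curl and TLS library with a current CA bundle, which keeps certificate verification on.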

