provide latest OS root certificates via port?

Richard L. Hamilton rlhamil at smart.net
Sun Oct 31 13:56:18 UTC 2021


https://trac.macports.org/ticket/61333 <https://trac.macports.org/ticket/61333> is an old ticket about mpstats not reporting on Tiger and Leopard. The problem also exists on Snow Leopard (not just certificates there) and as recently as Mojave (certificates). The general solution IMO is that mpstats should depend on the curl port and always use that version of curl and not the OS version. I added a comment to that effect. I don't know how to change the keywords to add later OS versions up through Mojave, though.

> On Oct 31, 2021, at 07:59, Richard L. Hamilton <rlhamil at smart.net> wrote:
> 
> I think you're onto something here. (color highlighting added, not in the original output)
> 
> sh-3.2$ # 10.14
> sh-3.2$ /usr/bin/curl -sS https://ports.macports.org <https://ports.macports.org/> >/dev/null
> curl: (60) SSL certificate problem: certificate has expired
> # lines of advice in error message skipped here
> sh-3.2$ /opt/local/bin/curl -sS https://ports.macports.org <https://ports.macports.org/> >/dev/null
> sh-3.2$ echo $?
> 0
> 
> (the expired above isn't surprising since I haven't updated the root certificates on there)
> 
> but
> 
> sh-3.2$ # 10.6
> sh-3.2$ /usr/bin/curl -sS https://ports.macports.org/ <https://ports.macports.org/> >/dev/null
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> sh-3.2$ /opt/local/bin/curl -sS https://ports.macports.org/ <https://ports.macports.org/> >/dev/null
> sh-3.2$ echo $?
> 0
> 
> On the 10.6, I had updated the root certificates...but the error is different; evidently there have been changes to the protocol and/or crypto used that merely updating the certificates does not fix. The MacPorts version of curl still works fine. Note that  pointing Safari to that same URL (https://ports.macports.org/ <https://ports.macports.org/>) also fails with unable to establish secure connection. So on older systems, EVEN WITH CERTIFICATES UPDATED, browsing with a non-updated browser and/or one that uses system libcrypto will fail for various sites, as will various non-browser software that tries to establish TLS connections using system libcrypto.
> 
> So if mpstats is failing on curl, it's not using the MacPorts version of curl. Which certainly would be distorting the stats against the poor suffering older OS version users, even if, knowing they're poor and suffering, they volunteer to provide stats.
> 
> IMO, it should check if ${prefix}/bin/curl is present and use it if it is, and only use the default if that isn't present - which in practice probably would never happen, because so many ports ultimately depend on the curl port. Interestingly it did NOT matter if PATH began with /opt/local/bin when mpstats was run, it still found the OS version rather than the MacPorts version.
> 
>> On Oct 31, 2021, at 05:37, raf <macports at raf.org <mailto:macports at raf.org>> wrote:
>> 
>> 
>> Actually, something looks wierd with macports statistics.
>> 
>> On 10.14:
>> 
>>> /opt/local/libexec/mpstats submit
>>  Submitting data to https://ports.macports.org/statistics/submit/ <https://ports.macports.org/statistics/submit/> ...
>>  Error: Peer certificate cannot be authenticated with given CA certificates
>>      while executing
>>  "curl post "submission\[data\]=$json" $stats_url"
>> 
>> On 10.6:
>> 
>>> /opt/local/libexec/mpstats submit
>>  Submitting data to https://ports.macports.org/statistics/submit/ <https://ports.macports.org/statistics/submit/> ...
>>  Error: SSL connect error
>>      while executing
>>  "curl post "submission\[data\]=$json" $stats_url"
>> 
>> It has a LetsEncrypt certificate but this should work. It should be macport's
>> curl that has its own CA bundle.
>> 
>> The certificate chain does still contain "DST Root CA X3". I thought that
>> was getting removed.
>> 
>> Anyway, it looks like I didn't manage to fix my system root certificates
>> after all, even though "ISRG Root X1" is installed (and "DST Root XA 3" is
>> manually trusted just to be extra sure). :-)
>> 
>> /usr/bin/curl is still failing, and for some reason, mpstats must be using
>> /usr/bin/curl instead of /opt/local/bin/curl. That doesn't sound possible, but
>> that's what it looks like.
>> 
>> According to check_for_app in /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl,
>> it looks like the curl that's used is the system one in /usr/bin.
>> 
>> I think that means that macports does require the system root certificates
>> to be functional (for some things at least). Is anyone else on old systems
>> able to run "/opt/local/libexec/mpstats submit"? I read somewhere that errors
>> are silently ignored during automatic submission.
>> 
>> Could this be why https://ports.macports.org/statistics/ <https://ports.macports.org/statistics/> shows almost nothing
>> for 10.{14,13,8,7,6,5,4}? Or are those numbers accurate?
>> 
>> cheers,
>> raf
>> 
> 
> -- 
> eMail:				mailto:rlhamil at smart.net <mailto:rlhamil at smart.net>
> 
> 
> 
> 

-- 
eMail:				mailto:rlhamil at smart.net




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20211031/3b63d798/attachment.htm>


More information about the macports-users mailing list