provide latest OS root certificates via port?

raf macports at raf.org
Sun Oct 31 23:38:13 UTC 2021


On Sun, Oct 31, 2021 at 07:59:29AM -0400, "Richard L. Hamilton" <rlhamil at smart.net> wrote:

> I think you're onto something here. (color highlighting added, not in the original output)
> 
> sh-3.2$ # 10.14
> sh-3.2$ /usr/bin/curl -sS https://ports.macports.org >/dev/null
> curl: (60) SSL certificate problem: certificate has expired
> # lines of advice in error message skipped here
> sh-3.2$ /opt/local/bin/curl -sS https://ports.macports.org >/dev/null
> sh-3.2$ echo $?
> 0
> 
> (the expired above isn't surprising since I haven't updated the root certificates on there)
> 
> but
> 
> sh-3.2$ # 10.6
> sh-3.2$ /usr/bin/curl -sS https://ports.macports.org/ >/dev/null
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> sh-3.2$ /opt/local/bin/curl -sS https://ports.macports.org/ >/dev/null
> sh-3.2$ echo $?
> 0
> 
> On the 10.6, I had updated the root certificates...but the error
> is different; evidently there have been changes to the protocol
> and/or crypto used that merely updating the certificates does not
> fix. The MacPorts version of curl still works fine. Note that pointing
> Safari to that same URL (https://ports.macports.org/) also fails with
> unable to establish secure connection. So on older systems, EVEN WITH
> CERTIFICATES UPDATED, browsing with a non-updated browser and/or
> one that uses system libcrypto will fail for various sites, as will
> various non-browser software that tries to establish TLS connections
> using system libcrypto.

I'm fairly sure that Safari on 10.6 only supports
TLSv1.0 which is a separate reason for it not being
able to connect to websites. /usr/bin/curl might have
the same problem. The ports.macports.org does not
support TLSv1.0. If it did, old /usr/bin/curl might
still work.

It uses /usr/lib/libssl.44.dylib. Someone on the
internet thinks that's old LibreSSL, but the first
release that libressl.org admits to is v2.0.0.

> So if mpstats is failing on curl, it's not using the MacPorts version
> of curl. Which certainly would be distorting the stats against the
> poor suffering older OS version users, even if, knowing they're poor
> and suffering, they volunteer to provide stats.
> 
> IMO, it should check if ${prefix}/bin/curl is present and use it if it
> is, and only use the default if that isn't present - which in practice
> probably would never happen, because so many ports ultimately depend
> on the curl port. Interestingly it did NOT matter if PATH began with
> /opt/local/bin when mpstats was run, it still found the OS version
> rather than the MacPorts version.

Yes. I think /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl
is definitely indicating that the system curl is used for some things,
and that must include mpstats. But updates still work.

> > On Oct 31, 2021, at 05:37, raf <macports at raf.org> wrote:
> > 
> > 
> > Actually, something looks weird with macports statistics.
> > 
> > On 10.14:
> > 
> >> /opt/local/libexec/mpstats submit
> >  Submitting data to https://ports.macports.org/statistics/submit/ ...
> >  Error: Peer certificate cannot be authenticated with given CA certificates
> >      while executing
> >  "curl post "submission\[data\]=$json" $stats_url"
> > 
> > On 10.6:
> > 
> >> /opt/local/libexec/mpstats submit
> >  Submitting data to https://ports.macports.org/statistics/submit/ ...
> >  Error: SSL connect error
> >      while executing
> >  "curl post "submission\[data\]=$json" $stats_url"
> > 
> > It has a LetsEncrypt certificate but this should work. It should be MacPorts'
> > curl that has its own CA bundle.
> > 
> > The certificate chain does still contain "DST Root CA X3". I thought that
> > was getting removed.
> > 
> > Anyway, it looks like I didn't manage to fix my system root certificates
> > after all, even though "ISRG Root X1" is installed (and "DST Root CA X3" is
> > manually trusted just to be extra sure). :-)
> > 
> > /usr/bin/curl is still failing, and for some reason, mpstats must be using
> > /usr/bin/curl instead of /opt/local/bin/curl. That doesn't sound possible, but
> > that's what it looks like.
> > 
> > According to check_for_app in /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl,
> > it looks like the curl that's used is the system one in /usr/bin.
> > 
> > I think that means that macports does require the system root certificates
> > to be functional (for some things at least). Is anyone else on old systems
> > able to run "/opt/local/libexec/mpstats submit"? I read somewhere that errors
> > are silently ignored during automatic submission.
> > 
> > Could this be why https://ports.macports.org/statistics/ shows almost nothing
> > for 10.{14,13,8,7,6,5,4}? Or are those numbers accurate?
> > 
> > cheers,
> > raf
> -- 
> eMail:				mailto:rlhamil at smart.net
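To make the two failure modes in the thread concrete, here is an added POSIX-shell diagnostic (not code from this thread or from MacPorts). It prefers ${prefix}/bin/curl over the system curl, as suggested above, and classifies curl's exit status the way the two probes differed: 60 (certificate could not be verified against the CA bundle) versus 35 (handshake failed before any certificate was checked). The URL, prefix and CA file are parameters you supply.

```shell
#!/bin/sh
# Added diagnostic for the MacPorts curl / system curl discussion above.
# Assumes only curl(1); the prefix, URL and CA file are caller-supplied.

# Prefer MacPorts' curl (own CA bundle, modern TLS) over the system one;
# fall back to whatever curl is on PATH if the prefix has none.
pick_curl() {
    prefix="${1:-/opt/local}"
    if [ -x "$prefix/bin/curl" ]; then
        printf '%s\n' "$prefix/bin/curl"
    else
        command -v curl
    fi
}

# Map curl's exit status to the failure class seen in the thread:
#   60 -> peer certificate not verifiable with the CA bundle
#         (expired or missing root such as DST Root CA X3)
#   35 -> TLS handshake failed before any certificate check
#         (e.g. server refuses TLSv1.0, old system libssl)
classify_curl_status() {
    case "$1" in
        0)  echo "ok" ;;
        60) echo "cert-verify" ;;
        35) echo "handshake" ;;
        *)  echo "other($1)" ;;
    esac
}

# Repeat the probe from the thread, forcing TLS 1.2 and optionally an
# explicit CA file, and print the classification instead of raw status.
probe_tls() {
    url="$1"; curl_bin="$2"; cafile="$3"
    set -- -sS -o /dev/null --tlsv1.2
    [ -n "$cafile" ] && set -- "$@" --cacert "$cafile"
    status=0
    "$curl_bin" "$@" "$url" 2>/dev/null || status=$?
    classify_curl_status "$status"
}
```

A "cert-verify" result is fixed by an updated CA bundle (or MacPorts' curl); a "handshake" result is not, because the client's TLS stack itself is too old for the server.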
