curl and openSSL
Clemens Lang
cal at macports.org
Tue Apr 12 20:19:02 UTC 2022
Hi,
On Tue, Apr 12, 2022 at 09:17:03AM -0700, James Secan wrote:
> I switched from using the macOS-supplied curl to MacPorts curl
> recently, and one of my download scripts which uses curl immediately
> stopped working. The error message from curl was:
>
> curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation
> disabled
>
> From some googling it sounds like this is a problem on the server end
> and not on my end. Am I reading this right (I am NOT any kind of
> expert on SSL)?
Yes, mostly. Unsafe legacy renegotiation is a mechanism that is
vulnerable to man in the middle attacks. Can you share which server your
script was talking to, so I could take a closer look?
> I’ve switched back to the macOS version of curl for now, but I may try
> downloading a MacPorts version of curl that doesn’t use openSSL as
> suggested in a StackExchange post I found.
This is a message caused by OpenSSL 3.x, so not using OpenSSL will "fix"
the issue, but leave you vulnerable to the man-in-the-middle vulnerable
renegotiation.
--
Clemens