curl and OpenSSL

Clemens Lang cal at macports.org
Tue Apr 12 20:19:02 UTC 2022


Hi,

On Tue, Apr 12, 2022 at 09:17:03AM -0700, James Secan wrote:
> I switched from using the macOS-supplied curl to MacPorts curl
> recently, and one of my download scripts which uses curl immediately
> stopped working.  The error message from curl was:
> 
> curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
> 
> From some googling it sounds like this is a problem on the server end
> and not on my end.  Am I reading this right (I am NOT any kind of
> expert on SSL)?

Yes, mostly. Unsafe legacy renegotiation is a mechanism that is
vulnerable to man-in-the-middle attacks. Can you share which server your
script was talking to, so I could take a closer look?


> I’ve switched back to the macOS version of curl for now, but I may try
> downloading a MacPorts version of curl that doesn’t use OpenSSL as
> suggested in a StackExchange post I found.

This is a message caused by OpenSSL 3.x, so not using OpenSSL will "fix"
the issue, but leave you vulnerable to the man-in-the-middle vulnerable
renegotiation.

-- 
Clemens
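
Added example, not part of the original message: a small shell check that answers the "is it the server?" question from saved `curl` or `openssl s_client` output, by looking for the RFC 5746 secure-renegotiation indicators. The function name, verdict strings and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# classify_reneg: read curl or `openssl s_client` output on stdin and print
# one verdict about RFC 5746 secure renegotiation support on the server.
# (Hypothetical helper; verdict names are chosen for this example.)
classify_reneg() {
    awk '
        /unsafe legacy renegotiation disabled/      { refused = 1 }
        /Secure Renegotiation IS NOT supported/     { insecure = 1 }
        /Secure Renegotiation IS supported/         { secure = 1 }
        /New, TLSv1\.3,/ || /Protocol *: *TLSv1\.3/ { tls13 = 1 }
        END {
            # An OpenSSL 3.x client refused the handshake: server lacks RFC 5746.
            if (refused)       print "legacy-server"
            else if (secure)   print "secure"
            # TLS 1.3 has no renegotiation, so "IS NOT supported" on a
            # TLS 1.3 session is not a finding.
            else if (tls13)    print "not-applicable-tls13"
            else if (insecure) print "legacy-server"
            else               print "unknown"
        }
    '
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_CURL_ERROR='curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled'
SAMPLE_TLS12_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported'
SAMPLE_TLS12_LEGACY='New, TLSv1.2, Cipher is AES128-SHA
Secure Renegotiation IS NOT supported'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported'

for sample in "$SAMPLE_CURL_ERROR" "$SAMPLE_TLS12_OK" \
              "$SAMPLE_TLS12_LEGACY" "$SAMPLE_TLS13"; do
    printf '%s\n' "$sample" | classify_reneg
done

# Live use (HOST is a placeholder for the server the script talks to):
#   openssl s_client -connect HOST:443 -tls1_2 </dev/null 2>&1 | classify_reneg
```

A `legacy-server` verdict means the fix belongs on the server side (upgrade or patch its TLS stack); switching the client to a library that silently accepts the handshake only hides the finding.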


More information about the macports-users mailing list