curl and openSSL

James Secan james.secan at gmail.com
Tue Apr 12 21:16:08 UTC 2022


It’s a US Gov’t site (NASA): cddis.nasa.gov.  I’m accessing data on their Space Geodesy Data archive, pulling files from directory archive/gnss/products/ionex.  I filed an initial complaint with them yesterday before I knew in detail what was going on and had a response asking for more info this morning.  I’ve sent them everything I know, but have heard nothing back.  That was just this morning, so it’s too soon to be getting antsy about a response from them.

Jim
> On Apr 12, 2022, at 1:19 PM, Clemens Lang <cal at macports.org> wrote:
> 
> Hi,
> 
> On Tue, Apr 12, 2022 at 09:17:03AM -0700, James Secan wrote:
>> I switched from using the macOS-supplied curl to MacPorts curl
>> recently, and one of my download scripts which uses curl immediately
>> stopped working.  The error message from curl was:
>> 
>> curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation
>> disabled
>> 
>> From some googling it sounds like this is a problem on the server end
>> and not on my end.  Am I reading this right (I am NOT any kind of
>> expert on SSL)?
> 
> Yes, mostly. Unsafe legacy renegotiation is a mechanism that is
> vulnerable to man in the middle attacks. Can you share which server your
> script was talking to, so I could take a closer look?
> 
> 
>> I’ve switched back to the macOS version of curl for now, but I may try
>> downloading a MacPorts version of curl that doesn’t use openSSL as
>> suggested in a StackExchange post I found.
> 
> This is a message caused by OpenSSL 3.x, so not using OpenSSL will "fix"
> the issue, but leave you vulnerable to the man-in-the-middle vulnerable
> renegotiation.
> 
> -- 
> Clemens
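
An added example, not part of the original thread: a Python check for the RFC 5746 `renegotiation_info` extension in a TLS 1.2 (or earlier) ServerHello, whose absence is the condition OpenSSL 3.x rejects by default with "unsafe legacy renegotiation disabled". The function names and the two ServerHello records are constructed for this example, not captured from any server.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def server_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} for one TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    # Skip version(2), random(32), session_id, cipher_suite(2), compression(1).
    pos = 34 + 1 + msg[34] + 2 + 1
    if pos == len(msg):
        return {}  # legacy server: no extensions block at all
    if pos + 2 > len(msg):
        raise ValueError("bad session_id or extensions length")
    end = pos + 2 + struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2
    if end != len(msg):
        raise ValueError("bad extensions length")
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", msg[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns ServerHello")
        exts[etype] = msg[pos:pos + elen]
        pos += elen
    return exts

def supports_secure_renegotiation(record: bytes) -> bool:
    """Initial handshake: the extension must carry an empty renegotiated_connection."""
    return server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"

def build_server_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: minimal TLS 1.2 ServerHello record (zeroed random)."""
    msg = b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00"
    if extensions:
        msg += struct.pack(">H", len(extensions)) + extensions
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

PATCHED = build_server_hello(b"\xff\x01\x00\x01\x00")  # sends renegotiation_info
LEGACY = build_server_hello()                          # pre-RFC 5746 behaviour
```
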


