curl and openSSL

James Secan james.secan at
Tue Apr 12 21:16:08 UTC 2022

It’s a US Gov’t site (NASA):  I’m accessing data on their Space Geodesy Data archive, pulling files from directory archive/gnss/products/ionex.  I filed an initial complaint with them yesterday before I knew in detail what was going on and had a response asking for more info this morning.  I’ve sent them everything I know, but have heard nothing back.  That was just this morning, so it’s too soon to be getting antsy about a response from them.

> On Apr 12, 2022, at 1:19 PM, Clemens Lang <cal at> wrote:
> Hi,
> On Tue, Apr 12, 2022 at 09:17:03AM -0700, James Secan wrote:
>> I switched from using the macOS-supplied curl to MacPorts curl
>> recently, and one of my download scripts which uses curl immediately
>> stopped working.  The error message from curl was:
>> curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation
>> disabled
>> From some googling it sounds like this is a problem on the server end
>> and not on my end.  Am I reading this right (I am NOT any kind of
>> expert on SSL)?
> Yes, mostly. Unsafe legacy renegotiation is a mechanism that is
> vulnerable to man in the middle attacks. Can you share which server your
> script was talking to, so I could take a closer look?
>> I’ve switched back to the macOS version of curl for now, but I may try
>> downloading a MacPorts version of curl that doesn’t use openSSL as
>> suggested in a StackExchange post I found.
> This is a message caused by OpenSSL 3.x, so not using OpenSSL will "fix"
> the issue, but leave you vulnerable to the man-in-the-middle vulnerable
> renegotiation.
> -- 
> Clemens
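
An added example, not part of the original messages and not code from curl, OpenSSL or MacPorts: a small shell function that classifies saved `curl` or `openssl s_client` output with respect to the renegotiation issue discussed in this thread. The sample lines are constructed, and the function name and verdict strings are assumptions; it relies on `s_client` printing a "Secure Renegotiation IS [NOT] supported" line, which also reads "IS NOT" over TLS 1.3 because TLS 1.3 has no renegotiation at all.

```shell
#!/bin/sh
# Constructed sample captures (not taken from any real server).
SAMPLE_REFUSED='curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled'
SAMPLE_SECURE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported'
SAMPLE_LEGACY='New, TLSv1.2, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'

# classify_reneg (hypothetical helper): reads captured client output on
# stdin and prints exactly one verdict.
classify_reneg() {
    out=$(cat)
    case "$out" in
        # The OpenSSL 3.x client aborted the handshake because the server
        # did not signal secure renegotiation (RFC 5746) support.
        *'unsafe legacy renegotiation disabled'*)
            echo client-refused ;;
        *'Secure Renegotiation IS supported'*)
            echo secure ;;
        *'Secure Renegotiation IS NOT supported'*)
            case "$out" in
                # TLS 1.3 removed renegotiation, so this line is expected
                # there and is not a finding.
                *TLSv1.3*) echo not-applicable-tls13 ;;
                # Pre-1.3 handshake without RFC 5746: the server needs fixing.
                *) echo legacy-only ;;
            esac ;;
        *)
            echo unknown ;;
    esac
}

# Print a verdict for each constructed sample.
for s in "$SAMPLE_REFUSED" "$SAMPLE_SECURE" "$SAMPLE_TLS13" "$SAMPLE_LEGACY"; do
    printf '%s\n' "$s" | classify_reneg
done
```

A `client-refused` or `legacy-only` verdict points at the server configuration, which matches the reply quoted above: the fix belongs on the server, and switching to a client that does not enforce the check only hides it.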
