curl and openSSL
James Secan
james.secan at gmail.com
Tue Apr 12 21:16:08 UTC 2022
It’s a US Gov’t site (NASA): cddis.nasa.gov. I’m accessing data on their Space Geodesy Data archive, pulling files from directory archive/gnss/products/ionex. I filed an initial complaint with them yesterday before I knew in detail what was going on and had a response asking for more info this morning. I’ve sent them everything I know, but have heard nothing back. That was just this morning, so it’s too soon to be getting antsy about a response from them.
Jim
> On Apr 12, 2022, at 1:19 PM, Clemens Lang <cal at macports.org> wrote:
>
> Hi,
>
> On Tue, Apr 12, 2022 at 09:17:03AM -0700, James Secan wrote:
>> I switched from using the macOS-supplied curl to MacPorts curl
>> recently, and one of my download scripts which uses curl immediately
>> stopped working. The error message from curl was:
>>
>> curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
>>
>> From some googling it sounds like this is a problem on the server end
>> and not on my end. Am I reading this right (I am NOT any kind of
>> expert on SSL)?
>
> Yes, mostly. Unsafe legacy renegotiation is a mechanism that is
> vulnerable to man-in-the-middle attacks. Can you share which server your
> script was talking to, so I could take a closer look?
>
>
>> I’ve switched back to the macOS version of curl for now, but I may try
>> downloading a MacPorts version of curl that doesn’t use OpenSSL as
>> suggested in a StackExchange post I found.
>
> This is a message caused by OpenSSL 3.x, so not using OpenSSL will "fix"
> the issue, but leave you vulnerable to the man-in-the-middle vulnerable
> renegotiation.
>
> --
> Clemens