#38972 closed update (fixed)
curl-ca-bundle needs update?
| Reported by: | dave@… | Owned by: | ryandesign (Ryan Carsten Schmidt) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | Cc: | cooljeanius (Eric Gallager), matthew-macports@… | |
| Port: | curl-ca-bundle |
Description (last modified by ryandesign (Ryan Carsten Schmidt))
It looks like perhaps gmail is using a new cert and macports' certs haven't been updated yet?
cube:~ dave% openssl s_client -verify -crlf -connect imap.gmail.com:993
verify depth is 0
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735275196892:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1166:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 1681 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1367385345
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Change History (10)
comment:1 Changed 11 years ago by dave@…
comment:2 Changed 11 years ago by cooljeanius (Eric Gallager)
Livecheck seems to think it's up to date:
gl00b05048:~ egall$ port -v livecheck curl-ca-bundle curl-ca-bundle seems to be up to date
comment:3 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)
| Description: | modified (diff) |
|---|---|
| Owner: | changed from macports-tickets@… to ryandesign@… |
comment:4 Changed 11 years ago by dave@…
If it's up-to-date with upstream, then probably upstream needs an update. Or, I've misdiagnosed the whole thing!
comment:6 follow-up: 9 Changed 9 years ago by matthew-macports@…
The current location of the Mozilla root certificates is not where the Portfile at browser:trunk/dports/net/curl/Portfile is looking. The Portfile is looking at:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
but Mozilla now update the file at:
http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt
(note mozilla-central, rather than mozilla). The former has not changed since December 2012:
the latter was last updated yesterday:
http://hg.mozilla.org/mozilla-central/log/3de89bd361c3/security/nss/lib/ckfw/builtins/certdata.txt
So it looks like curl-ca-bundle won't have had any updates since 2013 (which explains why I am starting to get SSL cert errors more frequently using curl).
comment:7 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
| Cc: | matthew-macports@… added |
|---|---|
| Type: | defect → update |
| Version: | 2.1.3 |
Thanks for letting me know about the new locations for these files.
comment:8 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:9 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to matthew-macports@…:
So it looks like curl-ca-bundle won't have had any updates since 2013 (which explains why I am starting to get SSL cert errors more frequently using curl).
By the way, on recent versions of OS X you can use the certsync port instead of curl-ca-bundle. Then your certificates for curl will be as current as those provided by Apple in your operating system.
rats; forgot the curlies! Sorry.