livecheck.ignore_sslcert=yes breaks ruby-lang.org site on OS <10.13

[fhgwright (Fred Wright)]

This may have been true for some time, but the need for that option due to the recent root CA issue with GitHub has exacerbated it. The current status is:

Site         Sample Port       SSL Ignore    OS version    Behavior
----         -----------       ----------    ----------    --------
GitLab       ntpsec            X             any           OK
GitHub       legacy-support    N             10.4-10.8     TLS version error
GitHub       legacy-support    N             10.9-10.11    SSL cert error
GitHub       legacy-support    N             10.12+        OK
GitHub       legacy-support    Y             10.4-10.8     TLS version error
GitHub       legacy-support    Y             10.9+         OK
ruby-lang    ruby34            N             10.4-10.8     TLS version error
ruby-lang    ruby34            N             10.9+         OK
ruby-lang    ruby34            Y             10.4-10.8     TLS version error
ruby-lang    ruby34            Y             10.9-10.12    421 Misdirected Request
ruby-lang    ruby34            Y             10.13+        OK

Note that this option is not actually needed on ruby-lang.org, but when present it sometimes causes trouble.

BTW, the debug output (on 10.9) shows:

DEBUG: Using CURL options --append-http-header {Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8} --ignore-ssl-cert --enable-compression
Error: cannot check if ruby34 was updated (The requested URL returned error: 421 Misdirected Request)

This is presumably fake, since AFAIK it actually uses libcurl, not the curl command-line tool. It wouldn't work if it were true, since the correct SSL-ignore-cert option is actually --insecure, not --ignore-ssl-cert. There seem to be many instances of --ignore-ssl-cert in the code, which is presumably valid only if they're all converted to the proper libcurl option.

[jmroot (Joshua Root)]

curl is also a Tcl command provided by pextlib.

[fhgwright (Fred Wright)]

Replying to jmroot:

curl is also a Tcl command provided by pextlib.

Ah, OK.

This may be a hint (on OS 10.9):

MacPro:tmp fw$ /usr/bin/curl -Lk https://cache.ruby-lang.org/pub/ruby/3.4/
Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [34d5994995af1a1d5ca1bc76b68eae4ae8f62a8a2b65a22d6c5636f24cb68375] in use with this connection.

Visit https://www.fastly.com/documentation/guides/concepts/errors/#routing-errors for more information.

It's not clear why it cares about a certificate when it's supposed to be ignoring certificates altogether, but that may be part of the problem.

MacPorts curl doesn't exhibit this problem. Shelling out to ${prefix}/bin/curl when available would avoid a raft of problems, including the traditional TLS version issue, the new root CA issue, and this issue here (and finally put the 10-year-old #51516 to rest).