On the MacBook Air openssl is able to get the certificate
Downloads $ openssl s_client -connect wias-berlin.de:443
CONNECTED(00000005)
depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust
Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
verify return:1
depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
verify return:1
depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU
= Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN
= www.wias-berlin.de
verify return:1
---
Certificate chain
0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU =
Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN =
www.wias-berlin.de
i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,
OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 4 13:43:33 2021 GMT; NotAfter: Sep 4 13:43:33 2022 GMT
1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,
OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,
OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,
OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust
Center, CN = T-TeleSec GlobalRoot Class 2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<clip>
-----END CERTIFICATE-----
subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU
= Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT, CN
= www.wias-berlin.de
issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5958 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
Session-ID-ctx:
Resumption PSK:
A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07 ..o.tMd.d3..L=W.
0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9 .U.)..|Xz..H.z..
Start Time: 1657903105
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
Session-ID-ctx:
Resumption PSK:
D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4 ]..^z......f.RZ.
0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9 "..x...9..Lc..M.
Start Time: 1657903105
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
Mark Brethen
mark.bret...@gmail.com
> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>
> On the Imac (OS 11.6.7):
>
> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>
> ~ $ /usr/bin/curl --version
> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport)
> LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
> Release-Date: 2019-03-27
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
> pop3s rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz
> MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>
> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz
> https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0* Trying 62.141.177.111...
> * TCP_NODELAY set
> * Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> } [228 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> { [104 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [5152 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [556 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [37 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
> { [1 bytes data]
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> { [16 bytes data]
> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> * subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.;
> OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT;
> CN=www.wias-berlin.de
> * start date: Aug 4 13:43:33 2021 GMT
> * expire date: Sep 4 13:43:33 2022 GMT
> * subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
> * issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e.
> V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
> * SSL certificate verify ok.
>> GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>> Host: wias-berlin.de
>> User-Agent: curl/7.64.1
>> Accept: */*
>>
> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:--
> 0< HTTP/1.1 200 OK
> < Date: Fri, 15 Jul 2022 15:43:03 GMT
> < Server: Apache-Coyote/1.1
> < Strict-Transport-Security: max-age=63072000
> < Accept-Ranges: bytes
> < ETag: W/"282433-1534863100000"
> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
> < Content-Type: application/x-gzip
> < Content-Length: 282433
> <
> { [7906 bytes data]
> 100 275k 100 275k 0 0 156k 0 0:00:01 0:00:01 --:--:-- 156k
> * Connection #0 to host wias-berlin.de left intact
> * Closing connection 0
>
> Mark Brethen
> mark.bret...@gmail.com
>
>
>
>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>
>>
>>
>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>> cert.perm has the same date
>>
>> very surprised ...
>>
>> and..... does the curl fetch also fail ?
>>
>>> Mark Brethen
>>> mark.bret...@gmail.com
>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>
>>>>
>>>>
>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>> I checked big sur on my iMac, which came installed with big sur. It also
>>>>> has version 7.64.1.
>>>>
>>>> how old is the cert.pem file though ?
>>>>
>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>
>>>> I’m surprised macports is using the native curl. Apple is notorious for
>>>> not updating to the latest versions of software with each new OS.
>>>>> Mark Brethen
>>>>> mark.bret...@gmail.com
>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jon...@hep.phy.cam.ac.uk>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>
>>>>>> The above could be your problem, as that is very old, 2.5 years or so
>>>>>> now. It actually pre-dates the public release of macOS 11, which wasn't
>>>>>> until November that year, which makes it quite suspicious...
>>>>>>
>>>>>> In comparison mine is from May this year, on macOS12. I would imagine
>>>>>> the same on macOS 11 to be much more up to date than the above.
>>>>>>
>>>>>> This could be some relic of your big update from OSX10.13 to macOS11...
>>>>>>
>>>>>> So, I am not sure how, but you need the above to be updated I believe...
>>>>>>
>>>>>> Have you checked system update to make sure you are fully up to date ?
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport)
>>>>>>> LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>> Release-Date: 2019-03-27
>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile
>>>>>>> libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>> Mark Brethen
>>>>>>> mark.bret...@gmail.com <mailto:mark.bret...@gmail.com>
>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jon...@hep.phy.cam.ac.uk
>>>>>>>> <mailto:jon...@hep.phy.cam.ac.uk>> wrote:
>>>>>>>>
>>>>>>>> /etc/ssl/cert.pem
>
