Maybe it’s openssl in /opt/local/bin? On the MacBook Air:

ports $ which openssl
/opt/local/bin/openssl
ports $ openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
The iMac has /opt/local/bin/openssl 1.1.1

/usr/bin/openssl is libressl 2.8.3 for both.

Mark Brethen
mark.bret...@gmail.com

> On Jul 15, 2022, at 1:32 PM, Mark Brethen <mark.bret...@gmail.com> wrote:
>
> Heck if I know what’s wrong. Everything being equal, curl on the iMac works,
> but on the MacBook Air it does not. Both have the same OS, same curl version
> at /usr/bin, same cert.pem.
>
> Mark Brethen
> mark.bret...@gmail.com
>
>> On Jul 15, 2022, at 11:42 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>
>> On the MacBook Air openssl is able to get the certificate
>>
>> Downloads $ openssl s_client -connect wias-berlin.de:443
>> CONNECTED(00000005)
>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust
>> Center, CN = T-TeleSec GlobalRoot Class 2
>> verify return:1
>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>> e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>> verify return:1
>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>> e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>> verify return:1
>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V.,
>> OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU =
>> RT, CN = www.wias-berlin.de
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V., OU
>> = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU = RT,
>> CN = www.wias-berlin.de
>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
>> V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>>    v:NotBefore: Aug 4 13:43:33 2021 GMT; NotAfter: Sep 4 13:43:33 2022 GMT
>>  1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
>> V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
>> V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>    v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>>  2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
>> V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>    i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust
>> Center, CN = T-TeleSec GlobalRoot Class 2
>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>    v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031 GMT
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> <clip>
>> -----END CERTIFICATE-----
>> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V.,
>> OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU =
>> RT, CN = www.wias-berlin.de
>> issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e.
>> V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA256
>> Peer signature type: RSA-PSS
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 5958 bytes and written 400 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>> Server public key is 4096 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>     Protocol : TLSv1.3
>>     Cipher : TLS_AES_256_GCM_SHA384
>>     Session-ID:
>> 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
>>     Session-ID-ctx:
>>     Resumption PSK:
>> A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 300 (seconds)
>>     TLS session ticket:
>>     0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07 ..o.tMd.d3..L=W.
>>     0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9 .U.)..|Xz..H.z..
>>
>>     Start Time: 1657903105
>>     Timeout : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>>     Max Early Data: 0
>> ---
>> read R BLOCK
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>     Protocol : TLSv1.3
>>     Cipher : TLS_AES_256_GCM_SHA384
>>     Session-ID:
>> 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
>>     Session-ID-ctx:
>>     Resumption PSK:
>> D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 300 (seconds)
>>     TLS session ticket:
>>     0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4 ]..^z......f.RZ.
>>     0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9 "..x...9..Lc..M.
>>
>>     Start Time: 1657903105
>>     Timeout : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>>     Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>>
>> Mark Brethen
>> mark.bret...@gmail.com
>>
>>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>
>>> On the iMac (OS 11.6.7):
>>>
>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>
>>> ~ $ /usr/bin/curl --version
>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport)
>>> LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>> Release-Date: 2019-03-27
>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
>>> pop3s rtsp smb smbs smtp smtps telnet tftp
>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz
>>> MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>
>>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
>>> % Total % Received % Xferd Average Speed Time Time Time
>>> Current
>>> Dload Upload Total Spent Left Speed
>>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
>>> 0* Trying 62.141.177.111...
>>> * TCP_NODELAY set
>>> * Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
>>> * ALPN, offering h2
>>> * ALPN, offering http/1.1
>>> * successfully set certificate verify locations:
>>> * CAfile: /etc/ssl/cert.pem
>>> CApath: none
>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>> } [228 bytes data]
>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>> { [104 bytes data]
>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>> { [5152 bytes data]
>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>> { [556 bytes data]
>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>> { [4 bytes data]
>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>> } [37 bytes data]
>>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>>> } [1 bytes data]
>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>> } [16 bytes data]
>>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>>> { [1 bytes data]
>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>> { [16 bytes data]
>>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>>> * ALPN, server accepted to use http/1.1
>>> * Server certificate:
>>> * subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.;
>>> OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT;
>>> CN=www.wias-berlin.de
>>> * start date: Aug 4 13:43:33 2021 GMT
>>> * expire date: Sep 4 13:43:33 2022 GMT
>>> * subjectAltName: host "wias-berlin.de" matched
>>> cert's "wias-berlin.de"
>>> * issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes
>>> e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>>> * SSL certificate verify ok.
>>> > GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>>> > Host: wias-berlin.de
>>> > User-Agent: curl/7.64.1
>>> > Accept: */*
>>> >
>>> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:--
>>> 0< HTTP/1.1 200 OK
>>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>>> < Server: Apache-Coyote/1.1
>>> < Strict-Transport-Security: max-age=63072000
>>> < Accept-Ranges: bytes
>>> < ETag: W/"282433-1534863100000"
>>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>>> < Content-Type: application/x-gzip
>>> < Content-Length: 282433
>>> <
>>> { [7906 bytes data]
>>> 100 275k 100 275k 0 0 156k 0 0:00:01 0:00:01 --:--:--
>>> 156k
>>> * Connection #0 to host wias-berlin.de left intact
>>> * Closing connection 0
>>>
>>> Mark Brethen
>>> mark.bret...@gmail.com
>>>
>>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>
>>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>>> cert.pem has the same date
>>>>
>>>> very surprised ...
>>>>
>>>> and..... does the curl fetch also fail ?
>>>>
>>>>> Mark Brethen
>>>>> mark.bret...@gmail.com
>>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>
>>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>>> I checked big sur on my iMac, which came installed with big sur. It
>>>>>>> also has version 7.64.1.
>>>>>>
>>>>>> how old is the cert.pem file though ?
>>>>>>
>>>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>>>
>>>>>> I’m surprised macports is using the native curl. Apple is notorious for
>>>>>> not updating to the latest versions of software with each new OS.
>>>>>>> Mark Brethen
>>>>>>> mark.bret...@gmail.com
>>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>
>>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>>>
>>>>>>>> The above could be your problem, as that is very old, 2.5 years or so
>>>>>>>> now. It actually pre-dates the public release of macOS 11, which
>>>>>>>> wasn't until November that year, which makes it quite suspicious...
>>>>>>>>
>>>>>>>> In comparison mine is from May this year, on macOS12. I would imagine
>>>>>>>> the same on macOS 11 to be much more up to date than the above.
>>>>>>>>
>>>>>>>> This could be some relic of your big update from OSX10.13 to macOS11...
>>>>>>>>
>>>>>>>> So, I am not sure how, but you need the above to be updated I
>>>>>>>> believe...
>>>>>>>>
>>>>>>>> Have you checked system update to make sure you are fully up to date ?
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1
>>>>>>>>> (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>>> Release-Date: 2019-03-27
>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>>>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile
>>>>>>>>> libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>>> Mark Brethen
>>>>>>>>> mark.bret...@gmail.com
>>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>
>>>>>>>>>> /etc/ssl/cert.pem