There is something fundamentally different between the OS 11 install on the Intel MacBook vs the M1 iMac. I even wiped clean the MacBook and reinstalled OS 11 and created a new admin account — no third-party software installed. Apple's curl failed as before.
I compared MacPorts’ curl/openssl on the MacBook (note it is using curl-ca-bundle.crt):

Downloads $ which curl
/opt/local/bin/curl
Downloads $ curl -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 62.141.177.111:443...
* Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /opt/local/share/curl/curl-ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [21 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [5159 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.; OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS); OU=RT; CN=www.wias-berlin.de
*  start date: Aug 4 13:43:33 2021 GMT
*  expire date: Sep 4 13:43:33 2022 GMT
*  subjectAltName: host "wias-berlin.de" matched cert's "wias-berlin.de"
*  issuer: C=DE; O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
> Host: wias-berlin.de
> User-Agent: curl/7.84.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 18 Jul 2022 11:54:58 GMT
< Server: Apache-Coyote/1.1
< Strict-Transport-Security: max-age=63072000
< Accept-Ranges: bytes
< ETag: W/"282433-1534863100000"
< Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
< Content-Type: application/x-gzip
< Content-Length: 282433

/etc/ssl/cert.pem worked as well with curl 7.84.0. Note "TLSv1.0 (OUT), TLS header, Certificate Status (22):". I also tried the curl-ca-bundle.crt with Apple’s curl:

Downloads $ /usr/bin/curl --cacert /opt/local/share/curl/curl-ca-bundle.crt -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 62.141.177.111...
* TCP_NODELAY set
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to wias-berlin.de (62.141.177.111) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [59 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [6122 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure

Chrome has a 'Copy as cURL' feature so you can inspect what the browser is doing:

curl 'https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: JSESSIONID=45D13EF3D3A2EA7165891DDD8E42CF09' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --compressed

Although it downloaded the file, it noted this error:

Mixed Content: The site at 'https://wias-berlin.de/' was loaded over a secure connection, but the file at 'https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

So it may have something to do with this host in particular and the curl version; I don’t think it has anything to do with the cert files.

Mark Brethen
mark.bret...@gmail.com

> On Jul 18, 2022, at 3:21 AM, Christopher Jones <jon...@hep.phy.cam.ac.uk>
> wrote:
>
>> On 17 Jul 2022, at 7:12 pm, Mark Brethen <mark.bret...@gmail.com> wrote:
>>
>> It’s interesting that curl fails from my older MacBook Air, but passes on
>> the M1 iMac, both with OS 11 installed. Even after a clean reinstall. I
>> suspect it’s something about Apple’s openssl. Browsers don’t seem to mind
>> the certificate.
>
> No, I very much doubt that is the case. If it were the case it would fail
> for you on both machines.
>
>>
>> As a workaround, I’d like to add something like this:
>>
>> set check.os.major 21
>> if {${check.os.major} > ${os.major}} {
>>     depends_fetch-append curl
>>     fetch {
>>         system "curl -L -o ${distpath}/${distfiles} ${master_sites}${distfiles}"
>>     }
>> }
>
> It is not appropriate to add that to a port file when the origin of the issue
> is still not understood, and quite likely something specific to your setup.
>
> Chris
>
>>
>> Mark Brethen
>> mark.bret...@gmail.com
>>
>>> On Jul 17, 2022, at 8:49 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>
>>> I think I’m getting to the root of the problem. I tried to obtain the SSL
>>> certificate from the host server using openssl.
>>>
>>> Downloads $ echo | openssl s_client -servername wias-berlin.de -connect wias-berlin.de:443 |\
>>> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems
>>> Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>> verify return:1
>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>>> e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>> verify return:1
>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>>> e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>> verify return:1
>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V.,
>>> OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS), OU =
>>> RT, CN = www.wias-berlin.de
>>> verify return:1
>>> 4479426220:error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert
>>> handshake
>>> failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL
>>> alert number 40
>>> 4479426220:error:140080E5:SSL routines:CONNECT_CR_KEY_EXCH:ssl handshake
>>> failure:/System/Volumes/Data/SWE/macOS/BuildRoots/880a0f6e74/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.4/libressl-2.8/ssl/ssl_pkt.c:585:
>>>
>>> I don’t get this error on the iMac with the same OS, same openssl versions.
>>>
>>> Mark
>>>
>>>> On Jul 15, 2022, at 1:44 PM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>
>>>> Maybe it’s openssl in /opt/local/bin? On the MacBook Air:
>>>>
>>>> ports $ which openssl
>>>> /opt/local/bin/openssl
>>>> ports $ openssl version
>>>> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>>>>
>>>> The iMac has /opt/local/bin/openssl 1.1.1
>>>>
>>>> /usr/bin/openssl is libressl 2.8.3 for both.
>>>>
>>>> Mark Brethen
>>>> mark.bret...@gmail.com
>>>>
>>>>> On Jul 15, 2022, at 1:32 PM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>>
>>>>> Heck if I know what’s wrong. Everything being equal, curl on the iMac
>>>>> works, but on the MacBook Air it does not. Both have the same OS, same
>>>>> curl version at /usr/bin, same cert.pem.
>>>>>
>>>>> Mark Brethen
>>>>> mark.bret...@gmail.com
>>>>>
>>>>>> On Jul 15, 2022, at 11:42 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>>>
>>>>>> On the MacBook Air openssl is able to get the certificate
>>>>>>
>>>>>> Downloads $ openssl s_client -connect wias-berlin.de:443
>>>>>> CONNECTED(00000005)
>>>>>> depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems
>>>>>> Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>>> verify return:1
>>>>>> depth=2 C = DE, O = Verein zur Foerderung eines Deutschen
>>>>>> Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification
>>>>>> Authority 2
>>>>>> verify return:1
>>>>>> depth=1 C = DE, O = Verein zur Foerderung eines Deutschen
>>>>>> Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>> verify return:1
>>>>>> depth=0 C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin
>>>>>> e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik
>>>>>> (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>>> verify return:1
>>>>>> ---
>>>>>> Certificate chain
>>>>>>  0 s:C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin e.V.,
>>>>>> OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS),
>>>>>> OU = RT, CN = www.wias-berlin.de
>>>>>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>>>>>> e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>>>>>>    v:NotBefore: Aug 4 13:43:33 2021 GMT; NotAfter: Sep 4 13:43:33 2022
>>>>>> GMT
>>>>>>  1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>>>>>> e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>>    i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>>>>>> e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>>>    v:NotBefore: May 24 11:38:40 2016 GMT; NotAfter: Feb 22 23:59:59 2031
>>>>>> GMT
>>>>>>  2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes
>>>>>> e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
>>>>>>    i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems
>>>>>> Trust Center, CN = T-TeleSec GlobalRoot Class 2
>>>>>>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>>>>>>    v:NotBefore: Feb 22 13:38:22 2016 GMT; NotAfter: Feb 22 23:59:59 2031
>>>>>> GMT
>>>>>> ---
>>>>>> Server certificate
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> <clip>
>>>>>> -----END CERTIFICATE-----
>>>>>> subject=C = DE, ST = Berlin, L = Berlin, O = Forschungsverbund Berlin
>>>>>> e.V., OU = Weierstrass-Institut f. Angewandte Analysis u. Stochastik
>>>>>> (WIAS), OU = RT, CN = www.wias-berlin.de
>>>>>> issuer=C = DE, O = Verein zur Foerderung eines Deutschen
>>>>>> Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
>>>>>> ---
>>>>>> No client certificate CA names sent
>>>>>> Peer signing digest: SHA256
>>>>>> Peer signature type: RSA-PSS
>>>>>> Server Temp Key: X25519, 253 bits
>>>>>> ---
>>>>>> SSL handshake has read 5958 bytes and written 400 bytes
>>>>>> Verification: OK
>>>>>> ---
>>>>>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>>>>>> Server public key is 4096 bit
>>>>>> Secure Renegotiation IS NOT supported
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> No ALPN negotiated
>>>>>> Early data was not sent
>>>>>> Verify return code: 0 (ok)
>>>>>> ---
>>>>>> ---
>>>>>> Post-Handshake New Session Ticket arrived:
>>>>>> SSL-Session:
>>>>>>     Protocol : TLSv1.3
>>>>>>     Cipher : TLS_AES_256_GCM_SHA384
>>>>>>     Session-ID:
>>>>>> 59F731F1CDD19B47E950494E9EE1B8A0550BF8AC10649DB3C7232926EEC1530A
>>>>>>     Session-ID-ctx:
>>>>>>     Resumption PSK:
>>>>>> A3FDED018305178A2940F1CC082F27F0BFD32592CA51C904C07E446B5B5EEDBC496CDC1711F7E87A9AED84131B1A790C
>>>>>>     PSK identity: None
>>>>>>     PSK identity hint: None
>>>>>>     SRP username: None
>>>>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>>>>     TLS session ticket:
>>>>>>     0000 - 04 c1 6f 8b 74 4d 64 1e-64 33 c2 af 4c 3d 57 07
>>>>>> ..o.tMd.d3..L=W.
>>>>>>     0010 - b8 55 a9 29 03 a4 7c 58-7a 93 f8 48 f2 7a c6 a9
>>>>>> .U.)..|Xz..H.z..
>>>>>>
>>>>>>     Start Time: 1657903105
>>>>>>     Timeout : 7200 (sec)
>>>>>>     Verify return code: 0 (ok)
>>>>>>     Extended master secret: no
>>>>>>     Max Early Data: 0
>>>>>> ---
>>>>>> read R BLOCK
>>>>>> ---
>>>>>> Post-Handshake New Session Ticket arrived:
>>>>>> SSL-Session:
>>>>>>     Protocol : TLSv1.3
>>>>>>     Cipher : TLS_AES_256_GCM_SHA384
>>>>>>     Session-ID:
>>>>>> 442D3ABED4D45BD62EA3B62E38EEE60BEE8D146EAC1B5549645F78E5AEC70D70
>>>>>>     Session-ID-ctx:
>>>>>>     Resumption PSK:
>>>>>> D32F86E1E5AE9DC8A3F551D4F4E4BAAF20448E5C7D169D12685577ADC60440556044B374436BFDAA22E6DF026FFBD77A
>>>>>>     PSK identity: None
>>>>>>     PSK identity hint: None
>>>>>>     SRP username: None
>>>>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>>>>     TLS session ticket:
>>>>>>     0000 - 5d 89 a2 5e 7a b3 18 13-89 f7 07 66 f7 52 5a d4
>>>>>> ]..^z......f.RZ.
>>>>>>     0010 - 22 b4 f8 78 af 92 bf 39-16 9b 4c 63 8b fa 4d d9
>>>>>> "..x...9..Lc..M.
>>>>>>
>>>>>>     Start Time: 1657903105
>>>>>>     Timeout : 7200 (sec)
>>>>>>     Verify return code: 0 (ok)
>>>>>>     Extended master secret: no
>>>>>>     Max Early Data: 0
>>>>>> ---
>>>>>> read R BLOCK
>>>>>> closed
>>>>>>
>>>>>> Mark Brethen
>>>>>> mark.bret...@gmail.com
>>>>>>
>>>>>>> On Jul 15, 2022, at 10:51 AM, Mark Brethen <mark.bret...@gmail.com> wrote:
>>>>>>>
>>>>>>> On the iMac (OS 11.6.7):
>>>>>>>
>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>>
>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport)
>>>>>>> LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>> Release-Date: 2019-03-27
>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile
>>>>>>> libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>
>>>>>>> Downloads $ /usr/bin/curl -L -v -o tetgen1.5.1.tar.gz https://wias-berlin.de/software/tetgen/1.5/src/tetgen1.5.1.tar.gz
>>>>>>> % Total % Received % Xferd Average Speed Time Time Time
>>>>>>> Current
>>>>>>> Dload Upload Total Spent Left
>>>>>>> Speed
>>>>>>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
>>>>>>> 0* Trying 62.141.177.111...
>>>>>>> * TCP_NODELAY set
>>>>>>> * Connected to wias-berlin.de (62.141.177.111)
>>>>>>> port 443 (#0)
>>>>>>> * ALPN, offering h2
>>>>>>> * ALPN, offering http/1.1
>>>>>>> * successfully set certificate verify locations:
>>>>>>> * CAfile: /etc/ssl/cert.pem
>>>>>>> CApath: none
>>>>>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>>>>> } [228 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>>>>>> { [104 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>>>>>> { [5152 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>>>>>> { [556 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>>>>>> { [4 bytes data]
>>>>>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>>>>>> } [37 bytes data]
>>>>>>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>>> } [1 bytes data]
>>>>>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>>>>>> } [16 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
>>>>>>> { [1 bytes data]
>>>>>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>>>>>> { [16 bytes data]
>>>>>>> * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
>>>>>>> * ALPN, server accepted to use http/1.1
>>>>>>> * Server certificate:
>>>>>>> * subject: C=DE; ST=Berlin; L=Berlin; O=Forschungsverbund Berlin e.V.;
>>>>>>> OU=Weierstrass-Institut f. Angewandte Analysis u. Stochastik (WIAS);
>>>>>>> OU=RT; CN=www.wias-berlin.de
>>>>>>> * start date: Aug 4 13:43:33 2021 GMT
>>>>>>> * expire date: Sep 4 13:43:33 2022 GMT
>>>>>>> * subjectAltName: host "wias-berlin.de"
>>>>>>> matched cert's "wias-berlin.de"
>>>>>>> * issuer: C=DE; O=Verein zur Foerderung eines Deutschen
>>>>>>> Forschungsnetzes e. V.; OU=DFN-PKI; CN=DFN-Verein Global Issuing CA
>>>>>>> * SSL certificate verify ok.
>>>>>>> > GET /software/tetgen/1.5/src/tetgen1.5.1.tar.gz HTTP/1.1
>>>>>>> > Host: wias-berlin.de
>>>>>>> > User-Agent: curl/7.64.1
>>>>>>> > Accept: */*
>>>>>>> >
>>>>>>> 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:--
>>>>>>> 0< HTTP/1.1 200 OK
>>>>>>> < Date: Fri, 15 Jul 2022 15:43:03 GMT
>>>>>>> < Server: Apache-Coyote/1.1
>>>>>>> < Strict-Transport-Security: max-age=63072000
>>>>>>> < Accept-Ranges: bytes
>>>>>>> < ETag: W/"282433-1534863100000"
>>>>>>> < Last-Modified: Tue, 21 Aug 2018 14:51:40 GMT
>>>>>>> < Content-Type: application/x-gzip
>>>>>>> < Content-Length: 282433
>>>>>>> <
>>>>>>> { [7906 bytes data]
>>>>>>> 100 275k 100 275k 0 0 156k 0 0:00:01 0:00:01
>>>>>>> --:--:-- 156k
>>>>>>> * Connection #0 to host wias-berlin.de left
>>>>>>> intact
>>>>>>> * Closing connection 0
>>>>>>>
>>>>>>> Mark Brethen
>>>>>>> mark.bret...@gmail.com
>>>>>>>
>>>>>>>> On Jul 15, 2022, at 10:18 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>
>>>>>>>> On 15/07/2022 4:16 pm, Mark Brethen wrote:
>>>>>>>>> cert.pem has the same date
>>>>>>>>
>>>>>>>> very surprised ...
>>>>>>>>
>>>>>>>> and..... does the curl fetch also fail ?
>>>>>>>>
>>>>>>>>> Mark Brethen
>>>>>>>>> mark.bret...@gmail.com
>>>>>>>>>> On Jul 15, 2022, at 10:11 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>
>>>>>>>>>> On 15/07/2022 4:08 pm, Mark Brethen wrote:
>>>>>>>>>>> I checked Big Sur on my iMac, which came installed with Big Sur. It
>>>>>>>>>>> also has version 7.64.1.
>>>>>>>>>>
>>>>>>>>>> how old is the cert.pem file though ?
>>>>>>>>>>
>>>>>>>>>> Does the fetch using /usr/bin/curl work there or not ?
>>>>>>>>>>
>>>>>>>>>> I’m surprised macports is using the native curl. Apple is notorious
>>>>>>>>>> for not updating to the latest versions of software with each new OS.
>>>>>>>>>>> Mark Brethen
>>>>>>>>>>> mark.bret...@gmail.com
>>>>>>>>>>>> On Jul 15, 2022, at 9:55 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On 15/07/2022 3:49 pm, Mark Brethen wrote:
>>>>>>>>>>>>> -rw-r--r-- 1 root wheel 346545 Jan 1 2020 cert.pem
>>>>>>>>>>>>
>>>>>>>>>>>> The above could be your problem, as that is very old, 2.5 years or
>>>>>>>>>>>> so now. It actually pre-dates the public release of macOS 11,
>>>>>>>>>>>> which wasn't until November that year, which makes it quite
>>>>>>>>>>>> suspicious...
>>>>>>>>>>>>
>>>>>>>>>>>> In comparison mine is from May this year, on macOS12. I would
>>>>>>>>>>>> imagine the same on macOS 11 to be much more up to date than the
>>>>>>>>>>>> above.
>>>>>>>>>>>>
>>>>>>>>>>>> This could be some relic of your big update from OSX10.13 to
>>>>>>>>>>>> macOS11...
>>>>>>>>>>>>
>>>>>>>>>>>> So, I am not sure how, but you need the above to be updated I
>>>>>>>>>>>> believe...
>>>>>>>>>>>>
>>>>>>>>>>>> Have you checked system update to make sure you are fully up to
>>>>>>>>>>>> date ?
>>>>>>>>>>>>
>>>>>>>>>>>> Chris
>>>>>>>>>>>>
>>>>>>>>>>>>> ~ $ /usr/bin/curl --version
>>>>>>>>>>>>> curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1
>>>>>>>>>>>>> (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
>>>>>>>>>>>>> Release-Date: 2019-03-27
>>>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap
>>>>>>>>>>>>> ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>>>> Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos
>>>>>>>>>>>>> Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
>>>>>>>>>>>>> Mark Brethen
>>>>>>>>>>>>> mark.bret...@gmail.com
>>>>>>>>>>>>>> On Jul 15, 2022, at 9:44 AM, Chris Jones <jon...@hep.phy.cam.ac.uk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/ssl/cert.pem
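
The two /usr/bin/curl traces quoted in this thread can be lined up message by message to see where the MacBook handshake stops. This is an added example, not part of any message in the thread; the names parse_trace and compare are made up for illustration, and the sample traces are copied from the thread and trimmed.

```python
import re

# Handshake line from `curl -v`, e.g. "* TLSv1.2 (IN), TLS handshake, Server hello (2):"
STEP = re.compile(r"\* TLSv[\d.]+ \((IN|OUT)\), TLS ([\w ]+), (.+?) \(\d+\):")
SIZE = re.compile(r"[{}] \[(\d+) bytes data\]")
DONE = re.compile(r"\* SSL connection using (\S+) / (\S+)|curl: \((\d+)\)")

# Both traces are the /usr/bin/curl 7.64.1 output quoted in the thread,
# trimmed to handshake lines (the iMac one is cut after its fourth message).
IMAC_OK = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [104 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5152 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
"""
MACBOOK_FAIL = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [59 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [6122 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
curl: (35) error:14008410:SSL routines:CONNECT_CR_KEY_EXCH:sslv3 alert handshake failure
"""


def parse_trace(text):
    """Return (steps, outcome); each step is [direction, record, name, size]."""
    steps, outcome, pending = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := STEP.match(line):
            # Newer curl also logs raw "TLS header" records; they are not messages.
            pending = None if m[2] == "header" else [m[1], m[2], m[3], None]
            if pending:
                steps.append(pending)
        elif (m := SIZE.match(line)) and pending:
            pending[3] = int(m[1])  # byte count belongs to the message just logged
            pending = None
        elif m := DONE.match(line):
            outcome = f"curl exit {m[3]}" if m[3] else f"{m[1]} / {m[2]}"
    return steps, outcome


def compare(a, b):
    """Return (first differing message, same-message size differences before it)."""
    n = 0
    while n < min(len(a), len(b)) and a[n][:3] == b[n][:3]:
        n += 1
    at = lambda s: tuple(s[n][:3]) if n < len(s) else None
    diverge = None if n == len(a) == len(b) else (n, at(a), at(b))
    resized = [(a[i][2], a[i][3], b[i][3]) for i in range(n) if a[i][3] != b[i][3]]
    return diverge, resized


if __name__ == "__main__":
    ok, ok_result = parse_trace(IMAC_OK)
    bad, bad_result = parse_trace(MACBOOK_FAIL)
    print(ok_result, "|", bad_result)
    print(compare(ok, bad))
```

On these two traces the message sequences match through Certificate, after which the iMac logs Server key exchange where the MacBook logs the handshake-failure alert. The Server hello and Certificate messages already differ in size before that point, even though both clients sent a 228-byte Client hello.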