On Sun, Oct 31, 2021 at 07:59:29AM -0400, "Richard L. Hamilton" <rlha...@smart.net> wrote:
> I think you're onto something here. (color highlighting added, not in the
> original output)
>
> sh-3.2$ # 10.14
> sh-3.2$ /usr/bin/curl -sS https://ports.macports.org >/dev/null
> curl: (60) SSL certificate problem: certificate has expired
> # lines of advice in error message skipped here
> sh-3.2$ /opt/local/bin/curl -sS https://ports.macports.org >/dev/null
> sh-3.2$ echo $?
> 0
>
> (the expired above isn't surprising since I haven't updated the root
> certificates on there)
>
> but
>
> sh-3.2$ # 10.6
> sh-3.2$ /usr/bin/curl -sS https://ports.macports.org/ >/dev/null
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> sh-3.2$ /opt/local/bin/curl -sS https://ports.macports.org/ >/dev/null
> sh-3.2$ echo $?
> 0
>
> On the 10.6, I had updated the root certificates...but the error
> is different; evidently there have been changes to the protocol
> and/or crypto used that merely updating the certificates does not
> fix. The MacPorts version of curl still works fine. Note that pointing
> Safari to that same URL (https://ports.macports.org/) also fails with
> unable to establish secure connection. So on older systems, EVEN WITH
> CERTIFICATES UPDATED, browsing with a non-updated browser and/or
> one that uses system libcrypto will fail for various sites, as will
> various non-browser software that tries to establish TLS connections
> using system libcrypto.

I'm fairly sure that Safari on 10.6 only supports TLSv1.0 which is a
separate reason for it not being able to connect to websites.
/usr/bin/curl might have the same problem. The ports.macports.org
does not support TLSv1.0. If it did, old /usr/bin/curl might still
work. It uses /usr/lib/libssl.44.dylib. Someone on the internet thinks
that's old LibreSSL, but the first release that libressl.org admits to
is v2.0.0.

> So if mpstats is failing on curl, it's not using the MacPorts version
> of curl. Which certainly would be distorting the stats against the
> poor suffering older OS version users, even if, knowing they're poor
> and suffering, they volunteer to provide stats.
>
> IMO, it should check if ${prefix}/bin/curl is present and use it if it
> is, and only use the default if that isn't present - which in practice
> probably would never happen, because so many ports ultimately depend
> on the curl port. Interestingly it did NOT matter if PATH began with
> /opt/local/bin when mpstats was run, it still found the OS version
> rather than the MacPorts version.

Yes. I think /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl
is definitely indicating that the system curl is used for some things,
and that must include mpstats. But updates still work.

>
> On Oct 31, 2021, at 05:37, raf <macpo...@raf.org> wrote:
> >
> >
> > Actually, something looks weird with macports statistics.
> >
> > On 10.14:
> >
> >> /opt/local/libexec/mpstats submit
> > Submitting data to https://ports.macports.org/statistics/submit/ ...
> > Error: Peer certificate cannot be authenticated with given CA certificates
> >    while executing
> > "curl post "submission\[data\]=$json" $stats_url"
> >
> > On 10.6:
> >
> >> /opt/local/libexec/mpstats submit
> > Submitting data to https://ports.macports.org/statistics/submit/ ...
> > Error: SSL connect error
> >    while executing
> > "curl post "submission\[data\]=$json" $stats_url"
> >
> > It has a LetsEncrypt certificate but this should work. It should be
> > macport's curl that has its own CA bundle.
> >
> > The certificate chain does still contain "DST Root CA X3". I thought
> > that was getting removed.
> >
> > Anyway, it looks like I didn't manage to fix my system root certificates
> > after all, even though "ISRG Root X1" is installed (and "DST Root XA 3" is
> > manually trusted just to be extra sure). :-)
> >
> > /usr/bin/curl is still failing, and for some reason, mpstats must be using
> > /usr/bin/curl instead of /opt/local/bin/curl. That doesn't sound possible,
> > but that's what it looks like.
> >
> > According to check_for_app in
> > /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl,
> > it looks like the curl that's used is the system one in /usr/bin.
> >
> > I think that means that macports does require the system root certificates
> > to be functional (for some things at least). Is anyone else on old systems
> > able to run "/opt/local/libexec/mpstats submit"? I read somewhere that
> > errors are silently ignored during automatic submission.
> >
> > Could this be why https://ports.macports.org/statistics/ shows almost
> > nothing for 10.{14,13,8,7,6,5,4}? Or are those numbers accurate?
> >
> > cheers,
> > raf
> --
> eMail: mailto:rlha...@smart.net
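
The check discussed in this thread, as an added example that is not part of the original messages and is not MacPorts code: prefer `${prefix}/bin/curl` over the system curl, and tell the two failures seen above apart by curl's exit code (60 is the certificate verification failure, 35 is the TLS handshake failure). The function names `pick_curl`, `classify_curl_exit` and `probe_tls` are hypothetical, and the second argument to `pick_curl` is an assumption added so the fallback path can be overridden.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from MacPorts.

# Print the curl binary to use: ${prefix}/bin/curl when it is executable,
# otherwise the system curl. Returns 1 when neither exists.
pick_curl() {
    prefix=${1:-/opt/local}
    system_curl=${2:-/usr/bin/curl}   # assumption: overridable fallback
    if [ -x "$prefix/bin/curl" ]; then
        printf '%s\n' "$prefix/bin/curl"
    elif [ -x "$system_curl" ]; then
        printf '%s\n' "$system_curl"
    else
        return 1
    fi
}

# Map a curl exit code to the kind of failure shown in the thread.
classify_curl_exit() {
    case "$1" in
        0)  echo ok ;;
        # 35: handshake failed (e.g. "tlsv1 alert protocol version");
        #     updating root certificates does not fix this.
        35) echo tls-handshake ;;
        # 60: chain could not be verified (e.g. "certificate has expired");
        #     the CA store used by this curl needs attention.
        60) echo cert-verify ;;
        *)  echo "other-$1" ;;
    esac
}

# Fetch a URL with the given curl, discard the body, report the diagnosis.
probe_tls() {
    curl_bin=$1
    url=$2
    rc=0
    "$curl_bin" -sS -o /dev/null "$url" 2>/dev/null || rc=$?
    printf '%s %s\n' "$curl_bin" "$(classify_curl_exit "$rc")"
}

# Usage (needs network access):
#   probe_tls /usr/bin/curl https://ports.macports.org/
#   probe_tls "$(pick_curl /opt/local)" https://ports.macports.org/
```

Running `probe_tls` once per curl binary on an affected machine shows whether a failing submission points at the CA store or at the TLS library itself.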