#47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate
---------------------------+--------------------------
  Reporter:  fabien@…      |      Owner:  ryandesign@…
      Type:  defect        |     Status:  new
  Priority:  Normal        |  Milestone:
 Component:  ports         |    Version:  2.3.3
Resolution:                |   Keywords:
      Port:  curl openssl  |
---------------------------+--------------------------

Comment (by cal@…):

 The problem is that Apple removed a 1024-bit root in Yosemite, that was
 used as a trust anchor for Google's (and possibly other sites) certificates.
 Normally, this would not affect certificate validity, because one of the
 intermediate certificates in its chain is not a trusted root CA in OS X (in
 the case of Google, it's GeoTrust Global CA). However, OpenSSL before 1.0.2
 does not detect this situation as it should (by checking whether any of the
 intermediates is a trusted root CA) and always follows the chain of trust
 to the end. In this situation, it fails to verify the certificate, because
 the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2
 added a switch to fix that (activated by `-trusted_first` in `openssl
 s_client`), but this option needs to be enabled by each software
 separately. For curl, see
 https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html. For
 python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).

-- 
Ticket URL: <https://trac.macports.org/ticket/47805#comment:5>
MacPorts <https://www.macports.org/>
Ports system for OS X
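
The two chain-building orders discussed in the comment above, as a simplified model. This is an added example, not code from the ticket, curl or OpenSSL. Certificates are matched by name only, and every name other than "GeoTrust Global CA" is a constructed placeholder.

```python
from collections import namedtuple

# Simplified model: a certificate is just (subject, issuer). Signatures,
# validity dates and extensions are not modelled.
Cert = namedtuple("Cert", "subject issuer")

LEAF = Cert("www.example.test", "Example Intermediate")          # constructed
INTERMEDIATE = Cert("Example Intermediate", "GeoTrust Global CA")
# Cross-signed copy sent by the server: issued by the removed old root.
CROSS_SIGNED = Cert("GeoTrust Global CA", "Removed 1024-bit Root")
# Self-signed copy of the same CA, present in the local trust store.
SELF_SIGNED = Cert("GeoTrust Global CA", "GeoTrust Global CA")
OLD_ROOT = Cert("Removed 1024-bit Root", "Removed 1024-bit Root")

SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED]
TRUST_STORE = [SELF_SIGNED]  # the 1024-bit root is no longer present


def find_issuer(cert, pool):
    """Return the first certificate in pool whose subject is cert's issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_chain(leaf, untrusted, trusted, trusted_first):
    """Build a path upward from leaf and return (path, verified)."""
    path = [leaf]
    while len(path) < 10:  # depth limit guards against issuer loops
        current = path[-1]
        if current.subject == current.issuer:  # self-signed: end of chain
            return path, current in trusted
        from_store = find_issuer(current, trusted)
        from_peer = find_issuer(current, [c for c in untrusted if c not in path])
        # Legacy order prefers what the peer sent; trusted-first order
        # consults the local trust store before the peer's certificates.
        nxt = (from_store or from_peer) if trusted_first else (from_peer or from_store)
        if nxt is None:
            return path, False  # "unable to get local issuer certificate"
        path.append(nxt)
        if nxt in trusted:
            return path, True
    return path, False


if __name__ == "__main__":
    for flag in (False, True):
        path, ok = build_chain(LEAF, SERVER_CHAIN, TRUST_STORE, flag)
        print("trusted_first=%s verified=%s path=%s"
              % (flag, ok, " -> ".join(c.subject for c in path)))
```

In OpenSSL itself the switch behind `-trusted_first` is the `X509_V_FLAG_TRUSTED_FIRST` verify flag, which Python exposes as `ssl.VERIFY_X509_TRUSTED_FIRST`.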