#47805: curl @7.42.1_0+ssl, openssl @1.0.2a_0 - SSL certificate problem: unable to get local issuer certificate
---------------------------+--------------------------
 Reporter:  fabien@…       |      Owner:  ryandesign@…
     Type:  defect         |     Status:  new
 Priority:  Normal         |  Milestone:
Component:  ports          |    Version:  2.3.3
Resolution:                |   Keywords:
     Port:  curl openssl   |
---------------------------+--------------------------

Comment (by fabien@…):

 Replying to [comment:5 cal@…]:
 > The problem is that Apple removed a 1024-bit root in Yosemite, that was used as a trust anchor for Google's (and possible other sites) certificates. Normally, this would not affect certificate validity, because one of the intermediate certificates in its chain is not a trusted root CA in OS X (in the case of Google, it's GeoTrust Global CA).
 >
 > However, OpenSSL before 1.0.2 does not detect this situation as it should (by checking whether any of the intermediates is a trusted root CA) and always follows the chain of trust to the end. In this situation, it fails to verify the certificate, because the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated by `-trusted_first` in `openssl s_client`), but this option needs to be enabled by each software separately.
 >
 > For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).
 >
 > For python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).
 [[BR]]
 Ok, but how can we explain that curl works when '''certsync''' is activated, and not with '''curl-ca-bundle'''?

 {{{
 curl https://www.chronopost.fr/recherchebt-ws-cxf/PointRelaisServiceWS?wsdl
 }}}

 Thx,
 Fabien

--
Ticket URL: <https://trac.macports.org/ticket/47805#comment:8>
MacPorts <https://www.macports.org/>
Ports system for OS X
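The chain-building difference that comment:5 describes (OpenSSL before 1.0.2 following the peer-supplied chain to its very end, versus stopping as soon as a trust anchor is reached with `-trusted_first`) can be seen in a small model. The Python below is an added illustration, not code from MacPorts, curl or OpenSSL: certificates are reduced to (subject, issuer) pairs, the sample objects are constructed stand-ins modelled on the Google chain the comment mentions (leaf, Google Internet Authority G2, GeoTrust Global CA cross-signed by the older 1024-bit Equifax root), and the function and trust-store names are this example's own. Since the verdict depends on which roots the local store contains, the two store variants let you compare a bundle that still carries the old root with one that does not, which is exactly the knob that differs between trust-store sources.

```python
"""Toy model of OpenSSL X.509 chain building, legacy vs. trusted-first.
Added illustration; not code from MacPorts, curl or OpenSSL. Certificates are
reduced to (subject, issuer) pairs, which is all the walk below needs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed, not parsed from a real one)."""
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Verdicts named after the OpenSSL verify results they correspond to.
OK = "ok"
NO_ISSUER = "unable to get local issuer certificate"             # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)
UNTRUSTED_ROOT = "self signed certificate in certificate chain"  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (19)


def build_chain(leaf, peer_chain, trust_store, trusted_first):
    """Walk issuer links from `leaf` and return (verdict, path).

    peer_chain    -- intermediates sent by the server (untrusted input)
    trust_store   -- the local root CA set (curl-ca-bundle, certsync output, ...)
    trusted_first -- False models OpenSSL < 1.0.2 (and 1.0.2 without the flag);
                     True models X509_V_FLAG_TRUSTED_FIRST / `-trusted_first`.
    """
    untrusted = {c.subject: c for c in peer_chain}
    trusted = {c.subject: c for c in trust_store}
    path = [leaf]
    cur = leaf
    while True:
        if trusted_first:
            # Trusted-first: a trust anchor reachable right now ends the walk,
            # even if the peer also sent a longer (cross-signed) continuation.
            if cur.subject in trusted:
                return OK, path
            if cur.issuer in trusted:
                path.append(trusted[cur.issuer])
                return OK, path
        if cur.is_self_signed():
            # Top of the peer chain: only acceptable if it is itself a trust anchor.
            return (OK if cur.subject in trusted else UNTRUSTED_ROOT), path
        nxt = untrusted.get(cur.issuer)
        if nxt is not None:
            # Legacy behaviour: prefer whatever the peer sent and keep walking.
            path.append(nxt)
            cur = nxt
            continue
        # Peer chain exhausted; only now does legacy mode consult the trust store.
        if cur.issuer in trusted:
            path.append(trusted[cur.issuer])
            return OK, path
        return NO_ISSUER, path


# Constructed sample data modelled on the Google chain from the comment.
LEAF = Cert("www.google.com", "Google Internet Authority G2")
GIA_G2 = Cert("Google Internet Authority G2", "GeoTrust Global CA")
# The copy of GeoTrust Global CA that the server sends is cross-signed by the
# older 1024-bit Equifax root, so the peer chain keeps going past GeoTrust.
GEOTRUST_CROSS = Cert("GeoTrust Global CA", "Equifax Secure Certificate Authority")
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA")
EQUIFAX_ROOT = Cert("Equifax Secure Certificate Authority",
                    "Equifax Secure Certificate Authority")

SERVER_CHAIN = [GIA_G2, GEOTRUST_CROSS]
STORE_WITH_OLD_ROOT = {GEOTRUST_ROOT, EQUIFAX_ROOT}   # store that still carries the 1024-bit root
STORE_ROOT_REMOVED = {GEOTRUST_ROOT}                  # store with the 1024-bit root dropped


def compare():
    """Run all four combinations; returns {(store_name, trusted_first): verdict}."""
    out = {}
    for store_name, store in (("old root present", STORE_WITH_OLD_ROOT),
                              ("old root removed", STORE_ROOT_REMOVED)):
        for tf in (False, True):
            verdict, path = build_chain(LEAF, SERVER_CHAIN, store, tf)
            out[(store_name, tf)] = verdict
            print(f"{store_name:16} trusted_first={tf!s:5} -> {verdict} "
                  f"({' -> '.join(c.subject for c in path)})")
    return out


if __name__ == "__main__":
    compare()
```

Running it shows the legacy walk succeeding only while the store still contains the old root, and failing with the ticket's "unable to get local issuer certificate" once that root is gone, while the trusted-first walk stops at GeoTrust Global CA and succeeds in both stores. Real OpenSSL also checks signatures, validity periods and extensions on every link; the model deliberately keeps only the path-building rule that the comment is about.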