
revert setting --insecure to download ca-certificates #18800

Open: wants to merge 1 commit into base: master

Conversation

@EricFromCanada (Member) commented Nov 22, 2024

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

Previously, adding --insecure was necessary for curl to download the ca-certificates .pem file on older macOS versions. At some point since then, the way Homebrew downloads this file was changed in a way that happens to allow stock curl on macOS 10.11 & 10.12 (curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8) to download it during installation without needing --insecure.

This would have gone unnoticed, except that now adding --insecure actively prevents downloading from servers whose certificates rely on SNI because of a quirk of Secure Transport:

$ /usr/bin/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.4.6-25-gf597978\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 10.12.6\)\ curl/7.54.0 --header Accept-Language:\ en --fail --retry 3 --insecure --remote-time --output /Users/vmadmin/Library/Caches/Homebrew/downloads/4080d87775c0373afc13f3d24afaa24bdbbec40879ce7e9c09896f1ab36e5259--cacert-2024-09-24.pem.incomplete --location https://curl.se/ca/cacert-2024-09-24.pem --http1.1 --verbose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.1.91...
* TCP_NODELAY set
* Connected to curl.se (151.101.1.91) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: n.sni-347-default.ssl.fastly.net
* Server certificate: GlobalSign Atlas R3 DV TLS CA 2024 Q4
* Server certificate: GlobalSign
> GET /ca/cacert-2024-09-24.pem HTTP/1.1
> Host: curl.se
> User-Agent: Homebrew/4.4.6-25-gf597978 (Macintosh; Intel Mac OS X 10.12.6) curl/7.54.0
> Accept: */*
> Accept-Language: en
> 
* The requested URL returned error: 421 Misdirected Request
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (22) The requested URL returned error: 421 Misdirected Request

This doesn't affect macOS 10.13 and later, whose curl uses LibreSSL (curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0).

Removing the code for adding --insecure to download ca-certificates allows fresh installs on macOS 10.11 & 10.12 to work again, which now only need the flag when downloading API *.json files from GitHub.

(This also removes a long-forgotten --insecure reference in vendor-install.sh.)
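As an added example (not part of this PR or of Homebrew's own code), a small parser that checks a curl --verbose trace for the failure pattern described above: --insecure on the command line, Secure Transport's "also disables SNI" warning, a leaf certificate for a name other than the Host header, and a 421. The sample command and trace are constructed, abbreviated from the output quoted in this PR.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, abbreviated from the curl --verbose output quoted in this PR.
SAMPLE_COMMAND = ("/usr/bin/curl --fail --retry 3 --insecure --remote-time "
                  "--location https://curl.se/ca/cacert-2024-09-24.pem --http1.1 --verbose")
SAMPLE_TRACE = """\
* Connected to curl.se (151.101.1.91) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: n.sni-347-default.ssl.fastly.net
* Server certificate: GlobalSign Atlas R3 DV TLS CA 2024 Q4
* Server certificate: GlobalSign
> GET /ca/cacert-2024-09-24.pem HTTP/1.1
> Host: curl.se
* The requested URL returned error: 421 Misdirected Request
curl: (22) The requested URL returned error: 421 Misdirected Request
"""

@dataclass
class CurlTraceReport:
    insecure_flag: bool              # -k/--insecure was on the command line
    sni_disabled: bool               # Secure Transport printed its "also disables SNI" warning
    host_header: Optional[str]       # name curl asked for at the HTTP layer
    leaf_certificate: Optional[str]  # first "Server certificate:" line, i.e. the leaf
    http_status: Optional[int]

    def misdirected_by_insecure(self) -> bool:
        """True when --insecure suppressed SNI, the server answered with a default
        certificate for another name, and then refused the Host header with 421."""
        return (self.insecure_flag and self.sni_disabled and self.http_status == 421
                and self.leaf_certificate is not None
                and self.leaf_certificate != self.host_header)

def parse_curl_trace(command: str, trace: str) -> CurlTraceReport:
    insecure = re.search(r"(?:^|\s)(?:--insecure|-k)(?:\s|$)", command) is not None
    sni_disabled = "disables SNI" in trace
    host = leaf = status = None
    for line in trace.splitlines():
        if line.startswith("> Host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("* Server certificate:") and leaf is None:
            leaf = line.split(":", 1)[1].strip()
        elif status is None:
            # --fail reports the status as "returned error: NNN"; a plain trace shows "< HTTP/x NNN".
            m = re.search(r"returned error: (\d{3})|^< HTTP/\S+ (\d{3})", line)
            if m:
                status = int(m.group(1) or m.group(2))
    return CurlTraceReport(insecure, sni_disabled, host, leaf, status)

if __name__ == "__main__":
    report = parse_curl_trace(SAMPLE_COMMAND, SAMPLE_TRACE)
    print("SNI suppressed by --insecure" if report.misdirected_by_insecure() else "no match")
```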

@MikeMcQuaid (Member) left a comment

Great news, thanks @EricFromCanada!
