curl / Mailing Lists / curl-library / Single Mail


Re: HTTPS-only curl mirrors

From: Ryan Schmidt <>
Date: Sun, 26 Nov 2017 09:55:56 -0600

On Nov 26, 2017, at 09:38, Daniel Stenberg wrote:

> I've just pushed changes to the curl web site that make it no longer link to download mirrors that aren't using HTTPS.
> I blogged about it here:

The curl and openssl bundled with OS X 10.8.x and earlier cannot connect to your https server.

$ /usr/bin/curl -I
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

MacPorts uses that copy of libcurl. For this reason, MacPorts will continue to mirror your files on a CDN server with less restrictive https settings and which also allows http connections for even older systems.

MacPorts checksums the files it downloads, so it is not possible for a MITM attack on this or any other server MacPorts uses to result in MacPorts installing malicious code.

Received on 2017-11-26
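
The argument in the message above is that a checksum pinned in the package recipe makes download integrity independent of the transport. The following is an added example, not part of the original mail and not MacPorts code. The function name, sample bytes and pinned values are constructed for illustration, and it assumes the pinned size and SHA-256 reach the client over a trusted channel.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size used while hashing the download stream


def verify_distfile(stream, expected_size, expected_sha256):
    """Return True only if the stream matches the pinned size and SHA-256."""
    digest = hashlib.sha256()
    seen = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        seen += len(chunk)
        if seen > expected_size:
            # Oversized body: stop reading instead of buffering mirror data.
            return False
        digest.update(chunk)
    if seen != expected_size:
        # Truncated download.
        return False
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.lower())


# Constructed sample data standing in for a release tarball.
GOOD = b"constructed tarball bytes for example-1.0.tar.gz\n" * 100
# Constructed pin; in practice these values ship with the package recipe,
# not with the download.
PINNED = {"size": len(GOOD), "sha256": hashlib.sha256(GOOD).hexdigest()}


def check_mirrors():
    """Verify three constructed mirror responses against the pinned values."""
    tampered = bytearray(GOOD)
    tampered[10] ^= 0x01  # same length, one bit changed in transit
    responses = {
        "honest-http-mirror": GOOD,
        "modified-in-transit": bytes(tampered),
        "truncated": GOOD[:-1],
    }
    return {
        name: verify_distfile(io.BytesIO(body), PINNED["size"], PINNED["sha256"])
        for name, body in responses.items()
    }


if __name__ == "__main__":
    for name, ok in check_mirrors().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The check protects only the file contents: if the pinned values are fetched over the same untrusted channel as the file, the guarantee no longer holds.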