Re: [Fink-devel] OpenSSL 1.0.2 certificates

[Hanspeter N. <fi...@sn...>]

On 1/2/17 9:19 AM, Derek Homeier wrote:
> Hi,
>
> I want to check if I am doing something very stupid here, since I am unable to properly
> use any apps linking to openssl100-shlibs (among others wget and python) since approximately
> the update to openssl-1.0.2, as it refuses to accept almost any host certificate:
>
> ariel:15579> curl -O https://www.openssl.org/source/openssl-1.0.2j.tar.gz
> % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                             Dload  Upload   Total   Spent    Left  Speed
> 100 5183k  100 5183k    0     0   985k      0  0:00:05  0:00:05 --:--:-- 1266k
> ariel:15580> wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
> --2017-01-02 15:03:01--  https://www.openssl.org/source/openssl-1.0.2j.tar.gz
> Resolving www.openssl.org... 2600:1406:1a:38f::c1e, 2600:1406:1a:38e::c1e, 104.91.180.27
> Connecting to www.openssl.org|2600:1406:1a:38f::c1e|:443... connected.
> ERROR: cannot verify www.openssl.org's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
> Unable to locally verify the issuer's authority.
> To connect to www.openssl.org insecurely, use `--no-check-certificate'.

according to 'fink info wget', you have to edit .wgetrc so that wget 
knows about the ca-bundle certificates.

   1. Install the 'ca-bundle' package.
   2. If you don't currently have $HOME/.wgetrc, generate it via
  .
   	cp /sw/etc/wgetrc $HOME/.wgetrc
  .
   3. Edit $HOME/.wgetrc with your favorite text editor and add the
   	following line to it:
  .
   	ca_certificate = /sw/etc/ssl/certs/ca-bundle.crt

I can confirm that wget fails here similarly to you before the edit, and 
downloads find after the change.

Hanspeter