On Nov 26, 2017, at 09:38, Daniel Stenberg wrote:

> I've just pushed changes to the curl web site that makes it no longer link to download mirrors that aren't using HTTPS.
>
> I blogged about it here:
>
> https://daniel.haxx.se/blog/2017/11/26/https-only-curl-mirrors/

The curl and openssl bundled with OS X 10.8.x and earlier cannot connect to your https server.

$ /usr/bin/curl -I https://curl.haxx.se/download/curl-7.56.1.tar.gz
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

MacPorts uses that copy of libcurl. For this reason, MacPorts will continue to mirror your files on a CDN server with less restrictive https settings and which also allows http connections for even older systems.

MacPorts checksums the files it downloads, so it is not possible for a MITM attack on this or any other server MacPorts uses to result in MacPorts installing malicious code.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-11-26