HTTPS downloads from certain sites fail with TLS cert errors

[F30]

• ran brew update and can still reproduce the problem?
• ran brew doctor, fixed all issues and can still reproduce the problem?

There is a (supposed) bug in macOS' built-in cURL, which is used by Homebrew. It makes downloads from certain HTTPS sites fail with this error messages:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

The sites' certificate is actually not expired, and connections with browsers and other cURL builds work perfectly fine. Instead, macOS cURL considers two specific root CA certificates expired despite there being updated certificates using the same keys.

Please see the announcement from the CA and my analysis of the issue on Information Security StackExchange for details.

What you were trying to do (and why)

brew cask reinstall dash

Since this is a cask command, I first reported it to Homebrew-Cask as Homebrew/homebrew-cask#83481. However, @vitorgalvao replied that it should be reported here instead.

That is somewhat warranted, since the issue is indeed broader and may quite likely also affect Formulae. However, I only specifically know of affected Casks at the moment.

What happened (include command output)

==> Downloading https://kapeli.com/downloads/v5/Dash.zip

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: Download failed on Cask 'dash' with message: Download failed: https://kapeli.com/downloads/v5/Dash.zip

What you expected to happen

Successful (re-) installation.

Step-by-step reproduction instructions (by running brew commands)

See above, but take into account that this is only an example of the problems caused by the issue.

[wwk-github]

Maybe?:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

[F30]

@wak-github: This is the exact same article I already referenced in the report, as well as the more detailed discussion on Information Security Stack Exchange.

[Bo98]

Indeed it's an issue with system curl on macOS. I'm trying to figure out why though.

There was an OpenSSL 1.0 bug, but as far as I know the version of LibreSSL that macOS uses should have that patch. I likely have missed something though.

I believe the issue can be fixed serverside if the server is configured to not send expired intermediates (e.g. one of the Comodo intermediates which expired at the same time as the AddTrust root), but we'll probably need to think of something to workaround it from the client end.

[wwk-github]

Server-side should help.

Download PEMs from:
https://crt.sh/?id=1199354
https://crt.sh/?id=1720081
https://crt.sh/?id=2841410
https://crt.sh/?id=2835394

$ ls
1199354.crt 1720081.crt 2835394.crt 2841410.crt
$ cat * > all.crt

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-shared-system-certificates

For RedHat 7:

$ cp all.crt /usr/share/pki/ca-trust-source/anchors/
$ update-ca-trust

[F30]

According to Ryan Sleevi, setting CURL_SSL_BACKEND=secure-transport is supposed to mitigate the issue. However, this does not work for me on 10.14.

[wwk-github]

@F30 if a working curl is all you need, you can use curl with--cacert parameter with the cacerts file from my previous post.
curl --cacert all.crt -v https://site-with-ssl-address

[MikeMcQuaid]

Happy to discuss workarounds here but given this is a macOS curl bug I consider it an upstream and/or server issue rather than a Homebrew one.

[Bo98]

• The CURL_SSL_BACKEND=secure-transport workaround works, but for 10.15 only.
• For earlier macOS versions, there's no real workaround besides forcing brewed curl instead (HOMEBREW_FORCE_BREWED_CURL=1), or messing around with the cert store if you want to go there. It is unclear to me if Apple will ever fix these versions (could be seen as out-of-scope for a security update).
• For Linux, ensure system curl is not compiled with OpenSSL 1.0. Otherwise use HOMEBREW_FORCE_BREWED_CURL=1. We could incorporate this into the version check.

The core LibreSSL bug has been filed here: libressl/portable#595

For anyone wondering if anything in homebrew-core is affected (as in the actual software - not the curl download): Homebrew does not use LibreSSL in any formula besides movgrab, and even for that the default cert store used by brewed LibreSSL is not affected.