is `curl --insecure` still needed ?

[AltGr]

This was added because of compatibility issues on many common installations, in which curl didn't have access to a reasonable list of root certificates (in particular for github). I am wondering if this is still an issue now ?

We still double-check md5s of course.

[avsm]

The other point of note is that Cohttp is now in good enough shape to download the vast majority of URLs via the safe TLS stack. I'm testing this out specifically in the https://github.com/avsm/opam-mirror utility

[AltGr]

Not relying on Curl anymore would indeed be quite cool.

[avsm]

Frustratingly, Curl now fails on MacOS X on some sites:

curl "--write-out" "%{http_code}\\n" "--insecure" "--retry" "3" "--retry-delay" "2" "-OL" "https://ocaml.janestreet.com/ocaml-core/112.17/files/sexplib-112.17.00.tar.gz"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0000
curl: (56) SSLRead() return error -9841

This appears to be due to a curl configuration option: http://stackoverflow.com/questions/26461966/osx-10-10-curl-post-to-https-url-gives-sslread-error

@yminsky, did the JS site recently disable SSLv3 to trigger this? I can workaround it by removing the https from the distfiles for now, and hope the md5 checksum is strong enough.

[dsheets]

--insecure already meant that we had no authentication against CA bundle...

[avsm]

The error above was due to protocol negotiation and not CA checking, I think

[AltGr]

Travis reports such failures to sourceforge, too (on OSX)
see for example
https://travis-ci.org/ocaml/opam/jobs/51460132

[camlspotter]

Is there any workaround for this issue?

[AltGr]

the latter ? Hm, if it doesn't find curl in your PATH, OPAM will use wget instead.
If you have a working curl command somewhere, set OPAMCURL to point at it (there is no similar way to specify a wget command at the moment though, curl-specific command-line args will be used after $OPAMCURL).

[avsm]

The issue is that curl is broken on MacOS x, so we need to force the use of wget. Time for another conf variable to OPAMFETCH or something? Could also add the cohttp-curl binary as an option too

On 27 Feb 2015, at 02:51, Louis Gesbert notifications@github.com wrote:

the latter ? Hm, if it doesn't find curl in your PATH, OPAM will use wget instead.
If you have a working curl command somewhere, set OPAMCURL to point at it (there is no similar way to specify a wget command at the moment though, curl-specific command-line args will be used after $OPAMCURL).

—
Reply to this email directly or view it on GitHub.

[AltGr]

The issue at hand (curl on OSX) is not really the one from the OP, but on that:
I confirm that it'll be fixed by #2040 -- as long that you have wget installed (if you only have curl, OPAM will still try to use it).

It doesn't only choose wget by default on the mac, I made it fully customisable: you can specify the command using OPAMFETCH or the download-command in ~/.opam/config ; variable expansion allows url and out in the command, e.g. in ~/.opam/config:

download-command: [ "cohttp-curl-lwt" url "-o" out ]

Or, equivalent: OPAMFETCH="cohttp-curl-lwt %{url}% -o %{out}%

Of course if you do that and the exe is installed within OPAM, you may get in trouble if it gets removed at some point or you create a new switch :)

While I was at it there is a similar interface for the external solver now.