This page indexes all the SSL/TLS problems we've had, and also records the most recent one.
Recent SSL/TLS issue
Recently, two MacOS 10 users had an SSL error where, even though we had implemented the CURL fallback, CURL itself was using certificates with which it couldn't download from our 07th-mod site.
Previously, we only used CURL (set the CURL executable) if it could download from the 07th-mod website.
Now, we set the CURL executable as long as it is available (even if it cannot download).
Then, we try to figure out which CURL certificate we should use, by trying each one:
- Use whatever the default is (no argument passed to CURL)
- Use any certificates found on the system (currently we only find certs on Linux though)
- Use the bundled certificate
The installer will try both the 07th-mod and github websites, and if a cert works with both then it chooses that one for the rest of the install.
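The selection procedure described above, as an added example that is not the installer's own code. The test URLs, the Linux bundle paths and all function names are assumptions; the candidates are tried in the order the page lists them, and `run` can be swapped for a stub so the logic can be checked without network access.

```python
import os
import subprocess

# Assumptions: the page names the two sites but not exact URLs or bundle paths.
TEST_URLS = ["https://07th-mod.com/", "https://github.com/"]
LINUX_CA_BUNDLES = ["/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu
                    "/etc/pki/tls/certs/ca-bundle.crt"]    # Fedora/RHEL


def curl_command(curl_path, url, cacert=None):
    """HEAD request that exits non-zero on TLS or HTTP errors.
    Certificate verification is never switched off; only the CA bundle changes."""
    cmd = [curl_path, "--silent", "--head", "--fail", "--max-time", "10",
           "--output", os.devnull]
    if cacert is not None:
        cmd += ["--cacert", cacert]
    return cmd + [url]


def candidate_certs(bundled_cert, exists=os.path.exists):
    """Listed order: curl default (None), system bundles found, bundled cert."""
    return [None] + [p for p in LINUX_CA_BUNDLES if exists(p)] + [bundled_cert]


def choose_cert(curl_path, candidates, urls=TEST_URLS, run=subprocess.call):
    """Return (True, cert) for the first candidate that works with every URL,
    or (False, None). cert=None means 'pass no --cacert argument'."""
    for cert in candidates:
        if all(run(curl_command(curl_path, url, cert)) == 0 for url in urls):
            return True, cert
    return False, None


if __name__ == "__main__":
    # Constructed scenario: the default store fails (curl exit code 60 is a
    # certificate verification failure), a system bundle fails for one site,
    # and the bundled file works for both.
    def simulated_run(cmd):
        cert = cmd[cmd.index("--cacert") + 1] if "--cacert" in cmd else None
        if cert is None:
            return 60
        if cert == "/sys/ca.crt" and "07th-mod" in cmd[-1]:
            return 60
        return 0

    print(choose_cert("curl", [None, "/sys/ca.crt", "cacert.pem"],
                      run=simulated_run))
```

Because every candidate still goes through normal certificate verification, a failure of all three ends the search instead of silently downgrading to an unverified download.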
The bundled certificate is retrieved from the CURL website (https://curl.se/docs/caextract.html). It will be updated each time the installer is rebuilt. We would need to rebuild the installer periodically, as the certs would eventually expire, but I guess this is a last resort anyway.
Known Issues
Testing the certificate requires/uses only CURL
Currently Python's urlopen does not use the chosen certificate. But wherever it is used in the installer, we have a CURL fallback.
Also, while this certificate is also passed into Aria2, I noticed that on my Windows machine it doesn't like the certificate format. But in the MacOS logs, it appears to use the certificate.
To fix this SSL error, I sent one user a version of the installer which uses a bundled certificate if all else fails (as suggested in https://github.com/07th-mod/python-patcher/issues/80).
List of previous TLS/SSL issues