Comments (15)
I think you want an explanation of "[ERROR] Failed to load trusted CA certificates ...".
It means aria2 (actually the SSL library it is linked to) tried to load the system-wide CA certificates but failed (you see the reason in the error line).
If you want to make the error disappear, specify a CA certificate file using the --ca-certificate option.
Alternatively you can use --check-certificate=false, but it is insecure because it turns off certificate checks for HTTPS sites.
from aria2.
@tatsuhiro-t There doesn't seem to be a reasonable choice for --ca-certificate on OSX since certs are handled via Keychain.
from aria2.
The situation on Mac is not good for certs at the moment.
If you have a Linux installation, copy ca-certificates.crt to the Mac and use it with --ca-certificate.
from aria2.
perhaps we could enlist the help of @nickzman who enabled native OS X crypto features in curl?
from aria2.
I think it works. Still, it is a bit fragile because we don't have a Mac OS compile platform. We have some Mac OS X-only code in aria2, but when it was written, I could use a Mac OS machine in the compiler farm hosted by sf.jp. But that is gone now. If we cannot compile and test on that platform, things can easily be broken.
from aria2.
I'm happy to do any testing. maybe we can find more Mac users who will also help.
from aria2.
Thank you! That is awesome.
from aria2.
comment from Nick:
"What TLS engine does it use? If it uses OpenSSL or GnuTLS or even NSS, then you need to provide it with a collection of trusted root certificates or they won't work. Apple doesn't ship such a collection with OS X anymore outside of the certificates in the system roots keychain.
If you want to use the system roots keychain instead of a certificate bundle, then you either need to use Secure Transport as the TLS engine (best), or write a certificate validation callback that uses the Security framework to evaluate the trust (okay). Apple has deprecated their OpenSSL library in OS X, and iOS doesn't include OpenSSL at all, so it would be better if you use ST instead."
from aria2.
Nick did the Secure Transport (OS X specific) stuff for curl & Marc Hoersken did the schannel (Windows specific) parts for curl.
maybe it is worth looking at how curl does these & implementing them for aria2? it seems like there are a number of users on each platform.
also, how does curl handle ca-certificates.crt? doesn't it provide some update mechanism (update-ca-certificates)? or maybe you could add some documentation for users on platforms that don't include it. http://curl.haxx.se/ca/
from aria2.
Well, one should first define a common interface for TLS as an abstraction, instead of interleaving OpenSSL/GnuTLS code all throughout the socket core code.
Once that is done, one might implement other stuff like OSX ST, Win SChannel/CryptoAPI, NSS bindings.
Also, as a fast work-around for (home)brew users and maybe others, one could teach aria2 configure or runtime to use the CA file brew curl-ca-bundle or other packages provide, just like the aria2 formula https://github.com/mxcl/homebrew/blob/master/Library/Formula/aria2.rb
That is, in the absence of an explicit --with-ca-bundle, check for the CA file in commonly used locations:
- http://mercurial.selenic.com/wiki/CACertificates (Nice list regarding linux distros)
- https://github.com/mxcl/homebrew/blob/master/Library/Formula/aria2.rb (OSX brew)
from aria2.
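The fallback suggested in the comment above (probe commonly used CA file locations when none is given explicitly), sketched as a shell wrapper. This is an added example, not aria2 or Homebrew code; the candidate paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: find a usable CA bundle for aria2c instead of turning
# certificate checks off. Candidate paths are assumptions (common distro
# defaults plus an assumed Homebrew curl-ca-bundle location), tried in order.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
/usr/local/share/ca-bundle.crt"

# is_pem_bundle FILE: true if FILE is readable, non-empty and contains at
# least one PEM certificate header. A stray or empty file is rejected here
# rather than surfacing later as a "Failed to load trusted CA certificates" error.
is_pem_bundle() {
    [ -r "$1" ] && [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# find_ca_bundle [PATH...]: print the first candidate that passes
# is_pem_bundle; return 1 if none does. With no arguments the default list
# is used (its paths contain no whitespace, so word splitting is safe).
find_ca_bundle() {
    [ "$#" -gt 0 ] || set -- $CA_CANDIDATES
    for f in "$@"; do
        if is_pem_bundle "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# aria2c_verified ARGS...: run aria2c with an explicit bundle and checks on.
# If no bundle is found it stops; it never falls back to
# --check-certificate=false.
aria2c_verified() {
    bundle=$(find_ca_bundle) || {
        echo "no CA bundle found; pass one with --ca-certificate" >&2
        return 1
    }
    aria2c --ca-certificate="$bundle" --check-certificate=true "$@"
}
```
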
I heard that curl once bundled CA certificates but it was deprecated. I checked Debian's ca-certificate package and it has an update script, but it relies on a certain directory structure suitable for Debian or Ubuntu.
I agree that abstracting TLS code in SocketCore is a good first step.
from aria2.
would it be worth temporarily having build_osx_release.sh grab CA certs from http://curl.haxx.se/docs/caextract.html ?
from aria2.
I think yes, if it only needs a few lines of code.
from aria2.
TLS interface abstraction was completed. See src/TLSSession.h
from aria2.
problem fixed, thanks guys! :)
closing this now.
from aria2.