cmake issue with system libcurl on macOS 14.2

[hjmallon]

brew gist-logs <formula> link OR brew config AND brew doctor output

% brew config
HOMEBREW_VERSION: 4.2.2-4-g080e61f
ORIGIN: https://github.com/Homebrew/brew
HEAD: 080e61f9bc0aa36c246a5377e42657c75e04c9d3
Last commit: 11 hours ago
Core tap JSON: 02 Jan 11:46 UTC
Core cask tap JSON: 02 Jan 11:46 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_DISPLAY: /private/tmp/com.apple.launchd.XlAmkE4SKt/org.xquartz:0
HOMEBREW_MAKE_JOBS: 12
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.1.4 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: dodeca-core 64-bit kabylake
Clang: 15.0.0 build 1500
Git: 2.43.0 => /usr/local/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.2.1-x86_64
CLT: 15.1.0.0.1.1700200546
Xcode: 15.1

% brew config
Your system is ready to brew

Verification

• My "brew doctor output" says Your system is ready to brew. and am still able to reproduce my issue.
• I ran brew update and am still able to reproduce my issue.
• I have resolved all warnings from brew doctor and that did not fix my problem.
• I searched for recent similar issues at https://github.com/Homebrew/homebrew-core/issues?q=is%3Aissue and found no duplicates.

What were you trying to do (and why)?

Upstream bug with reproducer is here https://gitlab.kitware.com/cmake/cmake/-/issues/25522

I was trying to use cmake to download some files, and when trying to file(DOWNLOAD) the same file twice from cmake the second try fails with "SSL connect error". This appears to have started with macOS 14.2's update to /usr/lib/libcurl.4.dylib.

Use the following reproducer download.cmake

cmake_minimum_required(VERSION 3.15)

message(STATUS "TRY 1")
file(DOWNLOAD "https://raw.githubusercontent.com/cpp-pm/hunter-cache/master/8fd7dea/GTest/1.14.0/2b28c2a/297e0ef/4830b34/e5fa44f/basic-deps.DONE" "${CMAKE_CURRENT_BINARY_DIR}/basic-deps.DONE" TLS_VERIFY ON STATUS status LOG log)
message("STATUS: ${status}")
message("LOG: ${log}")


message(STATUS "TRY 2")
file(DOWNLOAD "https://raw.githubusercontent.com/cpp-pm/hunter-cache/master/8fd7dea/GTest/1.14.0/2b28c2a/297e0ef/4830b34/e5fa44f/basic-deps.DONE" "${CMAKE_CURRENT_BINARY_DIR}/basic-deps.DONE.2" TLS_VERIFY ON STATUS status LOG log)
message("STATUS: ${status}")
message("LOG: ${log}")

What happened (include all command output)?

Run the reproducer with cmake -P download.cmake

STATUS: 35;"SSL connect error"
LOG:   Trying 185.199.111.133:443...
Connected to raw.githubusercontent.com (185.199.111.133) port 443
ALPN: curl offers h2,http/1.1
(304) (OUT), TLS handshake, Client hello (1):
[330 bytes data]
 CAfile: /etc/ssl/cert.pem
 CApath: none
(304) (IN), TLS handshake, Server hello (2):
[122 bytes data]
(304) (IN), TLS handshake, Unknown (8):
[19 bytes data]
(304) (IN), TLS handshake, Certificate (11):
[3050 bytes data]
LibreSSL/3.3.6: error:0DFFF0A1:lib(13):func(4095):reason(161)
Closing connection

What did you expect to happen?

cmake to function as it does with it's own copy of cmake (i.e. when build from source outside of brew). Perhaps brew could use system curl (or it's own libcurl) to work around the issue?

Step-by-step reproduction instructions (by running brew commands)

brew install cmake

# copy reproducer to download.cmake
cmake -P download.cmake

# TRY 1 will get correct 404, TRY 2 will get "SSL connect error"

[SMillerDev]

Perhaps brew could use system curl (or it's own libcurl) to work around the issue?

Brew uses system curl:

homebrew-core/Formula/c/cmake.rb

Lines 50 to 55 in 1352561

	if OS.mac?
	args += %w[
	--system-zlib
	--system-bzip2
	--system-curl
	]

So it seems like this should be reported to Apple.

[hjmallon]

So it seems like this should be reported to Apple

I was worried you were going to say that 😄. I'll have to fire a radr into the void.

[SMillerDev]

Yeah, maybe the CMake devs can help you get some attention to it. And make sure to post it here too so others can reference it if they have contacts inside

[Bo98]

You're likely seeing curl/curl#12525 which is fixed by curl/curl@9f2d229 (not currently in any release but Apple could cherry-pick it into their build).

Temporary workaround is CURL_SSL_BACKEND=SecureTransport (no TLS 1.3 but that's ok in this case).

[scivision]

On macOS 14.2 it seems system Curl is 8.4.0

% curl --version
curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1
Release-Date: 2023-10-11

[iMichka]

Closing here as the issue is not on our side.

[scivision]

It seems like once the Homebrew binary build uses the macOS update with new-enough Curl, the issue is resolved. The root cause seems to be the curl library version CMake Homebrew binary was built with.

[hjmallon]

I can reproduce this on Sonoma 14.3 too. Would brew consider using brew libcurl until their is an libcurl 8.6.0 and Apple import it?