From Newsgroup: comp.sys.mac.system
On 22/03/2026 03:07, David LaRue wrote:
Hello,
I'm looking at a friend's Macbook OS X laptop. Many web sites aren't loading. Firefox at least told me that the web sites in question don't have an overlap of SSL Protocols to enable verification of the site and content. Safari just gave up and didn't offer an error message.
I am a linux and Windows user of FF. I've not touched a Mac since the 512+. How do I find the SSL Protocols on the Mac Book and update them?
Some update functions still work. I'm just not finding the appropriate network protocol settings. Where are they hidden on Apple Devices?
Thank you!
Hi David,
Since you're comfortable with a command line, you can bypass the
"Keychain Access" GUI and fix this directly via the Terminal. The issue
is almost certainly that the MacBook's local certificate store is
unaware of modern Root CAs (like ISRG Root X1) that have replaced the now-expired DST Root CA X3.
Here is how you can manually inject the new trust relationship:
1. Download the new Root Certificate
From the Terminal on the Mac (or download it on your machine and move
it via USB), grab the Let's Encrypt Root:
Bash
curl -O
https://letsencrypt.org/certs/isrgrootx1.der
2. Inject and Force Trust
Run the following command to import the certificate into the System
Keychain and explicitly set it to "Always Trust" for SSL. You will be
prompted for the friend's admin password:
Bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain isrgrootx1.der
3. Cleanup the Expired Certificate (Optional but Recommended)
If the system still struggles, it might be trying to use the old,
expired DST Root CA X3 first. You can find and delete it via the GUI
(Keychain Access -> System Roots), or try to locate it via CLI:
Bash
# To list certificates and find the exact name for deletion
security find-certificate -c "DST Root CA X3"
Why Safari is "Silent" vs Firefox
On older Macs, Safari uses the Secure Transport library built into OS X.
If that library doesn't support TLS 1.2 (common in OS X 10.8 or older),
Safari simply fails the handshake without a helpful error. Firefox is
your best bet for a "quick fix" browser because it brings its own
internal encryption libraries and root store, bypassing the aging Apple
system files.
The "Nuclear" Option (Linux)
If the laptop is a mid-2010s model, it’s likely a 64-bit Intel machine. Since you're a Linux user, you'll find that Linux Mint (Xfce) or
ChromeOS Flex runs beautifully on that hardware and will give your
friend a modern, secure browser environment without the "Apple Tax" of
forced obsolescence.
Good luck with the rescue mission!
(Assistance provided by Gemini)
--
Kind regards,
David B.
--- Synchronet 3.21d-Linux NewsLink 1.2