With the introduction of the Catalina version a year ago, I started experiencing some new issues on my MacBook laptop when working with my existing instances of SAP HANA, express edition. These issues were consequences of the OS changes in the security area to protect casual users.
I see other users running into similar issues, so I would like to share the fixes I am using. If you have other tips, then please let me know in the comments!
NET::ERR_CERT_INVALID in Chromium-based web browsers
In Chromium-based web browsers (like Vivaldi, Brave, Chrome...) NET::ERR_CERT_INVALID is displayed when opening any SAP HANA web application, like https://hxehost:39030.
SAP HANA, express edition, uses a self-signed certificate, but up to macOS 10.14 the error would be NET::ERR_CERT_AUTHORITY_INVALID. On Windows these web browsers still show NET::ERR_CERT_AUTHORITY_INVALID, and you can see the link that allows you to accept the risk and to proceed to the page.
The reason for this behavior on macOS is the new security requirements for TLS server certificates in macOS 10.15: https://support.apple.com/en-us/HT210176
The solution might be to move to another browser, like Firefox, where you can still get a link to accept the risk and to move on.
But if you do not want to switch browsers and feel geeky (plus know what you are doing!), then there is a BYPASS_SEQUENCE built into Chromium.
This allows certificate errors "to be skipped by typing a secret phrase into the page.": https://chromium.googlesource.com/chromium/src/+/refs/heads/master/components/security_interstitials...
The current sequence is dGhpc2lzdW5zYWZl, which is Base64 encoded. After decoding it says thisisunsafe. And this is what you need to type on the keyboard to get past the certificate error message in the browser.
Please note that:
- this bypass sequence is changing between different versions of Chromium, and
- with great power comes great responsibility!
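The macOS 10.15 requirements linked above can be checked against a certificate directly, which shows what a replacement certificate would need so that no bypass is required. The shell script below is an added example, not part of the original post or of any SAP tooling; it assumes the openssl command is available and the certificate is saved as a PEM file, the names to_epoch and check_cert are made up for illustration, and the rules it checks are the ones listed in Apple's HT210176.

```shell
#!/bin/sh
# Added example: check a PEM certificate against Apple's HT210176 requirements.
# To save the server's certificate first (host and port as used on this page):
#   openssl s_client -connect hxehost:39030 </dev/null 2>/dev/null | openssl x509 > hxe.pem

to_epoch() {  # openssl date string -> Unix seconds (BSD/macOS date, then GNU date)
  date -u -j -f "%b %d %H:%M:%S %Y %Z" "$1" +%s 2>/dev/null || date -u -d "$1" +%s
}

check_cert() {  # hypothetical helper: prints each violation, returns 1 if any
  pem=$1; fail=0
  text=$(openssl x509 -in "$pem" -noout -text) || return 2
  nb=$(to_epoch "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)")
  na=$(to_epoch "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)")

  # RSA keys must be at least 2048 bits
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is ${bits:-?} bits, need >= 2048"; fail=1; }
  fi
  # The signature must use a SHA-2 hash (this pattern does not recognise RSA-PSS)
  printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm:.*sha(224|256|384|512)' ||
    { echo "signature algorithm is not SHA-2 based"; fail=1; }
  # The DNS name must be in subjectAltName; CommonName alone is not trusted
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' ||
    { echo "no DNS name in subjectAltName"; fail=1; }
  # Issued after 2019-07-01 (epoch 1561939200): serverAuth EKU and validity <= 825 days
  if [ "$nb" -gt 1561939200 ]; then
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
      { echo "ExtendedKeyUsage lacks serverAuth"; fail=1; }
    days=$(( (na - nb) / 86400 ))
    [ "$days" -le 825 ] || { echo "validity is $days days, max 825"; fail=1; }
  fi
  return $fail
}

# Usage: sh check_cert.sh hxe.pem
if [ $# -gt 0 ]; then check_cert "$1" && echo "meets the macOS 10.15 requirements"; fi
```

Each line it prints names one requirement the certificate misses, which is what a reissued certificate for the host would have to correct.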
“file” cannot be opened because the developer cannot be verified
If you download an executable file from the Internet using a web browser, then you may run into this message when trying to run it: "... cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware."
It happens e.g. when downloading the SAP HANA Client installer from https://tools.hana.ondemand.com/#hanatools.
This happens because macOS adds the extended attribute com.apple.quarantine to files.
You can spot files with extended attributes by the @ character that follows the permission flags when using ls -l. You can see these extended attributes using ls -l@.
If you trust the files you downloaded, then the quarantine tag can be removed using the xattr -d command, like
xattr -d com.apple.quarantine hanaclient-latest-macosx-x64.tar.gz
These extra attributes are not assigned when downloading files using e.g. curl, like:
curl "https://tools.hana.ondemand.com/additional/hanaclient-latest-macosx-x64.tar.gz" \
--output "hanaclient-latest-macosx-x64.tar.gz" \
--header "Cookie: eula_3_1_agreed=tools.hana.ondemand.com/developer-license-3_1.txt"
Please note that:
"Abort trap: 6", or "Invalid dylib load"
Since Catalina was released, different Python programs have been crashing with "Abort trap: 6" if these programs use encrypted communication.
The detailed stack trace would mention:
Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.
I did not find a single comprehensive explanation. I relied on this one:
https://bugs.python.org/issue38814#msg356779.
There were many different solutions proposed involving manual re-links. The one I found working for me was:
brew install openssl
export DYLD_FALLBACK_LIBRARY_PATH=/usr/local/opt/openssl/lib
Obviously you can skip the OpenSSL installation if it is already available in your OS.
I hope you find these fixes helpful...
...if you ran into any of these issues.
And if you have any further details or different solutions, then please share them in the comments.
Stay healthy
❤️
-Vitaliy (aka @Sygyzmundovych)