Concerning problems with updates from mirror.ctan

[Karl Berry]

Hi Robert,
    
    | $./tlpkg/installer/wget.x86_64-darwinlegacy https://mirror.ctan.org
    | https://mirror.ctan.org: HTTPS support not compiled in.

Well, it's the same basic problem, but FWIW it looks to me like TL is
using the system curl, not the TL wget:

  D:TLUtils::download_file: downloading using curl succeeded

I surmise the system curl also does not support https?

    http://www.ctan.org/tex-archive/systems/texlive/tlnet/tlpkg/texlive.tlpdb

Ultimately I think the issue is that an http://www.ctan.org url
redirects (usually or always, not sure) to an https mirror. So if the
download program doesn't support https, it's doomed to failure.

Another issue is that once www.ctan.org is the server hostname being
used, different mirrors can be chosen on different downloads, leading to
inconsistencies and failure. The server has to be an explicit host.

The only solution I see is to explicitly use a mirror, as you wrote:

    Everything works fine if I specify a repository manually (other than 
    mirror.ctan.org), be it https, http or ftp. 

But ... I don't understand how an https mirror can work if your download
programs don't support https?

    D:TLUtils::download_file: downloading using curl succeeded
    D:persistent connection set up, trying to get 

I also don't understand how persistent connections can be set up using
curl (or wget). My understanding is that persistent connections are only
possible with LWP. Maybe it's just an erroneous debugging message.

    D:TLDownload::get_file: response error: 500 Can't verify SSL peers 
    without knowing which Certificate Authorities to trust (for 

I don't think this will solve your problem, but I think we should pass
--insecure to curl, and (especially) --no-check-certificates to wget,
because it's inevitable that the cert chains will be out of date on
older systems, and nonexistent when the TL wget is used.

Norbert, wdyt? --thanks, karl.