
curl-users

Please stop breaking curl

From: Richard Levenberg <richardl_at_ufp.com>
Date: Sat, 09 Nov 2013 10:21:19 -0800

I run a service and have developed modules for Drupal and Wordpress
that integrate with the service. In order to connect to the service,
client-authenticated SSL is required. The service is a walled garden;
it uses none of the standard CA certificates for
verification. Recently relevant information is that the PKI
infrastructure I have set up uses keys larger than 4096 bits.

A very large customer of mine tried to install the Drupal module on
the standard Amazon Linux AMI and the module did not work. After a lot
of scrambling, I figured out that the RedHat based curl is compiled
against NSS rather than OpenSSL. With the recent update to OS X
Mavericks (10.9), the curl is compiled against SecureTransport.

The specific problems with these changes are that there are no PHP
bindings to NSS or SecureTransport so I can't programmatically do
anything. I also can't install any >4096 bit keys or signatures into
SecureTransport so I can't manually do anything either.

While I personally can suffer doing manual operations to get curl
working (using certutil and friends) I am hesitant to ask customers
that want to use my service to do these things. And for my purposes,
Mac OS X has either become a non-functional development environment or
I'm faced with compiling OpenSSL and curl every time I upgrade.

Going forward, I would like for the semantics of the curl options to
NOT mean different things on different OSes. I'm nonplussed at the
comment "think that's it. Other than --cacert I doubt these changes
will affect anyone" from
http://curl.haxx.se/mail/archive-2013-10/0036.html

What that says to me is that the curl development is either unaware of
my use case or doesn't care. Neither is particularly helping with my
frustration. I think a better way to have handled this is to provide
the option to use OS specific implementations (NSS or SecureTransport)
and have the distributions SET that option. That way that option can
be UNSET and the regular CLI works semantically correct on every OS.

CentOS:

curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0
zlib/1.2.3 libidn/1.18 libssh2/1.4.2

    --cacert <file> CA certificate to verify peer against (SSL)
    --capath <directory> CA directory to verify peer against (SSL)
 -E/--cert <cert[:passwd]> Client certificate file and password (SSL)

Mac OS X (Mavericks)

curl --version
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport
zlib/1.2.5

     --cacert FILE CA certificate to verify peer against (SSL)
     --capath DIR CA directory to verify peer against (SSL)
 -E, --cert CERT[:PASSWD] Client certificate file and password (SSL)
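The backend problem described in the post, as an added example that is not part of the original message or of the curl project: a POSIX shell function that takes the first line of `curl --version` output and reports which TLS library the binary was linked against (NSS, SecureTransport, OpenSSL, GnuTLS, or unknown). A module installer can run this before deployment and tell the user up front which set of --cacert / -E semantics to expect. The two CentOS and Mavericks version lines are taken from the post; the OpenSSL and GnuTLS strings, the function names, and the "expected backend" check are constructed for this example and are not from the page.

```shell
#!/bin/sh
# Added example (not from the original post or the curl project): detect the
# TLS backend a curl binary was built against from its `curl --version` line.

# Print the TLS backend token found on a `curl --version` first line.
# Returns 0 when a known backend is found, 1 (and prints "unknown") otherwise.
curl_tls_backend() {
    line=$1
    # Pad with spaces so a token at either end of the line still matches,
    # and match on the whole string rather than word-splitting it (no globbing).
    case " $line " in
        *" NSS/"*)              echo NSS ;;
        *" SecureTransport "*)  echo SecureTransport ;;
        *" OpenSSL/"*)          echo OpenSSL ;;
        *" GnuTLS/"*)           echo GnuTLS ;;
        *)                      echo unknown; return 1 ;;
    esac
    return 0
}

# Return 0 if the backend on the given version line is the one the caller's
# deployment instructions were written for, 1 otherwise. The message on
# stderr is what an installer would show the user before they start.
require_tls_backend() {
    expected=$1
    line=$2
    actual=$(curl_tls_backend "$line")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "curl is built against $actual, not $expected;" \
         "--cacert/-E handling may differ on this system" >&2
    return 1
}

# Constructed sample lines: the first two are copied from the post, the
# others are made up here to exercise the remaining branches.
CENTOS_LINE='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'
MAVERICKS_LINE='curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5'
OPENSSL_LINE='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.1e zlib/1.2.7'
GNUTLS_LINE='curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 GnuTLS/2.12.20 zlib/1.2.7'

for sample in "$CENTOS_LINE" "$MAVERICKS_LINE" "$OPENSSL_LINE" "$GNUTLS_LINE"; do
    echo "$(curl_tls_backend "$sample") <- ${sample%% (*}"
done

# Live check against the local binary, skipped when curl is not installed.
if command -v curl >/dev/null 2>&1; then
    first_line=$(curl --version 2>/dev/null | head -n 1)
    echo "local curl backend: $(curl_tls_backend "$first_line")"
    require_tls_backend OpenSSL "$first_line" || true
fi
```

In a real installer the `require_tls_backend OpenSSL ...` call would abort (or switch to backend-specific instructions) instead of being followed by `|| true`; here it is left non-fatal so the script also runs on the NSS and SecureTransport builds the post is about.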
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-09