cURL / Mailing Lists / curl-users / Single Mail


Important note for curl users on OS X Yosemite 10.10

From: Nick Zitzmann <>
Date: Fri, 17 Oct 2014 00:49:18 -0500

It's time to update this note I wrote for Mavericks, <>, for Yosemite users.

In Yosemite, they switched from version 7.30.0 to 7.37.1. Apple's own Secure Transport engine, not OpenSSL, is still used for TLS. And there have been a few changes since my last note that affect you if you use curl to access servers that use TLS:

1. You can now use the --cacert option again, for the purpose of connecting to servers with self-signed certificates. The catch? It only works with a single PEM- or DER-encoded certificate, and it ignores additional certificates in the file. This is a known problem in that version.

If this becomes a problem for you, then you can work around it by either:
1a. Using a newer version of curl than the one that comes with Yosemite. curl 7.38.0 supports certificate bundles when using the Secure Transport engine.
1b. Import the certificate bundle into your Keychain, and then discontinue your use of the --cacert option altogether.

I also think that using the --cacert and --insecure options together will result in an error, so don't do that. :)

2. You can now use the -E/--cert option, for the purpose of authenticating with a TLS host using a client certificate and private key. When using the option, you can either specify:
2a. The name of the certificate as it appears in your Keychain (the certificate's private key has to be present in the same Keychain in order for this to work),
2b. A path to a PKCS#12-encoded file on a disk, which contains both the certificate and the private key. (If it's in the present working directory, you need to add a ./ to the start of the path, or curl will assume you want to search the Keychain.)

Note that the file **must** be in P12 (PKCS#12) format. We can't load client certificates in PEM or DER format, as well as their private keys, because the API that would be necessary to make that work is unfortunately private, and I'd rather not have to explain to all of you why I got your curl-utilizing apps rejected from the App Store.

3. The -2/--sslv2 option will now raise an error if you try to use it. (Previously, the option was ignored.) Support for SSLv2 was removed from Secure Transport back in OS X 10.8, and it's not coming back. If you need to access a very old (1995-era) Web site that does not support at least SSLv3 or later, then you'll still need to build your own curl and use OpenSSL instead.

4. The --ssl-allow-beast option will now work, but I don't recommend using it unless you **really** know what you're doing. By default, curl will try to work around the BEAST problem when connecting to a site that uses CBC over TLS 1.0.

Nick Zitzmann

List admin:
Received on 2014-10-17