
RE: for wildcard certificates, different platforms behaving differently

From: Rick Berge <rberge_at_vectorworks.net>
Date: Tue, 17 May 2016 13:42:47 +0000

On Fri, May 13, Daniel Stenberg wrote:
> On Wed, 11 May 2016, Rick Berge wrote:
>
> > On a 10.11 Mac with version "7.43.0", ssl_version "SecureTransport" it
> > just quietly, successfully connects. Since this is my primary
> > environment, I didn't even realize there was a certificate problem.
>
> I got this bug confirmed from an unofficial source associated with this
> particular vendor.
>
> This bug is apparently fixed in iOS 9.2 but not yet in any OS X release.

Ah good, thanks.

On Wed, 11 May 2016, Nick Zitzmann wrote:
> I agree that this is an Apple bug, and it should be filed at <https://bugreport.apple.com/>.
>
>> This said, I can't yet rule out that the bug isn't somewhere in our use of the
>> SecureTransport APIs...
>
> Our use of the APIs does not do any manual trust evaluation, except in the unusual
> situation where a stand-alone certificate or bundle is provided, and then it goes through
> the same API as the general use case. In general use, libcurl calls the Security framework's
> SSLHandshake() function, which internally calls SecTrustEvaluate(), which evaluates the
> server certificate chain against the certificates in the Keychain.
>
> In general, if Safari will connect to the site without rejecting the certificate, then curl will
> do the same, since they both use the Security framework for TLS. So if both Safari and
> curl will connect to the site, then the problem exists at a lower level than curl.

The site wasn't mine, so the certificate got fixed and I promptly lost any troubleshooting chance to see what Safari, etc. would do. Mainly I saw the code in lib/vtls/openssl.c for verifyhost(), and wasn't sure how widespread across the TLS APIs it was for libcurl to do part of the verification.

Anyway, thanks all.

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-17
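The thread contrasts backends that do their own hostname check (the verifyhost() path Rick mentions in lib/vtls/openssl.c) with SecureTransport, where libcurl hands the whole chain and name evaluation to SSLHandshake()/SecTrustEvaluate(). Below is an added example, written for this archive page and not taken from curl or Apple, of the RFC 6125 wildcard rules such a hostname check is expected to enforce; the function name host_matches() and the sample names are my own, and the behaviour follows my reading of RFC 6125 section 6.4.3, which is how a reader can spot-check any backend that accepts a wildcard certificate it should not.

```c
/* RFC 6125-style hostname matching against a certificate name, including
 * the wildcard rules a verifyhost()-style check applies. Added example. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names or suffixes. */
static bool ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
        a++; b++;
    }
    return *a == *b;
}

/* Returns true if 'host' is matched by certificate name 'pattern'.
 * Wildcard rules (RFC 6125 section 6.4.3):
 *  - only the leftmost label may be a wildcard and it must be exactly "*"
 *  - at least two labels must follow the wildcard ("*.com" is rejected)
 *  - "*" matches exactly one label, never across a dot
 *  - wildcards never match an IPv4 address literal
 */
bool host_matches(const char *host, const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (!star)
        return ieq(host, pattern);          /* plain name: exact match only */

    const char *pdot = strchr(pattern, '.');
    /* wildcard must be the entire first label, followed by >= 2 labels */
    if (star != pattern || !pdot || pdot != pattern + 1
        || !strchr(pdot + 1, '.') || strchr(pdot + 1, '*'))
        return false;

    /* refuse wildcard matching when the host is an IPv4 literal */
    bool ipv4_like = true;
    for (const char *p = host; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.') { ipv4_like = false; break; }
    if (ipv4_like)
        return false;

    const char *hdot = strchr(host, '.');
    if (!hdot || hdot == host)              /* host needs a non-empty first label */
        return false;
    return ieq(hdot, pdot);                 /* everything after the first label must match */
}
```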