cURL / Mailing Lists / curl-library / Single Mail


[PATCH] Support for client certificate authentication for darwinssl

From: Nick Zitzmann <>
Date: Wed, 6 Mar 2013 19:10:25 -0700

Before the feature window closes…

I've been working on adding support for client-side authentication in the curl_darwinssl code. The feature is working, but there's a catch, and that's why I wanted to bring this up here - I had to make it work differently than some of the other engines.

Because most of the engines load certificates from files, they load client certificates and private keys from files as well. But since the iOS/OS X Security framework stores and retrieves certificates and keys in a mutable bundle called a "keychain," the certificate and private key have to be present in the keychain for a task to use client authentication.

So with this patch applied, if CURLOPT_SSLCERT is set to some string, then curl_darwinssl will search the system & user keychains for a certificate with a name that matches the string, and its private key. If it can get both, then they are passed to the SSLContextRef, which will supposedly automatically find its intermediate certificates if it wasn't self-signed. If the certificate or private key can't be found in the keychain, or they're found but the user denied them access, then it errors out. The option CURLOPT_SSLKEY is not used.

So if I make a note of this in the documentation, does anyone have any objections to this change? Doesn't NSS do something similar?

Nick Zitzmann

List admin:

Received on 2013-03-07