curl-library
TLS client authentication in curl_darwinssl.c
Date: Mon, 22 Apr 2013 19:50:54 -0600
I'm asking for feedback on a proposed change: I've implemented using a client certificate for TLS authentication in the curl_darwinssl code, but I had to make it work differently than the other back-ends, because Apple's Security framework expects the certificate and private key to be in the system or user Keychain instead of in a file on the disk.
So when the user uses the --cert option in the curl tool, they would provide the name of the certificate from the Keychain instead of a file, and would not have to provide a private key. I think NSS works the same way, but before I commit, I was wondering if it's okay if we do this if the difference is documented (which I did, in the man pages)? Unfortunately there's no public API that creates a SecIdentityRef data structure (which is the structure in Apple's Security framework that holds a certificate and private key) that allows the private key to exist outside of the Keychain.
Nick Zitzmann
<http://www.chronosnet.com/>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/octet-stream attachment: darwinssl-tls-auth.patch
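As an added illustration of the workflow the post describes (this is not Nick's patch or curl's own code), the shell script below shows how a client identity ends up in the macOS Keychain and how the curl tool is then invoked against the darwinssl back-end: `--cert` receives the identity's name and no `--key` is passed, because the private key is looked up in the Keychain alongside the certificate. The PKCS#12 file name, its import password, the certificate label and the target URL are all assumed values. The `security import -T /usr/bin/curl` step is included because a freshly imported key is otherwise guarded by a Keychain access prompt that a non-interactive curl run cannot answer; the curl command is also printed by a separate helper so the exact invocation can be checked before anything is run.

```shell
#!/bin/sh
# Added example, not part of the curl project or of the darwinssl patch:
# put a client certificate + private key into the macOS Keychain and use it
# from the curl tool by name. Assumed inputs: client.p12, P12_PASSWORD,
# the certificate label "My Client Cert", and https://example.com/.
set -eu

# Assemble the curl invocation for the darwinssl back-end: --cert carries the
# Keychain identity name, and there is no --key because the private key is
# resolved from the Keychain. Returned as one printable line.
curl_keychain_cmd() {
    label=$1
    url=$2
    printf "curl --cert '%s' '%s'\n" "$label" "$url"
}

# Import a PKCS#12 bundle (certificate + private key) into the default
# (login) Keychain and grant /usr/bin/curl access to the key so the tool is
# not stopped by an access-control prompt. Needs macOS's `security` tool.
import_identity() {
    p12=$1
    passphrase=$2
    security import "$p12" -P "$passphrase" -T /usr/bin/curl
    # Identities valid for the SSL client policy; the quoted name shown here
    # is the value to hand to --cert.
    security find-identity -v -p ssl-client
}

# Run the full procedure when the macOS tools are present; elsewhere only
# show the curl command that would be issued.
run_example() {
    label=${1:-"My Client Cert"}
    url=${2:-"https://example.com/"}
    if command -v security >/dev/null 2>&1; then
        import_identity client.p12 "${P12_PASSWORD:?set P12_PASSWORD to the PKCS#12 password}"
        curl --cert "$label" "$url"
    else
        curl_keychain_cmd "$label" "$url"
    fi
}

run_example "$@"
```

The `find-identity` listing is the place to confirm that the label you pass to `--cert` actually matches an identity (a certificate with a usable private key) rather than a bare certificate; a certificate imported without its key will not appear there and cannot be used for client authentication.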