

Re: libcurl with Darwin SSL and self-signed certificates

From: Oscar Koeroo <>
Date: Fri, 16 Aug 2013 19:00:08 +0200

Arun Victor <> wrote:
>Hi all,
>I've built libcurl with Darwin SSL (configured with the
>'--with-darwinssl' option). The sunny-day scenarios of using trusted
>certificates work just fine. Problem is that it does not seem to
>recognize self-signed certificates - I get a -9824 error
>(errSSLPeerHandshakeFail) from the Mac OS X Security / Secure Transport
>framework. Has anyone tried this successfully? i.e. use libcurl with
>Darwin SSL and self-signed certs?
>This is what I've done to import the cert into the Security Keychain -
>1. Opened Keychain Access and imported the cert (in .pem format
>with ---BEGIN CERTIFICATE---, ---END CERTIFICATE--- tags) to 'System'
>and 'login' Keychains.
>2. I read a post that said it needs to be in the X509Anchors
>Keychain, which I did not see. So I created a new Keychain called
>'X509Anchors' and imported it into that Keychain as well.
>3. Opened my self-signed certificate in Keychain Access, expanded
>the 'Trust' section, and selected 'Always Trust'
>4. Read about deleting ~/Library/Preferences/*
>and did that.

Did you disable the peer verification? Self-signed certificates are designed to be used as a trust anchor, not a host certificate. Depending on how you read the RFCs, DarwinSSL is doing the right thing IMHO. Alternatively you can sign a (host) certificate from that self-signed cert.

Received on 2013-08-16
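
The alternative suggested in the reply above, as an added example that is not part of the original mail: the self-signed certificate serves only as the trust anchor and signs a separate host certificate. The names `Example Test CA` and `server.example.test`, the file names and the key parameters are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example. All names (Example Test CA, server.example.test) are constructed.
set -eu

issue_host_cert() {   # $1 = work directory, $2 = host name for the server cert
    dir=$1; host=$2
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # 1. The self-signed certificate: used only as the trust anchor.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Key and signing request for the host (-subj overrides the config DN).
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    # 3. Sign the request with the anchor; the host cert is a leaf, not a CA.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/host.ext"
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/host.ext" \
        -out "$dir/host.pem" 2>/dev/null
}

chain_verifies() {    # $1 = trust anchor (PEM), $2 = host certificate (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

workdir=$(mktemp -d)
issue_host_cert "$workdir" server.example.test
chain_verifies "$workdir/ca.pem" "$workdir/host.pem" && echo "host cert chains to anchor"
```

With this layout only `ca.pem` has to be trusted on the client, the server presents `host.pem`, and peer verification stays enabled.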