curl-library
Re: libcurl with Darwin SSL and self-signed certificates
Date: Fri, 16 Aug 2013 19:00:08 +0200
Arun Victor <AVictor_at_flexerasoftware.com> schreef:
>Hi all,
>
>I've built libcurl with Darwin SSL (configured with the
>'--with-darwinssl' option). The sunny-day scenarios of using trusted
>certificates works just fine. Problem is that it does not seem to
>recognize self-signed certificates - I get a -9824 error
>(errSSLPeerHandshakeFail) from the Mac OS X Security / Secure Transport
>framework. Has anyone tried this successfully? i.e. use libcurl with
>Darwin SSL and self-signed certs?
>
>This is what I've done to import the cert into the Security Keychain -
>
>1. Opened Keychain Access and imported the cert (in .pem format
>with ---BEGIN CERTIFICATE---, ---END CERTIFICATE--- tags) to 'System'
>and 'login' Keychains.
>
>2. I read a post that said it needs to be in the X509Anchors
>Keychain, which I did not see. So I created a new Keychain called
>'X509Anchors' and imported it into that Keychain as well.
>
>3. Opened my self-signed certificate in Keychain Access, expanded
>the 'Trust' section, and selected 'Always Trust'
>
>4. Read about deleting ~/Library/Preferences/com.apple.security.*
>and did that.
>
>Thanks,
>Arun.
Did you disable the peer verification? Self - signed certificates are designed to be used as trust anchor, not a host certificate. Depending on how you read the RFCs DarwinSSL is doing the right thing IMHO. Alternatively you can sign an (host) certificate from that self-signed cert.
Oscar
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-08-16