
Re: libcurl with Darwin SSL and self-signed certificates

From: Nick Zitzmann
Date: Fri, 16 Aug 2013 13:25:11 -0600

On Aug 16, 2013, at 10:46 AM, Arun Victor wrote:

> Hi all,
> I've built libcurl with Darwin SSL (configured with the '--with-darwinssl' option). The sunny-day scenarios of using trusted certificates work just fine. Problem is that it does not seem to recognize self-signed certificates - I get a -9824 error (errSSLPeerHandshakeFail) from the Mac OS X Security / Secure Transport framework. Has anyone tried this successfully?

I did, obviously. It worked for me.

> i.e. use libcurl with Darwin SSL and self-signed certs?
> This is what I've done to import the cert into the Security Keychain -

If this site is a Web site, one other thing you could try is visiting the site in Safari. You'll see a security panel indicating that the site's certificate is not trusted. Check the "always trust" check box and proceed. Safari ought to save the certificate in the keychain and set the permissions correctly.

> 1. Opened Keychain Access and imported the cert (in .pem format with ---BEGIN CERTIFICATE---, ---END CERTIFICATE--- tags) to 'System' and 'login' Keychains.
> 2. I read a post that said it needs to be in the X509Anchors Keychain, which I did not see. So I created a new Keychain called 'X509Anchors' and imported it into that Keychain as well.

Don't ever touch the X509Anchors keychain, or any other keychain that is in the /System/Library/Keychains folder. That keychain contains Apple's root certificates. If you need a self-signed certificate that will be trusted by all users, then you need to put the certificate in the System keychain. Despite the name, that one lives in /Library/Keychains and is safe to modify.

Nick Zitzmann

Received on 2013-08-16