curl-library

Re: Could the iOS libcurl support CURLOPT_SSLCERT from disk file

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Mon, 19 Aug 2013 13:31:16 -0600

On Aug 19, 2013, at 9:47 AM, "Xia, Bing" <bxia_at_microstrategy.com> wrote:

> Hello,
>
> I'm using iOS libcurl and I'm glad that it supports the CURLOPT_SSLCERT option now. But it requires that we import the certificate and key into the keychain first. Since an app's keychain is not deleted after the app is uninstalled, this leaves a security hole. Could the iOS libcurl also support reading the certificate and key from a disk file instead of from the keychain? Thank you.

It's complicated, for largely political reasons. We can't support PEM or DER certificates, because Apple does not have a public function for creating a SecIdentityRef from file data for both the certificate and the key loaded from separate files.

Apple does, however, have a function that turns P12 file data into a SecIdentityRef. I think that would solve your problem. I just noticed that the OpenSSL engine also supports P12 files in the CURLOPT_SSLCERT option, but this isn't documented anywhere AFAICT. Perhaps I ought to document this, and then add support for it in the curl_darwinssl code.

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-08-19
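
The P12 route mentioned in the reply, as an added example that is not part of the original mail and is not libcurl code: building a SecIdentityRef from PKCS#12 file data with Apple's SecPKCS12Import, which is assumed here to be the function the reply refers to. The helper name CopyIdentityFromP12 and its parameters are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not from libcurl): read a PKCS#12 file from disk and
// return the first identity (certificate + private key) it contains.
// Returns a retained SecIdentityRef that the caller must CFRelease, or NULL.
// *outStatus receives the OSStatus so the caller can tell a wrong passphrase
// (errSecAuthFailed) from a malformed file (errSecDecode).
static SecIdentityRef CopyIdentityFromP12(NSString *path,
                                          NSString *passphrase,
                                          OSStatus *outStatus)
{
    SecIdentityRef identity = NULL;
    OSStatus status = errSecParam;

    NSData *p12 = [NSData dataWithContentsOfFile:path];
    if (p12 != nil && passphrase != nil) {
        NSDictionary *options =
            @{ (__bridge id)kSecImportExportPassphrase : passphrase };
        CFArrayRef items = NULL;

        status = SecPKCS12Import((__bridge CFDataRef)p12,
                                 (__bridge CFDictionaryRef)options,
                                 &items);

        if (status == errSecSuccess) {
            if (items != NULL && CFArrayGetCount(items) > 0) {
                // Each array entry is a dictionary describing one identity.
                CFDictionaryRef first =
                    (CFDictionaryRef)CFArrayGetValueAtIndex(items, 0);
                identity = (SecIdentityRef)CFDictionaryGetValue(
                    first, kSecImportItemIdentity);
            }
            if (identity != NULL) {
                CFRetain(identity);   // keep it alive after items is released
            } else {
                status = errSecItemNotFound;
            }
        }
        if (items != NULL) {
            CFRelease(items);
        }
    }

    if (outStatus != NULL) {
        *outStatus = status;
    }
    return identity;
}
```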