curl-library
Re: [curl:bugs] #1404 Certificate verification fails using DarwinSSL (fwd)
Date: Thu, 7 Aug 2014 09:13:12 +0200
On Wed, Aug 6, 2014 at 2:07 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> Hi friends!
>
> We could use some Mac devs to check this out... It suggests commit
> cd2cedf002a broke functionality in the darwinssl backend.
>
> See https://sourceforge.net/p/curl/bugs/1404/
>
> --
>
> / daniel.haxx.se
>
> ---------- Forwarded message ----------
>
> ** [bugs:#1404] Certificate verification fails using DarwinSSL**
>
> **Status:** open
> **Labels:** DarwinSSL **Created:** Tue Aug 05, 2014 06:18 PM UTC by Tzu
> **Last Updated:** Tue Aug 05, 2014 06:18 PM UTC
> **Owner:** nobody
>
> Curl release version 7.37.1 broke SSL negotiation using DarwinSSL. This
> worked fine on version 7.37.0. As suggested to me earlier on the irc
> channel, I have built curl from git repository to do a git bisect.
>
> Environment details:
>>
>> OS: Mac OS X 10.9.4 (Darwin Kernel Version 13.3.0)
>> clang: Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
>
>
> ~/curl ❯❯❯ src/curl --version
> curl 7.38.0-DEV (x86_64-apple-darwin13.3.0) libcurl/7.38.0-DEV
> SecureTransport zlib/1.2.5 libidn/1.28 libssh2/1.4.3 librtmp/2.3
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
> pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
> Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz
>
> ~/curl ❯❯❯ src/curl -v https://somedomain.com/path
> * Hostname was NOT found in DNS cache
> * Trying 54.197.232.19...
> * Connected to somedomain.com (54.197.232.19) port 443 (#0)
> * SSL: certificate verification failed (result: 5)
> * Closing connection 0
Any chance it is a self-signed certificate 'somedomain.com' uses?
What happens when the certificate is downloaded and used i.e. curl
--cacert <cert.pem> -v https://somedomain.com/path
If it is a public website, please let me know the actual URL.
Thanks,
Vilmos
> After doing a git bisect on the repository starting from 7.37.0 to 7.37.1,
>
>> ~/curl git:bisect/good-c6d5f80d8b6ec795a3f88833d6f7c471fe8f2b4c:bisect ❯❯❯
>> git bisect good
>> cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7 is the first bad commit
>> commit cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7
>> Author: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
>> Date: Thu Apr 17 07:03:05 2014 -0700
>
>
>> Add support for --cacert in DarwinSSL.
>
>
>> Security Framework on OS X makes it possible to supply extra anchor
>> (CA)
>> certificates via the Certificate, Key, and Trust Services API. This
>> commit makes the '--cacert' option work using this API.
>
>
>> More information:
>
> >
> https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html
>
>> The HTTPS tests now pass on OS X except 314, which requires the '--crl'
>> option to work.
>
>
>> :040000 040000 ff22873e78147e1085203d748d4356bfcb07527e
>> 11e40c9c116e53483e4fdac92b19e3761ae7fe47 M lib
>
>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-07