curl-library

Re: A darwinssl-related bug again

From: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
Date: Fri, 29 Aug 2014 01:02:53 +0200

On Thu, Aug 28, 2014 at 1:55 AM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
> On Thu, Aug 28, 2014 at 1:29 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>>
>> On Aug 27, 2014, at 4:55 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>>
>>> Heya,
>>>
>>> Bug #1417 was just filed, identifying a client cert failure on Mac OS X using the darwinssl backend: https://sourceforge.net/p/curl/bugs/1417/
>>
>> This is not a bug. The darwinssl back-end does not support client certificates in PEM or DER format, because the Security framework function I need to make this work is private API. Only client certificates in P12 format are supported, and only in OS X 10.7 or later, because the Security framework does have a public API for importing a client certificate and private key in PKCS#12 format.
>>
>>> There's also still bug #1404 remaining, which is the darwinssl backend failing to verify the server (wildcard?) cert. Several people have chimed in there with the same problem. https://sourceforge.net/p/curl/bugs/1404/
>>
>> It looks like it only happens with a custom certificate bundle. I'll take a look.
>
> This seems to be a problem with SecTrustEvaluate() returning
> kSecTrustResultRecoverableTrustFailure. Probably it's only a matter of
> calling SecTrustGetTrustResult() and checking for a more exact failure
> code. I'll look into it.

The comment about wildcard certificates was a red herring it seems.

The problem is that if the user via --cacert supplies a certificate
bundle with multiple CA certificates in it, curl_darwinssl.c will only
use the first one.

For a fix, see https://github.com/ldx/curl/tree/darwinsslfix

Can someone confirm this works? I tested it on OS X 10.9 with
- the cacerts.pem bundle from the ticket,
- a cert file containing only one cert and
- a DER cert file.

Thanks,
Vilmos

>> Nick Zitzmann
>> <http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-29
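The bug described above is that a PEM bundle passed with --cacert is treated as if it held a single certificate, so every CA after the first is silently dropped and any server chaining to one of them fails verification. The following is an added example, not code from curl, curl_darwinssl.c or the linked darwinsslfix branch: it shows the loader logic a backend needs to handle the three inputs Vilmos tested (a multi-cert bundle, a single-cert PEM file and a raw DER file). The function and type names (load_certs, b64_decode, struct der_cert) are hypothetical, and the sample inputs are constructed strings whose base64 bodies decode to bytes starting with the ASN.1 SEQUENCE tag 0x30, not real certificates.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CERTS 16
#define MAX_DER   4096

struct der_cert {
    unsigned char der[MAX_DER];
    size_t len;
};

/* Constructed sample inputs (not real certificates, names are hypothetical).
 * The base64 bodies decode to 30 82 01 00 and 30 82 01 01, i.e. they begin
 * with the SEQUENCE tag every DER-encoded certificate begins with. */
static const char SAMPLE_BUNDLE[] =
    "# constructed two-cert bundle, in the layout of a cacert.pem file\n"
    "-----BEGIN CERTIFICATE-----\nMIIBAA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBAQ==\n-----END CERTIFICATE-----\n";
static const char SAMPLE_SINGLE[] =
    "-----BEGIN CERTIFICATE-----\nMIIBAA==\n-----END CERTIFICATE-----\n";
static const char SAMPLE_TRUNCATED[] =
    "-----BEGIN CERTIFICATE-----\nMIIBAA==\n";
static const unsigned char SAMPLE_DER[] = { 0x30, 0x82, 0x01, 0x00 };

static const char PEM_BEGIN[] = "-----BEGIN CERTIFICATE-----";
static const char PEM_END[]   = "-----END CERTIFICATE-----";

/* Decode base64, ignoring line breaks and blanks. Returns the decoded
 * length, or -1 on an illegal character or an output overflow. */
static int b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outmax)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < inlen; i++) {
        char c = in[i];
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;
        if (c == '=')
            break;                       /* padding: end of data */
        const char *p = c ? strchr(tbl, c) : NULL;
        if (!p)
            return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outmax)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;     /* keep only the leftover bits */
        }
    }
    return (int)n;
}

/* Bounded substring search so PEM text need not be NUL-terminated. */
static const char *find(const char *hay, const char *end, const char *needle)
{
    size_t n = strlen(needle);
    for (; hay + n <= end; hay++)
        if (memcmp(hay, needle, n) == 0)
            return hay;
    return NULL;
}

/* Load every certificate from a file image: a raw DER file yields one
 * certificate, a PEM file yields one per BEGIN/END CERTIFICATE block.
 * Returns the number loaded, or -1 on a malformed input. Stopping after
 * the first PEM block is exactly the bug discussed in this thread. */
int load_certs(const unsigned char *buf, size_t len, struct der_cert *out, size_t max)
{
    if (len > 0 && buf[0] == 0x30) {        /* DER: starts with a SEQUENCE tag */
        if (len > MAX_DER || max == 0)
            return -1;
        memcpy(out[0].der, buf, len);
        out[0].len = len;
        return 1;
    }
    const char *p = (const char *)buf, *endp = p + len;
    size_t count = 0;
    while (count < max) {
        const char *b = find(p, endp, PEM_BEGIN);
        if (!b)
            break;                           /* no more blocks */
        b += strlen(PEM_BEGIN);
        const char *e = find(b, endp, PEM_END);
        if (!e)
            return -1;                       /* truncated block */
        int n = b64_decode(b, (size_t)(e - b), out[count].der, MAX_DER);
        if (n <= 0 || out[count].der[0] != 0x30)
            return -1;                       /* not a DER certificate */
        out[count].len = (size_t)n;
        count++;
        p = e + strlen(PEM_END);
    }
    return (int)count;
}

int main(void)
{
    struct der_cert certs[MAX_CERTS];
    int n = load_certs((const unsigned char *)SAMPLE_BUNDLE, sizeof(SAMPLE_BUNDLE) - 1,
                       certs, MAX_CERTS);
    printf("bundle: %d certificate(s) loaded\n", n);
    n = load_certs(SAMPLE_DER, sizeof(SAMPLE_DER), certs, MAX_CERTS);
    printf("DER file: %d certificate(s) loaded\n", n);
    return 0;
}
```

A backend that only ever hands the first decoded block to the TLS library gets 1 for the bundle case and trusts only that CA; a loader like the one above returns 2 and lets the caller install all of them as anchors. Rejecting a decoded block that does not start with 0x30 catches a base64 body that is not a certificate at all before it reaches the trust store.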