curl-library
Re: A darwinssl-related bug again
Date: Fri, 29 Aug 2014 01:02:53 +0200
On Thu, Aug 28, 2014 at 1:55 AM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
> On Thu, Aug 28, 2014 at 1:29 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>>
>> On Aug 27, 2014, at 4:55 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>>
>>> Heya,
>>>
>>> Bug #1417 was just filed, identifying a client cert failure on Mac OS X using the darwinssl backend: https://sourceforge.net/p/curl/bugs/1417/
>>
>> This is not a bug. The darwinssl back-end does not support client certificates in PEM or DER format, because the Security framework function I need to make this work is private API. Only client certificates in P12 format are supported, and only in OS X 10.7 or later, because the Security framework does have a public API for importing a client certificate and private key in PKCS#12 format.
>>
>>> There's also still bug #1404 remaining, which is the darwinssl backend failing to verify the server (wildcard?) cert. Several people have chimed in there with the same problem. https://sourceforge.net/p/curl/bugs/1404/
>>
>> It looks like it only happens with a custom certificate bundle. I'll take a look.
>
> This seems to be a problem with SecTrustEvaluate() returning
> kSecTrustResultRecoverableTrustFailure. Probably it's only a matter of
> calling SecTrustGetTrustResult() and checking for a more exact failure
> code. I'll look into it.
The comment about wildcard certificates was a red herring it seems.
The problem is that if the user via --cacert supplies a certificate
bundle with multiple CA certificates in it, curl_darwinssl.c will only
use the first one.
For a fix, see https://github.com/ldx/curl/tree/darwinsslfix
Can someone confirm this works? I tested it on OS X 10.9 with
- the cacerts.pem bundle from the ticket,
- a cert file containing only one cert and
- a DER cert file.
Thanks,
Vilmos
>> Nick Zitzmann
>> <http://www.chronosnet.com/>
>>
>>
>>
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-29