
curl-library

Re: A darwinssl-related bug again

From: Toby Peterson <toby_at_apple.com>
Date: Wed, 03 Sep 2014 14:23:49 -0700

> On Sep 3, 2014, at 03:41, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>
> On Wed, Sep 3, 2014 at 11:55 AM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>> On Wed, Sep 3, 2014 at 1:16 AM, Toby Peterson <toby_at_apple.com> wrote:
>>> On Aug 29, 2014, at 03:55, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>>
>>>> On Fri, Aug 29, 2014 at 1:56 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>>>>>
>>>>> On Aug 28, 2014, at 6:02 PM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>>>
>>>>>> The comment about wildcard certificates was a red herring it seems.
>>>>>>
>>>>>> The problem is that if the user via --cacert supplies a certificate
>>>>>> bundle with multiple CA certificates in it, curl_darwinssl.c will only
>>>>>> use the first one.
>>>>>>
>>>>>> For a fix, see https://github.com/ldx/curl/tree/darwinsslfix
>>>>>>
>>>>>> Can someone confirm this works? I tested it on OS X 10.9 with
>>>>>> - the cacerts.pem bundle from the ticket,
>>>>>> - a cert file containing only one cert and
>>>>>> - a DER cert file.
>>>>>
>>>>> Great! I can confirm that this works with the PEM bundle in the bug report.
>>>>>
>>>>> Could you please clean up the compiler warnings, fix the code style issues (which you can see by building the project with --enable-debug specified), remove the "SSL: parsing CA certificate file" and "SSL: certificate verification succeeded" verbose log messages, and then submit a pull request?
>>>>
>>>> Here it is:
>>>>
>>>> https://github.com/bagder/curl/pull/114
>>>>
>>>> Thanks Nick!
>>>
>>> Quick followup. 4c134bc seems to function as intended - thanks! However, the second change (0426670) breaks the build on iOS, because SecCertificateCopyPublicKey is not available. I'm not aware of a good replacement, unfortunately. #ifdef'ing that check out works, of course.
>>
>> The only reason for using SecCertificateCopyPublicKey() is to check if
>> the CA certificate was valid. Let me try some other
>> SecCertificateCopy*() functions that are available on iPhone to see if
>> they also catch invalid certificates.
>
> This PR fixes the issue:
>
> https://github.com/bagder/curl/pull/116
>
> Toby, can you test this compiles for iPhone? Thanks!

Yes, that change builds for iOS, and also appears to work (no cert verification errors).

- Toby

>
>> Vilmos
>>
>>> - Toby
>>>
>>>>
>>>> Cheers,
>>>> Vilmos
>>>>
>>>>> Thanks!
>>>>>
>>>>> Nick Zitzmann
>>>>> <http://www.chronosnet.com/>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>>>> Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-09-03
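The bug discussed in this thread is a trust-store loader that reads a multi-certificate --cacert bundle but keeps only the first CA, so any server chain anchored at one of the other CAs fails verification. The following is an added illustration, not code from curl or from anyone in the thread: a small standard-library Python loader that splits a PEM bundle into every certificate it contains (and accepts a single DER file, as the thread mentions), next to a first-only variant that reproduces the defect. The certificate bytes are constructed placeholders (minimal DER SEQUENCE values, not real X.509 certificates), and the function names are this example's own.

```python
"""Split a CA bundle into individual certificates (PEM or DER).

Added illustration for the bug described in the thread: a trust-store loader
that keeps only the first certificate of a --cacert bundle silently drops
every other CA, so chains anchored at the other CAs fail verification.
Standard library only; the certificate bytes below are constructed
placeholders (minimal DER SEQUENCEs), not real certificates.
"""
import base64
import re

# One PEM block, whatever surrounds it (cacert.pem-style bundles carry comments).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def is_der_sequence(blob: bytes) -> bool:
    """Every X.509 certificate is a DER SEQUENCE, so the first byte is 0x30."""
    return len(blob) >= 2 and blob[0] == 0x30


def load_bundle(data: bytes) -> list:
    """Return every certificate in a bundle as DER bytes.

    PEM input may carry many certificates; DER input is a single certificate.
    """
    if b"-----BEGIN CERTIFICATE-----" in data:
        certs = []
        for b64 in PEM_BLOCK.findall(data.decode("ascii", errors="strict")):
            der = base64.b64decode("".join(b64.split()), validate=True)
            if not is_der_sequence(der):
                raise ValueError("PEM block does not decode to a DER SEQUENCE")
            certs.append(der)
        if not certs:
            raise ValueError("no CERTIFICATE blocks found in PEM data")
        return certs
    if is_der_sequence(data):
        return [data]
    raise ValueError("input is neither PEM nor DER")


def load_bundle_first_only(data: bytes) -> list:
    """The failure mode from the thread: stop after the first certificate."""
    return load_bundle(data)[:1]


def pem_encode(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed placeholders: minimal DER SEQUENCE values standing in for three
# distinct CA certificates.  They are not parseable X.509 certificates.
FAKE_CA_1 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_CA_2 = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
FAKE_CA_3 = bytes([0x30, 0x03, 0x02, 0x01, 0x03])

# Constructed bundle in the layout of a cacert.pem: a comment line followed by
# several PEM blocks.
SAMPLE_BUNDLE = (
    "# constructed CA bundle with three entries\n"
    + pem_encode(FAKE_CA_1) + pem_encode(FAKE_CA_2) + pem_encode(FAKE_CA_3)
).encode("ascii")


def trusted_by(bundle_certs, candidate: bytes) -> bool:
    """Simplified anchor lookup: is the candidate one of the loaded CAs?"""
    return candidate in bundle_certs


if __name__ == "__main__":
    full = load_bundle(SAMPLE_BUNDLE)
    first = load_bundle_first_only(SAMPLE_BUNDLE)
    print(f"loaded {len(full)} CAs correctly, {len(first)} with the first-only bug")
    print("CA 3 trusted (correct loader):", trusted_by(full, FAKE_CA_3))
    print("CA 3 trusted (first-only loader):", trusted_by(first, FAKE_CA_3))
```

Run as a script it reports three CAs from the correct loader and one from the first-only loader, and shows the third CA as untrusted under the buggy variant. A quick sanity check on a real bundle is to compare the number of `BEGIN CERTIFICATE` lines with the number of anchors the TLS backend actually installed; a mismatch is the symptom the thread describes.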