curl-library

[PATCH] Fix darwinssl build for iPhone (was: A darwinssl-related bug again)

From: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
Date: Thu, 4 Sep 2014 15:46:51 +0200

On Wed, Sep 3, 2014 at 11:23 PM, Toby Peterson <toby_at_apple.com> wrote:
>
>> On Sep 3, 2014, at 03:41, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>
>> On Wed, Sep 3, 2014 at 11:55 AM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>> On Wed, Sep 3, 2014 at 1:16 AM, Toby Peterson <toby_at_apple.com> wrote:
>>>> On Aug 29, 2014, at 03:55, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>>>
>>>>> On Fri, Aug 29, 2014 at 1:56 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>>>>>>
>>>>>> On Aug 28, 2014, at 6:02 PM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>>>>
>>>>>>> The comment about wildcard certificates was a red herring it seems.
>>>>>>>
>>>>>>> The problem is that if the user via --cacert supplies a certificate
>>>>>>> bundle with multiple CA certificates in it, curl_darwinssl.c will only
>>>>>>> use the first one.
>>>>>>>
>>>>>>> For a fix, see https://github.com/ldx/curl/tree/darwinsslfix
>>>>>>>
>>>>>>> Can someone confirm this works? I tested it on OS X 10.9 with
>>>>>>> - the cacerts.pem bundle from the ticket,
>>>>>>> - a cert file containing only one cert and
>>>>>>> - a DER cert file.
>>>>>>
>>>>>> Great! I can confirm that this works with the PEM bundle in the bug report.
>>>>>>
>>>>>> Could you please clean up the compiler warnings, fix the code style issues (which you can see by building the project with --enable-debug specified), remove the "SSL: parsing CA certificate file" and "SSL: certificate verification succeeded" verbose log messages, and then submit a pull request?
>>>>>
>>>>> Here it is:
>>>>>
>>>>> https://github.com/bagder/curl/pull/114
>>>>>
>>>>> Thanks Nick!
>>>>
>>>> Quick followup. 4c134bc seems to function as intended - thanks! However, the second change (0426670) breaks the build on iOS, because SecCertificateCopyPublicKey is not available. I'm not aware of a good replacement, unfortunately. #ifdef'ing that check out works, of course.
>>>
>>> The only reason for using SecCertificateCopyPublicKey() is to check if
>>> the CA certificate was valid. Let me try some other
>>> SecCertificateCopy*() functions that are available on iPhone to see if
>>> they also catch invalid certificates.
>>
>> This PR fixes the issue:
>>
>> https://github.com/bagder/curl/pull/116
>>
>> Toby, can you test this compiles for iPhone? Thanks!
>
> Yes, that change builds for iOS, and also appears to work (no cert verification errors).

Thanks!

Attached a patch with this fix.

Cheers,
Vilmos

> - Toby
>
>>
>>> Vilmos
>>>
>>>> - Toby
>>>>
>>>>>
>>>>> Cheers,
>>>>> Vilmos
>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Nick Zitzmann
>>>>>> <http://www.chronosnet.com/>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>>>>> Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-09-04
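
The bundle problem discussed in this thread, as an added example (not code from curl, the pull requests, or the attached patch): a PEM bundle walker that visits every certificate block instead of stopping after the first. The names pem_next_cert, pem_count_certs and SAMPLE_BUNDLE are hypothetical, the sample bundle is constructed, and the check is structural only (no base64 or X.509 validation).

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Locate the next certificate block at or after *pos. Returns 1 and sets
 * body/len to the base64 text between the markers, 0 when no BEGIN marker
 * is left, -1 when a block is unterminated or nested. */
static int pem_next_cert(const char **pos, const char **body, size_t *len)
{
  const char *begin = strstr(*pos, PEM_BEGIN);
  const char *end, *next;
  if(!begin)
    return 0;
  begin += strlen(PEM_BEGIN);
  end = strstr(begin, PEM_END);
  next = strstr(begin, PEM_BEGIN);
  if(!end || (next && next < end))
    return -1;
  *body = begin;
  *len = (size_t)(end - begin);
  *pos = end + strlen(PEM_END);
  return 1;
}

/* Count certificates: max == 0 walks the whole bundle, max == 1 reproduces
 * the "first certificate only" behaviour. -1 means a malformed block. */
int pem_count_certs(const char *bundle, int max)
{
  const char *pos = bundle, *body;
  size_t len;
  int rc = 0, n = 0;
  while((max == 0 || n < max) && (rc = pem_next_cert(&pos, &body, &len)) == 1)
    n++;
  return rc < 0 ? -1 : n;
}

/* Constructed sample: placeholder base64, not real certificates. */
const char SAMPLE_BUNDLE[] =
  "# Root A\n" PEM_BEGIN "\nQUFB\n" PEM_END "\n"
  "# Root B\n" PEM_BEGIN "\nQkJC\n" PEM_END "\n"
  "# Root C\n" PEM_BEGIN "\nQ0ND\n" PEM_END "\n";

int main(void)
{
  printf("all=%d first-only=%d\n", pem_count_certs(SAMPLE_BUNDLE, 0),
         pem_count_certs(SAMPLE_BUNDLE, 1));
  return 0;
}
```

A loader that stops at the first block trusts only "Root A" here, so a server chaining to either of the other two roots fails verification even though its CA is in the file.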