curl-library

Re: Problem with CURLOPT_SSL_VERIFYHOST on OSX

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Sun, 29 Mar 2015 11:20:30 -0500

> On Mar 28, 2015, at 6:43 PM, Jeroen Ooms <jeroen.ooms_at_stat.ucla.edu> wrote:
>
> In my client I disabled all SSL verification using:
>
> curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
>
> However for some servers this actually results in an error. For
> example on OSX 10.10, this works:
>
>> curl https://media.mongodb.org/zips.json
>
> But this fails:
>
>> curl --insecure https://media.mongodb.org/zips.json
> curl: (35) SSL peer handshake failed, the server most likely requires
> a client certificate to connect

Can you file a bug with Apple, please? I think the problem is in the Security framework, not curl, because what's happening is --insecure sets the option "kSSLSessionOptionBreakOnServerAuth" in the SSLContextRef, but for some reason, the call to SSLHandshake() after the context is configured is returning errSSLPeerHandshakeFail on that server when that option is set. I've never seen this happen before. It certainly doesn't happen with "mainstream" sites like Google, Apple, etc.

Apple's bug reporter is here: <https://bugreport.apple.com/>

Nick Zitzmann
<http://www.chronosnet.com/>

Received on 2015-03-29