curl-library

Re: Curl ES 60: Invalid certificate chain on MacOS 10.10.3 (Yosemite)

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 08 May 2015 13:35:47 -0400

On 5/8/2015 11:28 AM, Volker Schmid wrote:
> Hello,
>
> not sure if this answer is correctly assigned. Sorry.
>
>> Hi,
>> This snippet from CURLOPT_CAPATH doc might be relevant:
>>
>> "If libcurl is built against OpenSSL, the certificate directory must be
>> prepared using the openssl c_rehash utility. "
>>
>> HTH,
>> -Vadim
>
> I don't think that curl on MacOS (Yosemite) is compiled against
> OpenSSL. This is what otool is saying on my system:
>
> otool -L /usr/bin/curl
> /usr/bin/curl: /usr/lib/libcurl.4.dylib (compatibility version 7.0.0,
> current version 8.0.0)
> /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
> 1.2.5)
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
> version 1197.1.1)
>
> otool -L /usr/lib/libcurl.4.dylib
> /usr/lib/libcurl.4.dylib: /usr/lib/libcurl.4.dylib (compatibility
> version 7.0.0, current version 8.0.0)
> /System/Library/Frameworks/Security.framework/Versions/A/Security
> (compatibility version 1.0.0, current version 55471.14.7)
> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
> (compatibility version 150.0.0, current version 855.17.0)
> /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
> (compatibility version 1.0.0, current version 2.4.0)
> /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos
> (compatibility version 5.0.0, current version 6.0.0)
> /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
> 1.2.5)
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
> version 1197.1.1)
>
> It works on three systems, on one it fails. I believe that c_rehash
> was not used on the three systems before.
>

Apple's security framework relies on an OS central database of
certificates from what I've read [1]. Can you post a way to reproduce?
Maybe someone else on the list that uses Mac can try the website to see
if they get the same result. Why don't you post curl -V, and the curl
verbose output here as well.

[1]: http://curl.haxx.se/docs/ssl-compared.html

Received on 2015-05-08