cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: curl importing certs into mac keystore?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 9 Nov 2015 09:55:39 +0100 (CET)

On Sun, 8 Nov 2015, Nick Zitzmann wrote:

> I checked this, and yes, as of OS X 10.11, importing a P12 identity using
> curl does cause it to get written to the Keychain. However...
>
> 1. We aren't doing this intentionally; the Security framework must be doing
> this when either importing the P12 file using SecPKCS12Import() or setting
> the identity in the context using SSLSetCertificate().
>
> 2. This isn't a security hole, since the user's Keychain is a protected
> area, and someone can't just come along and read the private key without
> authentication.
>
> Want me to document it?

I think ideally we should make it not do this, so that it will switch to
working like it works with the other backends.

If that is hard/inconvenient in some way we should document how it actually
behaves right now.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-11-09