Re: curl importing certs into mac keystore?

From: Daniel Stenberg
Date: Mon, 9 Nov 2015 09:55:39 +0100 (CET)

On Sun, 8 Nov 2015, Nick Zitzmann wrote:

> I checked this, and yes, as of OS X 10.11, importing a P12 identity using
> curl does cause it to get written to the Keychain. However...
> 1. We aren't doing this intentionally; the Security framework must be doing
> this when either importing the P12 file using SecPKCS12Import() or setting
> the identity in the context using SSLSetCertificate().
> 2. This isn't a security hole, since the user's Keychain is a protected
> area, and someone can't just come along and read the private key without
> authentication.
> Want me to document it?

I think ideally we should make it not do this, so that it will switch to
working like it works with the other backends.

If that is hard/inconvenient in some way we should document how it actually
behaves right now.

Received on 2015-11-09