cURL / Mailing Lists / curl-library / Single Mail


Re: Client Certificate chains on OSX Secure Transport versions of curl and libcurl

From: Ray Satiro via curl-library <>
Date: Sat, 20 Feb 2016 00:47:25 -0500

On 2/18/2016 1:39 PM, John Broadhead wrote:
> Is there a way to make libcurl send intermediate certificates for client auth? I'm using curl 7.43.0 on OSX El Capitan.
> On Linux, I can run:
> curl -v --cert-type PEM --cert ./full_chain.pem --key-type PEM --key ./john.broadhead.key.pem ""
> In this case, "full_chain.pem" has both the client and intermediate certificates, it will send both in the TLS request. The server will authenticate the client certificate.
> But on Mac, I do:
> curl -v --cert-type P12 --cert ./john.broadhead.p12:pass ""
> Even though "john.broadhead.p12" contains certificates for both the client and the intermediate CA, the TLS request only sends the client certificate. Because the server doesn't have the intermediate CA certificate, verification fails.
> I have this same problem when trying to use the libcurl API as well.
> Is this a bug, oversight. Something too difficult to implement? Or is there some trick that I'm missing?

I don't use OS X but I think this probably has to do with the SSL
backend curl is using. In OS X the native backend Secure Transport may
not support doing that. I would check your curl -V for Linux and Mac and
compare. It's possible that whatever SSL backend curl is using in Linux
you may be able to use in OS X to work around this issue.
List admin:
Received on 2016-02-20