cURL / Mailing Lists / curl-library / Single Mail


Re: VerifyPeer in OpenSSL vs DarwinSSL

From: Daniel Stenberg <>
Date: Thu, 17 Mar 2016 00:02:17 +0100 (CET)

On Wed, 16 Mar 2016, JOHAN LANTZ wrote:

> And if I turn off verifypeer with this option:
> It works ok.
> I understand I need to provide a .crt file for this feature to work properly
> but I have one question:
> In iOS towards the same server I do not see this issue. Does this mean
> that DarwinSSL does this automagically or does it mean DarwinSSL does not
> have this feature?

During the TLS handshake, the client (curl) checks that server certificate is
signed by a trusted CA. That's the verification you can disable with

When curl verifies the server's certificate, it needs a "CA store" with
certificates for all the CAs that curl is told to trust. That store of certs
is handled differently depending on what TLS library libcurl is built to use.

If built libcurl to use OpenSSL, you need to tell it where the cert bundle is
for your transfers (you can use separate ones for each transfer if you like!).
It also gets a default path provided at build-time.

If libcurl is built to use DarwinSSL, it is told to instead use the Mac system
CA store. The libcurl will trust the same set of CAs that your operating
system is already trusting. Basically the set of organizations Apple has
deemed trustworthy for this.

List admin:
Received on 2016-03-17