
curl-library

Re: Libcurl Darwin SSL Errors

From: Kelly Graus <kelly.graus_at_toltech.net>
Date: Tue, 14 Nov 2017 14:26:19 -0700

> On Nov 14, 2017, at 2:07 PM, Ray Satiro via curl-library <curl-library_at_cool.haxx.se> wrote:
>
> On 11/14/2017 3:56 PM, Kelly Graus wrote:
>>
>>
>>> On Nov 14, 2017, at 1:10 PM, Ray Satiro via curl-library <curl-library_at_cool.haxx.se> wrote:
>>>
>>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>>> I’ve been using libcurl in an OS X app for several years, linking against the system provided dynamic library. Recently we wanted to add the ability to do a multipart form post, which requires a newer version of libcurl than is provided by Apple. So I downloaded the source and compiled it using the following options:
>>>>
>>>> ./configure --prefix=/usr/local/curl --with-darwinssl --enable-static --disable-ldap --disable-ldaps
>>>>
>>>> I then link against the static library that is built, and everything works great.
>>>>
>>>> However, when I build a release and run it on a different machine, I receive the following error whenever I try to download a file using HTTPS: "Problem with the SSL CA cert (path? access rights?)."
>>>>
>>>> I’ve tried it on two test machines, both of which are running slightly older versions of OS X than what I used to compile with (10.11 and 10.12, where I’m using 10.13). I don’t have another 10.13 machine right now to test if this is related to the OS version.
>>>
>>> What is the curl_version()? Also turn on CURLOPT_VERBOSE [1] to check for
>>> relevant information.
>>>
>>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
>>
>> Using curl_version_info, I get the following:
>>
>> libcurl 7.56.1
>> ssl: SecureTransport
>> host: x86_64-apple-darwin17.2.0
>> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
>> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file, NTLM-WB, Unix Sockets
>>
>> With verbose output enabled, I see the underlying error is "SSL: can't load CA certificate file /etc/ssl/cert.pem." I’ve verified that this file is missing on the machines that don’t work. I’m looking into where those files are supposed to be from, but if anyone knows it would be greatly appreciated!
>
> That type is tiny, I can barely read it. There is only one place it fails with that error in darwinssl.c:
>
> https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671
>
> ... and that would only happen if cafile was set which would only happen if CURLOPT_CAINFO [1] was set in your program or configure set a default location but iirc darwinssl is supposed to use apple's built in certificate store by default.
>
> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>

I’ve done a search through all our code, we never use CURLOPT_CAINFO. I was under the impression that specifying --with-darwinssl and --without-ssl would build curl to use only SecureTransport and the OS X keychain, so I’m also confused as to why it’s trying to load a certificate from the file system.

You mention a configure option to set the default location - do you have any additional information about that? I’m not specifically setting it when building, but maybe it’s something I need to disable?
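As an added example (not part of this mail or of curl's own sources): a small POSIX shell check that asks the built libcurl, via `curl-config --ca`, for the CA bundle path that configure baked in at build time, and reports whether that file exists on the machine it runs on. It assumes the install prefix from the configure line quoted above; CURL_CONFIG is an assumed override variable, and `--without-ca-bundle` is curl's configure option for dropping the compiled-in default so a darwinssl build relies on the keychain alone.

```shell
#!/bin/sh
# Added example, not from the thread. Detects a libcurl build whose
# compiled-in CA bundle path exists on the build machine but not on the
# machine the app is deployed to (the symptom described in the thread).
# Prefix matches the configure line quoted above; CURL_CONFIG is an
# assumed override.
CURL_CONFIG="${CURL_CONFIG:-/usr/local/curl/bin/curl-config}"

# Print the CA bundle path configure baked into this build (empty if none).
compiled_in_ca_bundle() {
    "$CURL_CONFIG" --ca 2>/dev/null || true
}

# Classify a compiled-in path the way libcurl will experience it at runtime:
#   keychain - nothing baked in, SecureTransport uses the system trust store
#   present  - the bundle is readable here (what the build machine saw)
#   missing  - a path is baked in but the file is absent here (the error)
classify_ca_bundle() {
    ca="$1"
    if [ -z "$ca" ]; then
        echo keychain
    elif [ -r "$ca" ]; then
        echo present
    else
        echo missing
    fi
}

# The configure line from the thread with the bundle default disabled.
suggested_configure_line() {
    echo "./configure --prefix=/usr/local/curl --with-darwinssl --enable-static --disable-ldap --disable-ldaps --without-ca-bundle"
}

# Report the build's CA bundle state; non-zero exit only when it is missing.
main() {
    if [ ! -x "$CURL_CONFIG" ]; then
        echo "curl-config not found at $CURL_CONFIG; nothing to check" >&2
        return 0
    fi
    ca=$(compiled_in_ca_bundle)
    state=$(classify_ca_bundle "$ca")
    printf 'compiled-in CA bundle: %s (%s)\n' "${ca:-<none>}" "$state"
    [ "$state" = missing ] || return 0
    echo "TLS setup will fail on machines without $ca. Either rebuild with:"
    echo "  $(suggested_configure_line)"
    echo "or ship the bundle with the app and point CURLOPT_CAINFO at it."
    return 1
}

main
```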

Received on 2017-11-14