Re: Libcurl Darwin SSL Errors

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 14 Nov 2017 17:47:20 -0500

On 11/14/2017 4:26 PM, Kelly Graus wrote:
>> On Nov 14, 2017, at 2:07 PM, Ray Satiro via curl-library
>> <curl-library_at_cool.haxx.se <mailto:curl-library_at_cool.haxx.se>> wrote:
>>
>> On 11/14/2017 3:56 PM, Kelly Graus wrote:
>>>
>>>
>>>> On Nov 14, 2017, at 1:10 PM, Ray Satiro via curl-library
>>>> <curl-library_at_cool.haxx.se <mailto:curl-library_at_cool.haxx.se>> wrote:
>>>>
>>>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>>>> I’ve been using libcurl in an OS X app for several years, linking
>>>>> against the system provided dynamic library.  Recently we wanted
>>>>> to add the ability to do a multipart form post, which requires a
>>>>> newer version of libcurl than is provided by Apple.  So I
>>>>> downloaded the source and compiled it using the following options:
>>>>>
>>>>> ./configure --prefix=/usr/local/curl --with-darwinssl
>>>>> --enable-static --disable-ldap --disable-ldaps
>>>>>
>>>>> I then link against the static library that is built, and
>>>>> everything works great.
>>>>>
>>>>> However, when I build a release and run it on a different machine,
>>>>> I receive the following error whenever I try to download a file
>>>>> using HTTPS: "Problem with the SSL CA cert (path? access rights?)."
>>>>>
>>>>> I’ve tried it on two test machines, both of which are running
>>>>> slightly older versions of OS X than what I used to compile with
>>>>> (10.11 and 10.12, where I’m using 10.13).  I don’t have another
>>>>> 10.13 machine right now to test if this is related to the OS version.
>>>>
>>>> What is the curl_version() and turn on CURLOPT_VERBOSE [1] to check for
>>>> relevant information.
>>>>
>>>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
>>>
>>> Using curl_version_info, I get the following:
>>>
>>> libcurl 7.56.1
>>> ssl: SecureTransport
>>> host: x86_64-apple-darwin17.2.0
>>> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps,
>>> pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
>>> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file,
>>> NTLM-WB, Unix Sockets
>>>
>>> With verbose output enabled, I see the underlying error is "SSL:
>>> can't load CA certificate file /etc/ssl/cert.pem."  I’ve verified
>>> that this file is missing on the machines that don’t work.  I’m
>>> looking into where those files are supposed to be from, but if
>>> anyone knows it would be greatly appreciated!
>>
>> That type is tiny, I can barely read it. There is only one place it
>> fails with that error in darwinssl.c
>>
>> https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671
>>
>> ... and that would only happen if cafile was set which would only
>> happen if CURLOPT_CAINFO [1] was set in your program or configure set
>> a default location but iirc darwinssl is supposed to use apple's
>> built in certificate store by default.
>>
>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>>
>
> I’ve done a search through all our code, we never use CURLOPT_CAINFO.
> I was under the impression that specifying --with-darwinssl and
> --without-ssl would build curl to use only SecureTransport and the OS X
> keychain, so I’m also confused as to why it’s trying to load a
> certificate from the file system.
>
> You mention a configure option to set the default location - do you
> have any additional information about that?  I’m not specifically
> setting it when building, but maybe it’s something I need to disable?

There's a ca fallback option but it only works for openssl, gnutls and
polarssl. Looking at the configure script it seems it will autodetect a
certificate bundle location for any ssl though, unless I'm reading it
wrong. Are you sure there's no /etc/ssl/cert.pem on the build machine?
Try --without-ca-bundle --without-ca-path
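The check discussed above, as an added helper script that is not part of this thread: it asks an installed build's curl-config for the CA bundle path that configure baked in, and classifies whether that path will exist on the machine the build is deployed to. The script name check_curl_ca.sh and the curl-config location are assumptions.

```shell
#!/bin/sh
# Added helper, not code from the thread. Classifies the CA bundle path that
# configure compiled into a libcurl build, so a build can be checked on a
# deployment machine before it fails with "can't load CA certificate file".
#
# Usage: sh check_curl_ca.sh [/usr/local/curl/bin/curl-config]
# (the curl-config path and install prefix are assumptions; adjust them)

# Classify a compiled-in CA bundle path:
#   native  - no path baked in; the TLS backend uses its own trust store
#   present - a path is baked in and readable on this machine
#   missing - a path is baked in but absent here (the failure in this thread)
ca_bundle_status() {
    path="$1"
    if [ -z "$path" ]; then
        echo native
    elif [ -r "$path" ]; then
        echo present
    else
        echo missing
    fi
}

# Query an installed build through its curl-config script and print a verdict.
# curl-config --ca prints the compiled-in bundle path (empty if none),
# --configure prints the arguments the build was configured with.
report_build() {
    cfg="${1:-curl-config}"
    ca="$("$cfg" --ca 2>/dev/null)" || { echo "cannot run $cfg"; return 1; }
    status="$(ca_bundle_status "$ca")"
    echo "configure args: $("$cfg" --configure 2>/dev/null)"
    echo "compiled-in CA bundle: ${ca:-(none)} -> $status"
    case "$status" in
        missing)
            echo "this build expects $ca; rebuild with" \
                 "--without-ca-bundle --without-ca-path to use the native store" ;;
    esac
}

# Run the report only when executed directly, not when sourced by a test.
if [ "${0##*/}" = "check_curl_ca.sh" ]; then
    report_build "$@"
fi
```

Run it on the build machine and on a target machine; a path that is "present" on the first and "missing" on the second is exactly the autodetected default the thread describes.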

Received on 2017-11-14