curl-library

AW: Libcurl Darwin SSL Errors

From: Hölzl, Dominik <Dominik.Hoelzl_at_fabasoft.com>
Date: Wed, 15 Nov 2017 08:34:44 +0000

>>
>>
>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>
>> I’ve been using libcurl in an OS X app for several years, linking against the system provided dynamic library. Recently we wanted to add the ability to do a multipart form post, which requires a newer version of libcurl than is provided by Apple. So I downloaded the source and compiled it using the following options:
>>
>> ./configure --prefix=/usr/local/curl --with-darwinssl --enable-static --disable-ldap --disable-ldaps
>>
>> I then link against the static library that is built, and everything works great.
>>
>> However, when I build a release and run it on a different machine, I receive the following error whenever I try to download a file using HTTPS: "Problem with the SSL CA cert (path? access rights?)."
>>
>> I’ve tried in on two test machines, both of which are running slightly older versions of OS X than what I used to compile with (10.11 and 10.12, where I’m using 10.13). I don’t have another 10.13 machine right now to test if this is related to the OS version.
>>
>> What is the curl_version() and turn on CURLOPT_VERBOSE [1] to check for
>> relevant information.
>>
>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
>>
>> Using curl_version_info, I get the following:
>>
>> libcurl 7.56.1
>> ssl: SecureTransport
>> host: x86_64-apple-darwin17.2.0
>> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
>> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file, NTLM-WB, Unix Sockets
>>
>>
>> With verbose output enabled, I see the underlying error is "SSL: can't load CA certificate file /etc/ssl/cert.pem." I’ve verified that this file is missing on the machines that don’t work. I’m looking into where those files are supposed to be from, but if anyone knows it would be greatly appreciated!
>>
>> That type is tiny; I can barely read it. There is only one place it fails with that error in darwinssl.c:
>>
>> https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671
>>
>> ... and that would only happen if cafile was set, which would only happen if CURLOPT_CAINFO [1] was set in your program or configure set a default location, but IIRC darwinssl is supposed to use Apple's built-in certificate store by default.
>>
>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>>
>> I’ve done a search through all our code, we never use CURLOPT_CAINFO. I was under the impression that specifying --with-darwinssl and --without-ssl would build curl to use only SecureTransport and the OS X keychain, so I’m also confused as to why it’s trying to load a certificate from the file system.
>>
>> You mention a configure option to set the default location - do you have any additional information about that? I’m not specifically setting it when building, but maybe it’s something I need to disable?
>>
>> There's a CA fallback option but it only works for OpenSSL, GnuTLS and PolarSSL. Looking at the configure script it seems it will autodetect a certificate bundle location for any SSL backend though, unless I'm reading it wrong. Are you sure there's no /etc/ssl/cert.pem on the build machine? Try --without-ca-bundle --without-ca-path
>>
>> The build machine does have those files (which I’m assuming is why it worked). Those two configure options seem to have sorted everything out. Thanks for your help!
>>

Hello!

When using a current version of cURL with SecureTransport on macOS (newer than the version of cURL shipped with the system), we explicitly need to set CURLOPT_CAINFO (and CURLOPT_PROXY_CAINFO) to NULL to prevent cURL from additionally checking, by default, against a CA bundle in the file system (/etc/ssl/cert.pem). This CA bundle file is not synchronized with the keychain and therefore does not contain any manually imported root certificates, so the certificate validation fails.

Regards,
Dominik

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-11-15