curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: self signed certificates evaluation fails on Windows and OSX using the system provided back end

From: Daniel Stenberg via curl-library <>
Date: Sun, 11 Apr 2021 00:05:00 +0200 (CEST)

On Wed, 7 Apr 2021, Vojtěch Bubník via curl-library wrote:

> since we switched libcurl to use the system provided back-end, self-signed
> certificates evaluation fails on Windows and OSX.

I'll let you in on a secret: Schannel and Secure Transport are weird beasts
and not at easy to get to do what you want as some of the other TLS
libraries... That's just my opinion of course.

> it looks as if there is no way to convince the OSX certificate back end to
> accept such a certificate without bundling it with a signed application. Is
> it true?

What happens if you add the CA cert to the normal CA bundle and use that?
Doesn't that work?

> Why is Darwin back-end refusing the self-signed certificate even if it has
> been marked as trusted in the keychain?

I don't know. Debug and find out?

> Shouldn't libcurl offer a switch to disable revocation check of self-signed
> certificates?

libcurl doesn't know "self-signed". but you can ask it to disable revocation

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features

Received on 2021-04-11