Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: self signed certificates evaluation fails on Windows and OSX using the system provided back end
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 11 Apr 2021 00:05:00 +0200 (CEST)
On Wed, 7 Apr 2021, Vojtěch Bubník via curl-library wrote:
> since we switched libcurl to use the system provided back-end, self-signed
> certificates evaluation fails on Windows and OSX.
I'll let you in on a secret: Schannel and Secure Transport are weird beasts
and not at easy to get to do what you want as some of the other TLS
libraries... That's just my opinion of course.
> it looks as if there is no way to convince the OSX certificate back end to
> accept such a certificate without bundling it with a signed application. Is
> it true?
What happens if you add the CA cert to the normal CA bundle and use that?
Doesn't that work?
> Why is Darwin back-end refusing the self-signed certificate even if it has
> been marked as trusted in the keychain?
I don't know. Debug and find out?
> Shouldn't libcurl offer a switch to disable revocation check of self-signed
> certificates?
libcurl doesn't know "self-signed". but you can ask it to disable revocation
checks with CURLOPT_SSL_OPTIONS's CURLSSLOPT_NO_REVOKE bit.
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-04-11
Date: Sun, 11 Apr 2021 00:05:00 +0200 (CEST)
On Wed, 7 Apr 2021, Vojtěch Bubník via curl-library wrote:
> since we switched libcurl to use the system provided back-end, self-signed
> certificates evaluation fails on Windows and OSX.
I'll let you in on a secret: Schannel and Secure Transport are weird beasts
and not at easy to get to do what you want as some of the other TLS
libraries... That's just my opinion of course.
> it looks as if there is no way to convince the OSX certificate back end to
> accept such a certificate without bundling it with a signed application. Is
> it true?
What happens if you add the CA cert to the normal CA bundle and use that?
Doesn't that work?
> Why is Darwin back-end refusing the self-signed certificate even if it has
> been marked as trusted in the keychain?
I don't know. Debug and find out?
> Shouldn't libcurl offer a switch to disable revocation check of self-signed
> certificates?
libcurl doesn't know "self-signed". but you can ask it to disable revocation
checks with CURLOPT_SSL_OPTIONS's CURLSSLOPT_NO_REVOKE bit.
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-04-11