Connections fail on iOS with Secure Transport
From: Andrew Patterson via curl-library <curl-library_at_lists.haxx.se>
Date: Sun, 1 Oct 2023 12:56:22 -0400
Hello!

We've been using libcurl for years but for a long time we were running with
peer validation disabled. I know that's terrible, and it wasn't my
decision, but I'm attempting to remedy it now.

It took a couple of hours, but I figured out how to get SSL working
correctly with libcurl on Android, but I've been stymied on iOS. We were
linking it with OpenSSL (like on Android) but I couldn't figure out where
to find the certificates on iOS. I know I could upload the cacert.pem from
the libcurl website, but I'd like to get this working in a way that doesn't
require us to keep updating the certificates if I could.

To that end, one of my colleagues wondered why we weren't just using the
Secure Transport option -- and that seemed like a good question. I had no
problem building it (We use CMake, so I added -DCMAKE_USE_SECTRANSP=ON) but
I still can't connect when attempting a network connection with peer
verification enabled. I'm very confident that the secure transport code is
being utilized, because the error message (see below) comes
from lib/vtls/sectransp.c.

I hooked up the debug callback and got this (text only):

    Trying [REDACTED]:443...
    Debug: Connected to [REDACTED] ([REDACTED]) port 443 (#0)
    Debug: ALPN, offering http/1.1
    Debug: SSL: can't load CA certificate file /etc/ssl/cert.pem
    Debug: Closing connection 0

Additional information: curlResult was 77.

Any idea what I'm doing wrong? I really thought switching to Secure
Transport would be the silver bullet so I'd appreciate any suggestions,
regardless of whether they're build step or code related!

Thanks!

Sincerely,
Andrew Patterson
Received on 2023-10-01