Re: Connections fail on iOS with Secure Transport
From: Andrew Patterson via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 3 Oct 2023 11:33:54 -0400
> > That's odd, because I did not specify anything on iOS (in code or when
> > building libcurl); I do on Android, but I have no idea where the system
> > certificates are located on iOS. Do I disable that by explicitly setting
> > CURLOPT_CAINFO to the empty string?
>
> Yes, try setting it to NULL.

So I tried this like so:

curl_easy_setopt(curl_handle, CURLOPT_CAPATH, nullptr);
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, nullptr);

but I still get this:

Trying [redacted]:443...
Connected to [redacted] ([redacted]) port 443 (#0)
ALPN, offering http/1.1
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
Closing connection 0

I tried setting it to the empty string in case that was what you meant:

curl_easy_setopt(curl_handle, CURLOPT_CAPATH, "");
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "");

But that results in this:

Debug: Trying [redacted]:443...
Debug: Connected to [redacted] ([redacted]) port 443 (#0)
Debug: ALPN, offering http/1.1
Debug: error setting certificate verify locations: CAfile: CApath:
Debug: Closing connection 0

So I assume you really meant NULL! Unfortunately, setting them both to NULL
doesn't work, though at least it looks more like it's trying. The error I
get in that case -- "self signed certificate in certificate chain" is the
same error I was getting on Android before I was able to point it at the
right location so I assume that means libcurl isn't finding the iOS
certificates? Maybe it's falling back on build defaults (e.g. /etc/ssl/)?

I appreciate the help so far, I'm willing to try any further suggestions!

Sincerely,
Andrew Patterson
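
The two logs in the message above stop at different points: with empty strings the transfer ends right after connect, while with NULL it reaches the server's Certificate message before being rejected. The following is an added example, not code from the original post or from the curl project, that triages libcurl verbose output along those lines; `triage_log()` and the enum names are hypothetical, and the sample lines are constructed from the logs quoted in the message.

```c
#include <stdio.h>
#include <string.h>
/* How far the exchange got, and why it ended, according to the verbose text. */
enum stage { ST_NONE, ST_CONNECTED, ST_CLIENT_HELLO, ST_SERVER_HELLO, ST_CERTIFICATE };
enum cause { C_UNKNOWN, C_CA_STORE_NOT_LOADED, C_CHAIN_NOT_TRUSTED };
struct triage { enum stage stage; enum cause cause; };

/* Hypothetical helper: classify libcurl verbose lines ("Debug: " prefix optional). */
struct triage triage_log(const char *const *lines, size_t n)
{
    struct triage t = { ST_NONE, C_UNKNOWN };
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strncmp(l, "Debug: ", 7) == 0) l += 7;
        if (strncmp(l, "Connected to ", 13) == 0)
            t.stage = ST_CONNECTED;
        else if (strstr(l, "TLS handshake, Client hello"))
            t.stage = ST_CLIENT_HELLO;
        else if (strstr(l, "TLS handshake, Server hello"))
            t.stage = ST_SERVER_HELLO;
        else if (strstr(l, "TLS handshake, Certificate"))
            t.stage = ST_CERTIFICATE;
        else if (strstr(l, "error setting certificate verify locations"))
            t.cause = C_CA_STORE_NOT_LOADED; /* CA file/path could not be loaded */
        else if (strstr(l, "SSL certificate problem:"))
            t.cause = C_CHAIN_NOT_TRUSTED;   /* handshake ran, chain was rejected */
    }
    return t;
}

/* Constructed samples, taken from the two logs in the message (host redacted). */
static const char *const LOG_NULL[] = {
    "Connected to [redacted] ([redacted]) port 443 (#0)",
    "TLSv1.2 (OUT), TLS handshake, Client hello (1):",
    "TLSv1.2 (IN), TLS handshake, Server hello (2):",
    "TLSv1.2 (IN), TLS handshake, Certificate (11):",
    "SSL certificate problem: self signed certificate in certificate chain",
};
static const char *const LOG_EMPTY[] = {
    "Debug: Connected to [redacted] ([redacted]) port 443 (#0)",
    "Debug: error setting certificate verify locations: CAfile: CApath:",
};

int main(void)
{
    struct triage a = triage_log(LOG_NULL, sizeof LOG_NULL / sizeof *LOG_NULL);
    struct triage b = triage_log(LOG_EMPTY, sizeof LOG_EMPTY / sizeof *LOG_EMPTY);
    printf("NULL: stage=%d cause=%d\nempty: stage=%d cause=%d\n",
           a.stage, a.cause, b.stage, b.cause);
}
```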
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2023-10-03