
Re: Connections fail on iOS with Secure Transport

From: Andrew Patterson via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 3 Oct 2023 11:33:54 -0400

> > That's odd, because I did not specify anything on iOS (in code or when
> > building libcurl); I do on Android, but I have no idea where the system
> > certificates are located on iOS. Do I disable that by explicitly setting
> > CURLOPT_CAINFO to the empty string?
>
> Yes, try setting it to NULL.

So I tried this like so:

curl_easy_setopt(curl_handle, CURLOPT_CAPATH, nullptr);
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, nullptr);

but I still get this:

  Trying [redacted]:443...
Connected to [redacted] ([redacted]) port 443 (#0)
ALPN, offering http/1.1
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
Closing connection 0

I tried setting it to the empty string in case that was what you meant:

curl_easy_setopt(curl_handle, CURLOPT_CAPATH, "");
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "");

But that results in this:

Debug: Trying [redacted]:443...
Debug: Connected to [redacted] ([redacted]) port 443 (#0)
Debug: ALPN, offering http/1.1
Debug: error setting certificate verify locations: CAfile: CApath:
Debug: Closing connection 0

So I assume you really meant NULL! Unfortunately, setting them both to NULL
doesn't work, though at least it looks more like it's trying. The error I
get in that case -- "self signed certificate in certificate chain" is the
same error I was getting on Android before I was able to point it at the
right location so I assume that means libcurl isn't finding the iOS
certificates? Maybe it's falling back on build defaults (e.g. /etc/ssl/)?

I appreciate the help so far, I'm willing to try any further suggestions!

Sincerely,
Andrew Patterson


Received on 2023-10-03