Re: System certificate store support in macOS
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 22 Aug 2025 08:37:32 +0200 (CEST)
On Thu, 21 Aug 2025, Jeff Mears via curl-library wrote:
> With the removal of the SecureTransport backend in libcurl 8.15.0, what is
> the path forward for using libcurl on macOS such that certificates in the
> system certificate store are accepted automatically? Is there some way to
> do that with the OpenSSL backend?
The idea is that other backends should support CURLSSLOPT_NATIVE_CA for macOS.
The flag for CURLOPT_SSL_OPTIONS that tells libcurl to use the native CA
store.
Right now however, only wolfSSL supports that.
In June, Ridley Combs submitted https://github.com/curl/curl/pull/17525 that
does this, but also a lot more and in discussions we concluded that we
primarily would like the CURLSSLOPT_NATIVE_CA part and maybe not so much the
rest. The work on that seems to have gone stale since then. Maybe someone can
extract the necessary pieces from there and carry on?
As a short-term workaround, it is possible to use the LibreSSL shipped by
Apple to get the feature, but I don't consider that a very good or reliable
solution.
--
 / daniel.haxx.se || https://rock-solid.curl.dev

Received on 2025-08-22