Re: System certificate store support in macOS

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 22 Aug 2025 13:18:48 +0200 (CEST)

On Fri, 22 Aug 2025, Ryan Carsten Schmidt wrote:

>> As a short-term work around, it is possible to use the LibreSSL shipped by
>> Apple to get the feature, but I don't consider that a very good or reliable
>> solution.
>
> Why? What's bad or unreliable about it?

Two reasons really:

1. Because Apple doesn't seem to enable this easily, it seems shaky to depend
    on and risks them changing things subtly that breaks a build.

2. The list of things LibreSSL doesn't do or doesn't support, that all the
    other OpenSSL already do, seems to be growing almost daily these days.
    Independent of it being the one Apple ships or not.

> I thought your justification for removing Secure Transport support was that
> support for native certificates via Apple's libressl was available.

The justification for removing Secure Transport is that it doesn't support TLS
1.3 and it never will.

> If not that, what should we be doing instead?

We should add support for using the native CA store on macOS to other
backends.

-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2025-08-22