cURL cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[curl:bugs] #1404 Certificate verification fails using DarwinSSL

From: Tzu <tzudot_at_users.sf.net>
Date: Mon, 11 Aug 2014 17:17:58 +0000

On the latest git HEAD, ssl negotiation is working fine with https://www.apple.com and few others but fails with many other services such as heroku.com, duckduckgo.com, github.com, twilio.com or encrypted.google.com.

    * cb1f186 (HEAD, origin/master, origin/HEAD, master) docs/SSLCERTS: update the section about NSS database

I have built curl from source with git HEAD at cb1f186.

>~/D/G/curl git:master ❯❯❯ src/curl -v https://encrypted.google.com
>* Rebuilt URL to: https://encrypted.google.com/
>* Hostname was NOT found in DNS cache
>* Trying 173.194.39.14...
>* Trying 2a00:1450:4005:809::1004...
>* Immediate connect fail for 2a00:1450:4005:809::1004: No route to host
>* Connected to encrypted.google.com (173.194.39.14) port 443 (#0)
>* SSL: certificate verification failed (result: 5)
>* Closing connection 0
>curl: (51) SSL: certificate verification failed (result: 5)

---
** [bugs:#1404] Certificate verification fails using DarwinSSL**
**Status:** pending-needsinfo
**Labels:** DarwinSSL 
**Created:** Tue Aug 05, 2014 06:18 PM UTC by Tzu
**Last Updated:** Mon Aug 11, 2014 06:52 AM UTC
**Owner:** nobody
Curl release version 7.37.1 broke SSL negotiation using DarwinSSL. This worked fine on version 7.37.0. As suggested to me earlier on the irc channel, I have built curl from git repository to do a git bisect.

Environment details:
> OS: Mac OS X 10.9.4 (Darwin Kernel Version 13.3.0)
> clang: Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)

    ~/curl ❯❯❯ src/curl --version 
    curl 7.38.0-DEV (x86_64-apple-darwin13.3.0) libcurl/7.38.0-DEV SecureTransport zlib/1.2.5    libidn/1.28 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

    ~/curl ❯❯❯ src/curl -v https://somedomain.com/path

    * Hostname was NOT found in DNS cache
    *   Trying 54.197.232.19...
    * Connected to somedomain.com (54.197.232.19) port 443 (#0)
    * SSL: certificate verification failed (result: 5)
    * Closing connection 0

After doing a git bisect on the repository starting from 7.37.0 to 7.37.1,

> ~/curl git:bisect/good-c6d5f80d8b6ec795a3f88833d6f7c471fe8f2b4c:bisect ❯❯❯ git bisect good
> cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7 is the first bad commit
> commit cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7
> Author: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
> Date:   Thu Apr 17 07:03:05 2014 -0700

>    Add support for --cacert in DarwinSSL.

>    Security Framework on OS X makes it possible to supply extra anchor (CA)
>    certificates via the Certificate, Key, and Trust Services API. This
>    commit makes the '--cacert' option work using this API.

>    More information:
     > https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html


>    The HTTPS tests now pass on OS X except 314, which requires the '--crl' option to work.

> :040000 040000 ff22873e78147e1085203d748d4356bfcb07527e 11e40c9c116e53483e4fdac92b19e3761ae7fe47 M      lib
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.
Received on 2014-08-11

These mail archives are generated by hypermail.