Re: for wildcard certificates, different platforms behaving differently

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Wed, 11 May 2016 17:54:23 -0500

On May 11, 2016, at 4:46 PM, Daniel Stenberg <daniel@haxx.se> wrote:

> Is this using Apple's version of curl? If so, I would suggest you report this as a bug to Apple too (I think it could help to get traction from their end).
>
> It could even be considered a possible security problem.

I agree that this is an Apple bug, and it should be filed at <https://bugreport.apple.com/>.

> This said, I can't yet rule out that the bug isn't somewhere in our use of the SecureTransport APIs...

Our use of the APIs does not do any manual trust evaluation, except in the unusual situation where a stand-alone certificate or bundle is provided, and then it goes through the same API as the general use case. In general use, libcurl calls the Security framework's SSLHandshake() function, which internally calls SecTrustEvaluate(), which evaluates the server certificate chain against the certificates in the Keychain.

In general, if Safari will connect to the site without rejecting the certificate, then curl will do the same, since they both use the Security framework for TLS. So if both Safari and curl will connect to the site, then the problem exists at a lower level than curl.

Nick Zitzmann
<http://www.chronosnet.com/>
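Added example for readers of this thread (not curl's own Curl_cert_hostcheck, nor Apple's Security framework code): a wildcard dNSName matcher implementing the RFC 6125 section 6.4.3 rules that the platform's trust evaluation is responsible for in the setup Nick describes. The function name, the pattern/host pairs in main() and the rule set are assumptions constructed for illustration; platforms that disagree on wildcard certificates usually differ on exactly these edge cases (wildcard as a partial label, wildcard spanning several labels, too few labels to the right of the wildcard).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of equal length n. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Count the dot-separated labels in s[0..n). */
static size_t label_count(const char *s, size_t n)
{
    size_t c = 1;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '.')
            c++;
    return c;
}

/*
 * Return true if the certificate dNSName pattern `pat` (e.g. "*.example.com")
 * matches `host`, applying these RFC 6125 rules (hypothetical helper, not curl's):
 *  - a pattern without a leading "*." must equal the host, ignoring ASCII case,
 *    and a '*' anywhere else in the pattern is not treated as a wildcard;
 *  - a wildcard matches exactly one left-most label, never zero or several;
 *  - the part right of "*." must itself hold at least two labels, so "*.com"
 *    is refused rather than matching every .com host.
 */
bool wildcard_host_match(const char *pat, const char *host)
{
    size_t plen = strlen(pat), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return false;

    /* Tolerate one trailing dot (absolute name) on either side. */
    if (pat[plen - 1] == '.')
        plen--;
    if (host[hlen - 1] == '.')
        hlen--;

    if (plen < 2 || pat[0] != '*' || pat[1] != '.') {
        /* Literal name: exact, case-insensitive match only. */
        if (memchr(pat, '*', plen))
            return false;
        return plen == hlen && eq_nocase(pat, host, plen);
    }

    /* Pattern is "*.<suffix>": suffix must be wildcard-free with >= 2 labels. */
    const char *suffix = pat + 2;
    size_t slen = plen - 2;
    if (slen == 0 || memchr(suffix, '*', slen) || label_count(suffix, slen) < 2)
        return false;

    /* The host's first label stands in for '*': non-empty, and the rest must
     * equal the suffix exactly, so the wildcard never spans two labels. */
    const char *dot = memchr(host, '.', hlen);
    if (!dot || dot == host)
        return false;
    const char *rest = dot + 1;
    size_t rlen = hlen - (size_t)(dot - host) - 1;
    return rlen == slen && eq_nocase(rest, suffix, slen);
}

int main(void)
{
    /* Constructed sample pairs covering the edge cases platforms disagree on. */
    const char *pairs[][2] = {
        {"*.example.com", "www.example.com"},   /* matches */
        {"*.example.com", "a.b.example.com"},   /* wildcard spans two labels */
        {"*.example.com", "example.com"},       /* wildcard matches zero labels */
        {"*.com", "example.com"},               /* too few labels right of '*' */
        {"w*.example.com", "www.example.com"},  /* partial-label wildcard */
    };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("%-16s vs %-18s -> %s\n", pairs[i][0], pairs[i][1],
               wildcard_host_match(pairs[i][0], pairs[i][1]) ? "match" : "no match");
    return 0;
}
```

Of the five sample pairs only the first matches; a platform stack that accepts any of the other four is the kind of divergence the thread is chasing, and since libcurl on Apple platforms defers to SSLHandshake() for that decision, the check above is what you would expect the framework, not curl, to enforce.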
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-12