
curl-library

Re: libcurl with Darwin SSL and self-signed certificates

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Tue, 20 Aug 2013 13:17:01 -0600

On Aug 20, 2013, at 11:44 AM, Arun Victor <AVictor_at_flexerasoftware.com> wrote:

>> I did, obviously. It worked for me.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> How did you add the cert to the Keychain, and to which Keychain did you add it? I tried adding it (in PEM format) to various Keychains via Keychain Access to no avail.

I visited the site in Safari, and marked the certificate as always trusted for SSL and X.509 basic policy. Safari then set the certificate in my user login keychain, and both it and curl accepted the certificate from then on out.

>> If this site is a Web site, one other thing you could try is visiting the site in Safari. You'll see a security panel indicating that the site's certificate is not trusted. Check the "always trust" check box and proceed. Safari ought to save the certificate in the keychain and set the permissions correctly.
>
> I expected this behavior too, but Safari simply keeps saying "Safari can't establish a secure connection to the server xxx"
> After adding the cert to the Keychain(s), I figured I should be able to access the site via Safari, and thus communicate with it via libcurl (so Safari access was my litmus test).

If you connected to it in Safari, and told it to always trust the certificate and proceed, and it still did not trust the certificate after a quit and relaunch, then I think something is wrong with your user keychain, since it works as expected for me. Try it on a different user account.

> I was able to access the site via Firefox though (from the same Mac); as expected, the security warning showed up in Firefox and I could get to the site after accepting the cert. I could then see the cert in FF's list, but not in any of the Keychains... Guessing FF maintains its own store and doesn't use Keychains?

Correct. Firefox uses NSS for TLS, and NSS has its own security database that is separate from Apple's.

Nick Zitzmann
<http://www.chronosnet.com/>

Received on 2013-08-20