cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] Handle --cacert option on Mac OS X with darwinssl

From: Vilmos Nebehaj <>
Date: Wed, 23 Apr 2014 12:12:45 +0200

On Wed, Apr 23, 2014 at 8:30 AM, Daniel Stenberg <> wrote:
> On Tue, 22 Apr 2014, Nick Zitzmann wrote:
>> I've skimmed over it, and I'm reluctant to include it in the next point
>> release, mainly because this is a huge change to secure code used by
>> millions of people[1], and we've already learned in the past two months how
>> a single line in supposedly secure code can cause a huge security hole (see
>> "goto fail" and Heartbleed).

No offense, but what will change if we just sit and wait? This is a
feature that is missing from cURL currently. There are also millions
of people using self-signed certificates. For them the only option
right now if they want to use cURL with Secure Transport is to
*disable* certificate verification. I'm not sure that's a good

>> We ought to consider this for a future release, though. Thanks for the
>> patch.
> Any suggestions on how we'd proceed to merge it? It is right now 231 new
> lines of code.
> We should consider what test cases we have that would run this code, or
> rather what tests we can and should add to increase our chances of detecting
> problems.

Test cases 310, 311, 312 and 313 already test --cacert. 313 still
fails since that requires --crlfile to work too (not implemented with
DarwinSSL - I plan to look into it later). These tests use an
stunnel-wrapped http server, so it means we test cURL+Secure Transport
against stunnel+OpenSSL using a PEM CA certificate - seems like a good
integration test. I can add a few more test cases that do the same
using the DER CA certificate (the patch makes sure both PEM and DER
certificates are handled).

> Also, once we merge it people (on Mac at least) can use clang-analyzer etc
> to staticly analyze the code for possible flaws.

Thanks, good idea. This is something I have not done, but I can check
what scan-build says after applying the patch.

>> it's a core component of OS X starting in Mavericks
> I recognize that and I think it is awesome. But we also can't make that fact
> scare us away from doing/adding good stuff. Plus the fact that Apple is in
> fact deciding for themselves what to do with their OS and they're more than
> welcome to come forward and help us test and improve things!

Is the system cURL compiled with Secure Transport support on
Mavericks? I only have a 10.8 box, on it it's still compiled with

> --
> /
> -------------------------------------------------------------------
> List admin:
> Etiquette:
List admin:
Received on 2014-04-23