cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] Handle --cacert option on Mac OS X with darwinssl

From: Toby Peterson <toby_at_apple.com>
Date: Wed, 07 May 2014 15:10:17 -0700

On Apr 22, 2014, at 23:30, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Tue, 22 Apr 2014, Nick Zitzmann wrote:
>
>> I've skimmed over it, and I'm reluctant to include it in the next point release, mainly because this is a huge change to secure code used by millions of people[1], and we've already learned in the past two months how a single line in supposedly secure code can cause a huge security hole (see "goto fail" and Heartbleed).
>>
>> We ought to consider this for a future release, though. Thanks for the patch.
>
> Any suggestions on how we'd proceed to merge it? It is right now 231 new lines of code.
>
> We should consider what test cases we have that would run this code, or rather what tests we can and should add to increase our chances of detecting problems.
>
> Also, once we merge it people (on Mac at least) can use clang-analyzer etc to staticly analyze the code for possible flaws.
>
>> it's a core component of OS X starting in Mavericks
>
> I recognize that and I think it is awesome. But we also can't make that fact scare us away from doing/adding good stuff. Plus the fact that Apple is in fact deciding for themselves what to do with their OS and they're more than welcome to come forward and help us test and improve things!

Indeed - curl is widely used around the world; I certainly wouldn't shy away from implementing new things just because Apple is using it too. curl has been an extremely reliable piece of software over the years, and I have no doubt that will continue to be the case.

The patch looks reasonable to me. Given that it is functionality that currently doesn't work at all, I don't see the harm - as long as it isn't falsely verifying certificates. I'm happy to test changes like this, time permitting.

- Toby (curl maintainer at Apple)

>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-05-08