cURL / Mailing Lists / curl-library / Single Mail

curl-library

[curl:bugs] #1404 Certificate verification fails using DarwinSSL (fwd)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 6 Aug 2014 14:07:01 +0200 (CEST)

Hi friends!

We could use some Mac devs to check this out... It suggests commit cd2cedf002a
broke functionality in the darwinssl backend.

See https://sourceforge.net/p/curl/bugs/1404/

-- 
  / daniel.haxx.se
---------- Forwarded message ----------
** [bugs:#1404] Certificate verification fails using DarwinSSL**
**Status:** open
**Labels:** DarwinSSL 
**Created:** Tue Aug 05, 2014 06:18 PM UTC by Tzu
**Last Updated:** Tue Aug 05, 2014 06:18 PM UTC
**Owner:** nobody
Curl release version 7.37.1 broke SSL negotiation using DarwinSSL. This worked fine on version 7.37.0. As suggested to me earlier on the irc channel, I have built curl from git repository to do a git bisect.
Environment details:
> OS: Mac OS X 10.9.4 (Darwin Kernel Version 13.3.0)
> clang: Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
     ~/curl ❯❯❯ src/curl --version
     curl 7.38.0-DEV (x86_64-apple-darwin13.3.0) libcurl/7.38.0-DEV SecureTransport zlib/1.2.5    libidn/1.28 libssh2/1.4.3 librtmp/2.3
     Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
     Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz
     ~/curl ❯❯❯ src/curl -v https://somedomain.com/path
     * Hostname was NOT found in DNS cache
     *   Trying 54.197.232.19...
     * Connected to somedomain.com (54.197.232.19) port 443 (#0)
     * SSL: certificate verification failed (result: 5)
     * Closing connection 0
After doing a git bisect on the repository starting from 7.37.0 to 7.37.1,
> ~/curl git:bisect/good-c6d5f80d8b6ec795a3f88833d6f7c471fe8f2b4c:bisect ❯❯❯ git bisect good
> cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7 is the first bad commit
> commit cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7
> Author: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
> Date:   Thu Apr 17 07:03:05 2014 -0700
>    Add support for --cacert in DarwinSSL.
>    Security Framework on OS X makes it possible to supply extra anchor (CA)
>    certificates via the Certificate, Key, and Trust Services API. This
>    commit makes the '--cacert' option work using this API.
>    More information:
      > https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html
>    The HTTPS tests now pass on OS X except 314, which requires the '--crl' option to work.
> :040000 040000 ff22873e78147e1085203d748d4356bfcb07527e 11e40c9c116e53483e4fdac92b19e3761ae7fe47 M      lib

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-06