curl-library

Re: A darwinssl-related bug again

From: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
Date: Thu, 28 Aug 2014 01:55:41 +0200

On Thu, Aug 28, 2014 at 1:29 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>
> On Aug 27, 2014, at 4:55 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>> Heya,
>>
>> Bug #1417 was just filed, identifying a client cert failure on Mac OS X using the darwinssl backend: https://sourceforge.net/p/curl/bugs/1417/
>
> This is not a bug. The darwinssl back-end does not support client certificates in PEM or DER format, because the Security framework function I need to make this work is private API. Only client certificates in P12 format are supported, and only in OS X 10.7 or later, because the Security framework does have a public API for importing a client certificate and private key in PKCS#12 format.
>
>> There's also still bug #1404 remaining, which is the darwinssl backend failing to verify the server (wildcard?) cert. Several people have chimed in there with the same problem. https://sourceforge.net/p/curl/bugs/1404/
>
> It looks like it only happens with a custom certificate bundle. I'll take a look.

This seems to be a problem with SecTrustEvaluate() returning
kSecTrustResultRecoverableTrustFailure. Probably it's only a matter of
calling SecTrustGetTrustResult() and checking for a more exact failure
code. I'll look into it.

> Nick Zitzmann
> <http://www.chronosnet.com/>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-08-28
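
The quoted reply above says the darwinssl back-end accepts client certificates only in P12 (PKCS#12) format. The following is an added example, not part of the thread or of curl's code, that bundles a PEM certificate and key into a P12 file with the `openssl` command-line tool and checks the result; the file names, the CN, the passphrase and the host `server.example` are constructed placeholders.

```shell
#!/bin/sh
# Added example: bundle a PEM client certificate and key into PKCS#12.
# All file names, the CN and the passphrase are constructed for illustration.

# pem_to_p12 CERT_PEM KEY_PEM OUT_P12
# The export passphrase is read from $P12_PASS so it never appears in argv.
pem_to_p12() {
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    (umask 077 && openssl pkcs12 -export \
        -in "$1" -inkey "$2" -out "$3" \
        -name "constructed client identity" -passout env:P12_PASS)
}

# p12_matches_cert P12 CERT_PEM
# Succeeds only if the bundle opens with $P12_PASS and carries the same
# certificate (compared by SHA-256 fingerprint) as CERT_PEM.
p12_matches_cert() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# make_constructed_identity DIR: throwaway self-signed cert + key for the demo.
make_constructed_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-client" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    P12_PASS="constructed-passphrase"; export P12_PASS
    make_constructed_identity "$dir" &&
        pem_to_p12 "$dir/cert.pem" "$dir/key.pem" "$dir/client.p12" &&
        p12_matches_cert "$dir/client.p12" "$dir/cert.pem" &&
        echo "client.p12 verified"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
# Usage with curl (server.example is a placeholder host):
#   curl --cert "client.p12:$P12_PASS" https://server.example/
```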