
curl-library

Re: A darwinssl-related bug again

From: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
Date: Wed, 3 Sep 2014 11:55:12 +0200

On Wed, Sep 3, 2014 at 1:16 AM, Toby Peterson <toby_at_apple.com> wrote:
> On Aug 29, 2014, at 03:55, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>
>> On Fri, Aug 29, 2014 at 1:56 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>>>
>>> On Aug 28, 2014, at 6:02 PM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>
>>>> The comment about wildcard certificates was a red herring it seems.
>>>>
>>>> The problem is that if the user via --cacert supplies a certificate
>>>> bundle with multiple CA certificates in it, curl_darwinssl.c will only
>>>> use the first one.
>>>>
>>>> For a fix, see https://github.com/ldx/curl/tree/darwinsslfix
>>>>
>>>> Can someone confirm this works? I tested it on OS X 10.9 with
>>>> - the cacerts.pem bundle from the ticket,
>>>> - a cert file containing only one cert and
>>>> - a DER cert file.
>>>
>>> Great! I can confirm that this works with the PEM bundle in the bug report.
>>>
>>> Could you please clean up the compiler warnings, fix the code style issues (which you can see by building the project with --enable-debug specified), remove the "SSL: parsing CA certificate file" and "SSL: certificate verification succeeded" verbose log messages, and then submit a pull request?
>>
>> Here it is:
>>
>> https://github.com/bagder/curl/pull/114
>>
>> Thanks Nick!
>
> Quick followup. 4c134bc seems to function as intended - thanks! However, the second change (0426670) breaks the build on iOS, because SecCertificateCopyPublicKey is not available. I'm not aware of a good replacement, unfortunately. #ifdef'ing that check out works, of course.

The only reason for using SecCertificateCopyPublicKey() is to check if
the CA certificate was valid. Let me try some other
SecCertificateCopy*() functions that are available on iPhone to see if
they also catch invalid certificates.

Vilmos

> - Toby
>
>>
>> Cheers,
>> Vilmos
>>
>>> Thanks!
>>>
>>> Nick Zitzmann
>>> <http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-03
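Added example, not curl's code and not from the thread: a small Python loader that returns every certificate in a --cacert style input (a PEM bundle with several CA certificates, or a single DER file), so a check on its length reveals how many trust anchors a backend that only keeps the first certificate would silently drop. The sample bundle bodies are constructed base64, not real certificates; function names are assumptions.

```python
import base64
import re

# One PEM certificate block; re.S lets the body span lines. Text between
# blocks (OpenSSL's cacert.pem carries comments there) is ignored.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def load_ca_bundle(data: bytes) -> list[bytes]:
    """Return every certificate in `data` as raw DER bytes.

    A PEM bundle may hold many certificates; a DER file holds exactly one
    and starts with the ASN.1 SEQUENCE tag 0x30.
    """
    if b"-----BEGIN CERTIFICATE-----" in data:
        blocks = PEM_BLOCK.findall(data)
        if not blocks:
            raise ValueError("PEM header present but no complete certificate block")
        # Strip line breaks inside the body before decoding; validate=True
        # rejects stray non-base64 characters instead of skipping them.
        return [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    if data[:1] == b"\x30":
        return [data]
    raise ValueError("input is neither PEM nor DER")


def dropped_by_first_only(data: bytes) -> int:
    """How many trust anchors a loader that keeps only the first cert loses."""
    return len(load_ca_bundle(data)) - 1


# Constructed sample bundle (assumption): arbitrary base64 bodies, not real
# certificates, so only the splitting logic is exercised.
SAMPLE_BUNDLE = b"""# Trust anchor 1
-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----
# Trust anchor 2: lost by a first-block-only loader
-----BEGIN CERTIFICATE-----
MIIBBBBB
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    certs = load_ca_bundle(SAMPLE_BUNDLE)
    print(len(certs), "certificates in bundle,",
          dropped_by_first_only(SAMPLE_BUNDLE), "would be dropped")
```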