curl-library

Re: A darwinssl-related bug again

From: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
Date: Wed, 3 Sep 2014 12:41:37 +0200

On Wed, Sep 3, 2014 at 11:55 AM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
> On Wed, Sep 3, 2014 at 1:16 AM, Toby Peterson <toby_at_apple.com> wrote:
>> On Aug 29, 2014, at 03:55, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>
>>> On Fri, Aug 29, 2014 at 1:56 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:
>>>>
>>>> On Aug 28, 2014, at 6:02 PM, Vilmos Nebehaj <v.nebehaj_at_gmail.com> wrote:
>>>>
>>>>> The comment about wildcard certificates was a red herring it seems.
>>>>>
>>>>> The problem is that if the user via --cacert supplies a certificate
>>>>> bundle with multiple CA certificates in it, curl_darwinssl.c will only
>>>>> use the first one.
>>>>>
>>>>> For a fix, see https://github.com/ldx/curl/tree/darwinsslfix
>>>>>
>>>>> Can someone confirm this works? I tested it on OS X 10.9 with
>>>>> - the cacerts.pem bundle from the ticket,
>>>>> - a cert file containing only one cert and
>>>>> - a DER cert file.
>>>>
>>>> Great! I can confirm that this works with the PEM bundle in the bug report.
>>>>
>>>> Could you please clean up the compiler warnings, fix the code style issues (which you can see by building the project with --enable-debug specified), remove the "SSL: parsing CA certificate file" and "SSL: certificate verification succeeded" verbose log messages, and then submit a pull request?
>>>
>>> Here it is:
>>>
>>> https://github.com/bagder/curl/pull/114
>>>
>>> Thanks Nick!
>>
>> Quick followup. 4c134bc seems to function as intended - thanks! However, the second change (0426670) breaks the build on iOS, because SecCertificateCopyPublicKey is not available. I'm not aware of a good replacement, unfortunately. #ifdef'ing that check out works, of course.
>
> The only reason for using SecCertificateCopyPublicKey() is to check if
> the CA certificate was valid. Let me try some other
> SecCertificateCopy*() functions that are available on iPhone to see if
> they also catch invalid certificates.

This PR fixes the issue:

https://github.com/bagder/curl/pull/116

Toby, can you test this compiles for iPhone? Thanks!

> Vilmos
>
>> - Toby
>>
>>>
>>> Cheers,
>>> Vilmos
>>>
>>>> Thanks!
>>>>
>>>> Nick Zitzmann
>>>> <http://www.chronosnet.com/>
>>>>
>>>> -------------------------------------------------------------------
>>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>>> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-03
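As an added example (not curl's code and not the fix in the pull requests above), here is the behaviour the bug report asks for, in C: a loader that walks a --cacert style PEM bundle and decodes every CERTIFICATE block to DER instead of stopping after the first, and that also accepts a lone DER file, i.e. the three inputs Vilmos lists (multi-cert bundle, single-cert PEM, DER). The sample bundle, its base64 payloads (tiny ASN.1 stand-ins, not real X.509 certificates) and the names load_ca_bundle, sample_bundle_cert_count and sample_bundle_byte are assumptions of this example, not anything from curl_darwinssl.c.

```c
/* Added example, not code from curl or its darwinssl backend.  It does the
 * one thing the bug report says the backend did not: decode *every*
 * CERTIFICATE block of a --cacert bundle, not just the first.  A single raw
 * DER file is accepted too.  The bundle at the bottom is constructed and its
 * payloads are minimal ASN.1 SEQUENCEs standing in for certificates. */
#include <stddef.h>
#include <string.h>

#define MAX_DER 4096

typedef struct {
    unsigned char der[MAX_DER];
    size_t len;
} der_cert;

static const char PEM_BEGIN[] = "-----BEGIN CERTIFICATE-----";
static const char PEM_END[]   = "-----END CERTIFICATE-----";

/* Bounded search: a DER file may contain NUL bytes, so strstr is not safe here. */
static const char *find(const char *p, const char *stop, const char *needle) {
    size_t n = strlen(needle);
    for (; (size_t)(stop - p) >= n; p++)
        if (memcmp(p, needle, n) == 0) return p;
    return NULL;
}

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 in [in, stop), skipping line breaks; -1 on a bad byte or overflow. */
static int b64decode(const char *in, const char *stop, unsigned char *out, size_t outmax) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; in < stop; in++) {
        int c = (unsigned char)*in;
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t') continue;
        if (c == '=') break;                 /* padding: nothing more to decode */
        int v = b64val(c);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;  /* only the low 14 bits are ever read */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outmax) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Load every certificate of a --cacert style file into out[]; returns the
 * number loaded, or -1 if a PEM block is truncated or not valid base64.
 * A bundle with more than max blocks is cut at max, so size out[] generously. */
int load_ca_bundle(const char *buf, size_t len, der_cert *out, int max) {
    const char *stop = buf + len;
    const char *p = find(buf, stop, PEM_BEGIN);
    int count = 0;

    if (!p) {
        /* No PEM armor: accept one raw DER certificate (ASN.1 SEQUENCE tag 0x30). */
        if (len == 0 || len > MAX_DER || (unsigned char)buf[0] != 0x30 || max < 1) return 0;
        memcpy(out[0].der, buf, len);
        out[0].len = len;
        return 1;
    }
    while (p && count < max) {
        const char *body = p + strlen(PEM_BEGIN);
        const char *end  = find(body, stop, PEM_END);
        if (!end) return -1;                 /* BEGIN without END: truncated bundle */
        int n = b64decode(body, end, out[count].der, MAX_DER);
        if (n <= 0) return -1;
        out[count].len = (size_t)n;
        count++;
        p = find(end + strlen(PEM_END), stop, PEM_BEGIN);   /* keep going: the bug was stopping here */
    }
    return count;
}

/* Constructed bundle in the layout of a cacerts.pem: a comment line, then two
 * certificates, the second split across lines as real bundles are. */
static const char SAMPLE_BUNDLE[] =
    "## Constructed CA bundle for this example, not a real trust store\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"                             /* 30 03 02 01 01 */
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMC\n"
    "AQI=\n"                                 /* 30 03 02 01 02 */
    "-----END CERTIFICATE-----\n";

/* How many certificates a backend sees in the sample bundle (2 when correct). */
int sample_bundle_cert_count(void) {
    der_cert certs[4];
    return load_ca_bundle(SAMPLE_BUNDLE, sizeof(SAMPLE_BUNDLE) - 1, certs, 4);
}

/* Byte off of certificate idx from the sample bundle, or -1 if out of range. */
int sample_bundle_byte(int idx, size_t off) {
    der_cert certs[4];
    int n = load_ca_bundle(SAMPLE_BUNDLE, sizeof(SAMPLE_BUNDLE) - 1, certs, 4);
    if (idx < 0 || idx >= n || off >= certs[idx].len) return -1;
    return certs[idx].der[off];
}
```

With the sample bundle the loader returns 2; a loader with the defect discussed in this thread returns 1 and never consults the CA in the second block, which is what makes the problem easy to miss: verification only fails for servers that chain to a CA that is not first in the file. To check a build, put the CA you need second in a two-certificate bundle passed via --cacert and confirm the connection still verifies.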