curl-library

Re: Libcurl Darwin SSL Errors

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 14 Nov 2017 16:07:39 -0500

On 11/14/2017 3:56 PM, Kelly Graus wrote:
>
>
>> On Nov 14, 2017, at 1:10 PM, Ray Satiro via curl-library
>> <curl-library_at_cool.haxx.se> wrote:
>>
>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>> I’ve been using libcurl in an OS X app for several years, linking
>>> against the system provided dynamic library.  Recently we wanted to
>>> add the ability to do a multipart form post, which requires a newer
>>> version of libcurl than is provided by Apple.  So I downloaded the
>>> source and compiled it using the following options:
>>>
>>> ./configure --prefix=/usr/local/curl --with-darwinssl --enable-static --disable-ldap --disable-ldaps
>>>
>>> I then link against the static library that is built, and everything
>>> works great.
>>>
>>> However, when I build a release and run it on a different machine, I
>>> receive the following error whenever I try to download a file using
>>> HTTPS: “Problem with the SSL CA cert (path? access rights?).”
>>>
>>> I’ve tried it on two test machines, both of which are running
>>> slightly older versions of OS X than what I used to compile with
>>> (10.11 and 10.12, where I’m using 10.13).  I don’t have another
>>> 10.13 machine right now to test if this is related to the OS version.
>>
>> What is the curl_version()? And turn on CURLOPT_VERBOSE [1] to check for
>> relevant information.
>>
>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
>
> Using curl_version_info, I get the following:
>
> libcurl 7.56.1
> ssl: SecureTransport
> host: x86_64-apple-darwin17.2.0
> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps,
> pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file,
> NTLM-WB, Unix Sockets
>
> With verbose output enabled, I see the underlying error is “SSL: can't
> load CA certificate file /etc/ssl/cert.pem.”  I’ve verified that this
> file is missing on the machines that don’t work.  I’m looking into
> where those files are supposed to be from, but if anyone knows it
> would be greatly appreciated!

That type is tiny, I can barely read it. There is only one place it fails
with that error in darwinssl.c:

https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671

... and that would only happen if cafile was set, which would only happen
if CURLOPT_CAINFO [1] was set in your program or configure set a default
location, but iirc darwinssl is supposed to use Apple's built-in
certificate store by default.

[1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html

Received on 2017-11-14
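
The failure discussed in this thread comes from a CA file path that is set but does not exist on the target machine. As an added example (not code from the thread or from curl), the C sketch below vets such a path before an application passes it to CURLOPT_CAINFO; `check_ca_bundle` and `cainfo_or_null` are hypothetical helper names, and the PEM marker test is only a sanity check, not certificate validation.

```c
/* Added example (not curl source): vet a CA bundle path before passing it
 * to CURLOPT_CAINFO, so a missing default is reported by the app itself. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

typedef enum { CA_UNSET, CA_OK, CA_MISSING, CA_NOT_FILE,
               CA_UNREADABLE, CA_NO_PEM } ca_status;

/* Hypothetical helper: classify the file a CA path points at. */
ca_status check_ca_bundle(const char *path)
{
    static const char marker[] = "-----BEGIN CERTIFICATE-----";
    struct stat st;
    char line[256];
    ca_status result = CA_NO_PEM;   /* until a PEM block is seen */
    FILE *fp;

    if (path == NULL || *path == '\0')
        return CA_UNSET;            /* no CA file configured */
    if (stat(path, &st) != 0)
        return CA_MISSING;          /* absent, or directory not searchable */
    if (!S_ISREG(st.st_mode))
        return CA_NOT_FILE;         /* e.g. a directory */
    if ((fp = fopen(path, "r")) == NULL)
        return CA_UNREADABLE;       /* exists, but access rights deny it */
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, marker, sizeof marker - 1) == 0) {
            result = CA_OK;
            break;
        }
    }
    fclose(fp);
    return result;
}

/* Hypothetical helper: value to hand to CURLOPT_CAINFO. NULL leaves the
 * CA file unset; the reply above recalls darwinssl then using Apple's store. */
const char *cainfo_or_null(const char *path)
{
    return check_ca_bundle(path) == CA_OK ? path : NULL;
}

int main(void)
{
    const char *path = "/etc/ssl/cert.pem";   /* path from the error above */
    printf("%s -> status %d\n", path, (int)check_ca_bundle(path));
    return 0;
}
```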