

Re: Libcurl Darwin SSL Errors

From: Ray Satiro via curl-library
Date: Tue, 14 Nov 2017 16:07:39 -0500

On 11/14/2017 3:56 PM, Kelly Graus wrote:
>> On Nov 14, 2017, at 1:10 PM, Ray Satiro via curl-library wrote:
>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>> I’ve been using libcurl in an OS X app for several years, linking
>>> against the system provided dynamic library.  Recently we wanted to
>>> add the ability to do a multipart form post, which requires a newer
>>> version of libcurl than is provided by Apple.  So I downloaded the
>>> source and compiled it using the following options:
>>> ./configure --prefix=/usr/local/curl --with-darwinssl
>>> --enable-static --disable-ldap --disable-ldaps
>>> I then link against the static library that is built, and everything
>>> works great.
>>> However, when I build a release and run it on a different machine, I
>>> receive the following error whenever I try to download a file using
>>> HTTPS: "Problem with the SSL CA cert (path? access rights?).”
>>> I’ve tried it on two test machines, both of which are running
>>> slightly older versions of OS X than what I used to compile with
>>> (10.11 and 10.12, where I’m using 10.13).  I don’t have another
>>> 10.13 machine right now to test if this is related to the OS version.
>> What is the curl_version() and turn on CURLOPT_VERBOSE [1] to check for
>> relevant information.
>> [1]:
> Using curl_version_info, I get the following:
> libcurl 7.56.1
> ssl: SecureTransport
> host: x86_64-apple-darwin17.2.0
> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps,
> pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file,
> NTLM-WB, Unix Sockets
> With verbose output enabled, I see the underlying error is "SSL: can't
> load CA certificate file /etc/ssl/cert.pem.”  I’ve verified that this
> file is missing on the machines that don’t work.  I’m looking into
> where those files are supposed to be from, but if anyone knows it
> would be greatly appreciated!

That type is tiny, I can barely read it. There is only one place it fails
with that error in darwinssl.c

.... and that would only happen if cafile was set which would only happen
if CURLOPT_CAINFO [1] was set in your program or configure set a default
location but iirc darwinssl is supposed to use Apple's built-in
certificate store by default.


Received on 2017-11-14
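
One way to check the second possibility raised in the reply above (configure having set a default CA file location at build time) is to ask the build's own `curl-config` which path it recorded and test that path on the target machine. This is an added example, not code from the thread or from the curl project; the function names `check_ca_default` and `report_build` are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the default CA bundle
# path that a libcurl build recorded at configure time.

# check_ca_default PATH
# Prints one of: none | ok | missing | unreadable
check_ca_default() {
    ca_path=$1
    if [ -z "$ca_path" ]; then
        # No file path built in. Per the thread, darwinssl is then
        # expected to fall back to Apple's certificate store.
        echo "none"
    elif [ ! -e "$ca_path" ]; then
        # The case from the thread: the path exists on the build machine
        # but not on the machine the release runs on.
        echo "missing"
    elif [ ! -r "$ca_path" ]; then
        echo "unreadable"
    else
        echo "ok"
    fi
}

# report_build [CURL_CONFIG]
# CURL_CONFIG is the curl-config script installed with the build under
# test (assumption: it was installed next to the library).
# Returns 0 when the built-in default is usable or absent, 1 when it
# points at a file this machine cannot load, 2 when curl-config is missing.
report_build() {
    cfg=${1:-curl-config}
    if ! command -v "$cfg" >/dev/null 2>&1; then
        echo "curl-config not found: $cfg" >&2
        return 2
    fi
    # "curl-config --ca" prints the CA bundle path chosen by configure,
    # or an empty line when none was set.
    ca=$("$cfg" --ca)
    status=$(check_ca_default "$ca")
    echo "default CA bundle: ${ca:-<none>} ($status)"
    [ "$status" = "ok" ] || [ "$status" = "none" ]
}
```

With the `--prefix=/usr/local/curl` build quoted above, the call would be `report_build /usr/local/curl/bin/curl-config`, assuming the default install layout.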