Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Connections fail on iOS with Secure Transport
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Ray Satiro via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 2 Oct 2023 03:17:07 -0400
On 10/1/2023 12:56 PM, Andrew Patterson via curl-library wrote:
> We've been using libcurl for years but for a long time we were running
> with peer validation disabled. I know that's terrible, and it wasn't
> my decision, but I'm attempting to remedy it now.
>
> It took a couple of hours, but I figured out how to get SSL working
> correctly with libcurl on Android, but I've been stymied on iOS. We
> were linking it with OpenSSL (like on Android) but I couldn't figure
> out where to find the certificates on iOS. I know I could upload the
> cacert.pem from the libcurl website, but I'd like to get this working
> in a way that doesn't require us to keep updating the certificates if
> I could.
>
> To that end, one of my colleagues wondered why we weren't just using
> the Secure Transport option -- and that seemed like a good question. I
> had no problem building it (We use CMake, so I
> added -DCMAKE_USE_SECTRANSP=ON) but I still can't connect when
> attempting a network connection with peer verification enabled. I'm
> very confident that the secure transport code is being utilized,
> because the error message (see below) comes from lib/vtls/sectransp.c.
>
> I hooked up the debug callback and got this (text only):
>
> Trying [REDACTED]:443...
> Debug: Connected to [REDACTED] ([REDACTED]) port 443 (#0)
> Debug: ALPN, offering http/1.1
> Debug: SSL: can't load CA certificate file /etc/ssl/cert.pem
> Debug: Closing connection 0
>
> Additional information: curlResult was 77.
>
> Any idea what I'm doing wrong? I really thought switching to Secure
> Transport would be the silver bullet so I'd appreciate any
> suggestions, regardless of whether they're build step or code related!
That error is because CURLOPT_CAINFO was set to a certificate bundle
that can't be loaded. [1][2] If you want to use the OS cert store
instead you'll have to disable that option. From the doc, regarding
secure transport, "If the option is not set, then curl uses the
certificates in the system and user Keychain to verify the peer."
[1]:
https://github.com/curl/curl/blob/curl-8_3_0/lib/vtls/sectransp.c#L1991-L2000
[2]: https://curl.se/libcurl/c/CURLOPT_CAINFO.html
Date: Mon, 2 Oct 2023 03:17:07 -0400
On 10/1/2023 12:56 PM, Andrew Patterson via curl-library wrote:
> We've been using libcurl for years but for a long time we were running
> with peer validation disabled. I know that's terrible, and it wasn't
> my decision, but I'm attempting to remedy it now.
>
> It took a couple of hours, but I figured out how to get SSL working
> correctly with libcurl on Android, but I've been stymied on iOS. We
> were linking it with OpenSSL (like on Android) but I couldn't figure
> out where to find the certificates on iOS. I know I could upload the
> cacert.pem from the libcurl website, but I'd like to get this working
> in a way that doesn't require us to keep updating the certificates if
> I could.
>
> To that end, one of my colleagues wondered why we weren't just using
> the Secure Transport option -- and that seemed like a good question. I
> had no problem building it (We use CMake, so I
> added -DCMAKE_USE_SECTRANSP=ON) but I still can't connect when
> attempting a network connection with peer verification enabled. I'm
> very confident that the secure transport code is being utilized,
> because the error message (see below) comes from lib/vtls/sectransp.c.
>
> I hooked up the debug callback and got this (text only):
>
> Trying [REDACTED]:443...
> Debug: Connected to [REDACTED] ([REDACTED]) port 443 (#0)
> Debug: ALPN, offering http/1.1
> Debug: SSL: can't load CA certificate file /etc/ssl/cert.pem
> Debug: Closing connection 0
>
> Additional information: curlResult was 77.
>
> Any idea what I'm doing wrong? I really thought switching to Secure
> Transport would be the silver bullet so I'd appreciate any
> suggestions, regardless of whether they're build step or code related!
That error is because CURLOPT_CAINFO was set to a certificate bundle
that can't be loaded. [1][2] If you want to use the OS cert store
instead you'll have to disable that option. From the doc, regarding
secure transport, "If the option is not set, then curl uses the
certificates in the system and user Keychain to verify the peer."
[1]:
https://github.com/curl/curl/blob/curl-8_3_0/lib/vtls/sectransp.c#L1991-L2000
[2]: https://curl.se/libcurl/c/CURLOPT_CAINFO.html
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2023-10-02