Re: Connections fail on iOS with Secure Transport
From: Andrew Patterson via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 2 Oct 2023 08:45:57 -0400
Thanks so much for the replies!
> Unfortunately, silver bullets are rare. Secure Transport does not support
> TLS 1.3 which also might trigger some issues for you going forward.
> Apple themselves have given up on Secure Transport and moved on. It is only
> provided for legacy.
I appreciate this! So, don't use that. Easy enough, I'll just go back to
using OpenSSL. I thought Secure Transport might be the answer because of
this page:
https://curl.se/docs/install.html
It says in the 'Apple Platforms' section that the modern approach was to
use Secure Transport. Should that be updated?
> That error is because CURLOPT_CAINFO was set to a certificate bundle
> that can't be loaded. [1][2] If you want to use the OS cert store
> instead you'll have to disable that option. From the doc, regarding
> secure transport, "If the option is not set, then curl uses the
> certificates in the system and user Keychain to verify the peer."
>
> [1]: https://github.com/curl/curl/blob/curl-8_3_0/lib/vtls/sectransp.c#L1991-L2000
> [2]: https://curl.se/libcurl/c/CURLOPT_CAINFO.html
That's odd, because I did not specify anything on iOS (in code or when
building libcurl); I do on Android, but I have no idea where the system
certificates are located on iOS. Do I disable that by explicitly setting
CURLOPT_CAINFO to the empty string? I assumed I'd have to find and specify
the iOS store manually but I couldn't find anything in searches for where
the certificates might be.
Sincerely,
Andrew Patterson
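
As an added example (not part of the original message and not curl's own code), here is a pre-flight check an application could run on the path it intends to pass as CURLOPT_CAINFO, so that a bundle that cannot be loaded is reported before the transfer starts. The function names, status values and sample paths are assumptions made for the illustration; the check only looks for PEM markers and does not validate the certificates.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum ca_status { CA_OK, CA_UNSET, CA_NOT_A_FILE, CA_UNREADABLE, CA_NO_CERTS };

/* Classify a candidate CA bundle path before giving it to CURLOPT_CAINFO. */
enum ca_status check_ca_bundle(const char *path)
{
  struct stat st;
  char line[256];
  int certs = 0;
  FILE *f;

  if(!path || !*path)
    return CA_UNSET;                 /* nothing configured */
  if(stat(path, &st) != 0 || !S_ISREG(st.st_mode))
    return CA_NOT_A_FILE;            /* missing, or a directory */
  f = fopen(path, "r");
  if(!f)
    return CA_UNREADABLE;            /* e.g. permissions or sandbox */
  while(fgets(line, sizeof(line), f))
    if(strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0)
      certs++;                       /* count PEM certificate blocks */
  fclose(f);
  return certs ? CA_OK : CA_NO_CERTS;
}

/* Helper for the demo: write constructed text to a file, 0 on success. */
int write_text(const char *path, const char *text)
{
  FILE *f = fopen(path, "w");
  if(!f)
    return -1;
  fputs(text, f);
  return fclose(f);
}

int main(void)
{
  static const char *names[] = { "ok", "unset", "not a file", "unreadable", "no certificates" };
  const char *demo = "demo-ca.pem";  /* constructed sample path and content */
  write_text(demo, "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n");
  printf("%s: %s\n", demo, names[check_ca_bundle(demo)]);
  printf("(missing): %s\n", names[check_ca_bundle("/no/such/cacert.pem")]);
  /* CA_OK: curl_easy_setopt(curl, CURLOPT_CAINFO, path);
     CA_UNSET: leave the option unset; anything else: fail and log. */
  remove(demo);
  return 0;
}
```

Treating every status other than CA_OK and CA_UNSET as a hard error keeps a misconfigured bundle path from silently changing which trust store verifies the peer.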
Received on 2023-10-02