
curl-tracker Archives

[curl:bugs] #1404 Certificate verification fails using DarwinSSL

From: demoboy <demoboy_at_users.sf.net>
Date: Tue, 19 Aug 2014 17:10:58 +0000

I am experiencing the same issue; however, I get it only when I attempt to verify the cert using the --cacert option.

Output of curl --version is:
    curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz


Running the following command works:
    curl -v https://accounts.google.com/o/oauth2/token

    * Hostname was NOT found in DNS cache
    * Trying 74.125.28.84...
    * Connected to accounts.google.com (74.125.28.84) port 443 (#0)
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    * Server certificate: accounts.google.com
    * Server certificate: Google Internet Authority G2
    * Server certificate: GeoTrust Global CA
    * Server certificate: Equifax Secure Certificate Authority
    > GET /o/oauth2/token HTTP/1.1
    > User-Agent: curl/7.37.1
    > Host: accounts.google.com
    > Accept: */*
    TRIMMED FOR CONTENT

However running the following command does not:
    curl -v --cacert ./cacerts.pem https://accounts.google.com/o/oauth2/token

    * Hostname was NOT found in DNS cache
    * Trying 74.125.28.84...
    * Connected to accounts.google.com (74.125.28.84) port 443 (#0)
    * SSL: certificate verification failed (result: 5)
    * Closing connection 0
    curl: (51) SSL: certificate verification failed (result: 5)

I have attached the cert that I am attempting to verify against. I have attempted this command with 7.37.0 and it works just fine...

Attachment: cacerts.pem (134.9 kB; application/x-x509-ca-cert)

---
** [bugs:#1404] Certificate verification fails using DarwinSSL**
**Status:** pending-needsinfo
**Labels:** DarwinSSL 
**Created:** Tue Aug 05, 2014 06:18 PM UTC by Tzu
**Last Updated:** Mon Aug 18, 2014 04:41 PM UTC
**Owner:** nobody
Curl release version 7.37.1 broke SSL negotiation using DarwinSSL. This worked fine on version 7.37.0. As suggested to me earlier on the irc channel, I have built curl from git repository to do a git bisect.

Environment details:
> OS: Mac OS X 10.9.4 (Darwin Kernel Version 13.3.0)
> clang: Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)

    ~/curl ❯❯❯ src/curl --version 
    curl 7.38.0-DEV (x86_64-apple-darwin13.3.0) libcurl/7.38.0-DEV SecureTransport zlib/1.2.5    libidn/1.28 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

    ~/curl ❯❯❯ src/curl -v https://somedomain.com/path

    * Hostname was NOT found in DNS cache
    *   Trying 54.197.232.19...
    * Connected to somedomain.com (54.197.232.19) port 443 (#0)
    * SSL: certificate verification failed (result: 5)
    * Closing connection 0

After doing a git bisect on the repository between 7.37.0 and 7.37.1:

> ~/curl git:bisect/good-c6d5f80d8b6ec795a3f88833d6f7c471fe8f2b4c:bisect ❯❯❯ git bisect good
> cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7 is the first bad commit
> commit cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7
> Author: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
> Date:   Thu Apr 17 07:03:05 2014 -0700

>    Add support for --cacert in DarwinSSL.

>    Security Framework on OS X makes it possible to supply extra anchor (CA)
>    certificates via the Certificate, Key, and Trust Services API. This
>    commit makes the '--cacert' option work using this API.

>    More information:
>    https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html

>    The HTTPS tests now pass on OS X except 314, which requires the '--crl' option to work.

> :040000 040000 ff22873e78147e1085203d748d4356bfcb07527e 11e40c9c116e53483e4fdac92b19e3761ae7fe47 M      lib
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
Received on 2014-08-19
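
The commit message quoted in the ticket describes --cacert for DarwinSSL being implemented by handing the bundle's certificates to the Security framework as extra anchors. The number after "result:" in the failure line is the SecTrustResultType that SecTrustEvaluate returned; 5 is kSecTrustResultRecoverableTrustFailure, meaning the server chain could not be validated to a trusted anchor under the policy in force. Before attributing such a failure to the backend, the first thing to check is whether the bundle is something any backend can consume: every block a CERTIFICATE block, base64 that decodes, and DER that is one well-formed SEQUENCE. The script below is an added example, not curl's own code and not the attached cacerts.pem; its sample bundle is constructed, the DER payloads in it are placeholders rather than real certificates, and it says nothing about which CA the server's chain actually needs.

```python
"""PEM CA bundle lint for --cacert troubleshooting.

Added example, not curl's own code and not the attached cacerts.pem.
It checks only what any TLS backend must do with a --cacert file:
split it into PEM blocks, base64-decode each CERTIFICATE block and
confirm the result is one well-formed DER SEQUENCE. The sample bundle
is constructed; its DER payloads are placeholders, not certificates.
"""
import base64
import binascii
import re
import sys

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def der_length(data):
    """Total length of the outer DER TLV, or None if it is not a SEQUENCE
    with a definite, sane length encoding."""
    if len(data) < 2 or data[0] != 0x30:  # X.509 Certificate is a SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # indefinite length is not DER
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def lint_bundle(text):
    """Return [(index, label, status)] for every PEM block in text.
    status is 'ok' or a short reason a backend would reject the block."""
    results = []
    label, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()                # tolerate CRLF and trailing blanks
        m = BEGIN.match(line)
        if m and label is None:
            label, lines = m.group(1), []
            continue
        m = END.match(line)
        if m and label is not None:
            idx = len(results)
            if m.group(1) != label:
                results.append((idx, label, "mismatched END marker"))
            elif label != "CERTIFICATE":
                results.append((idx, label, "not a CERTIFICATE block"))
            else:
                try:
                    der = base64.b64decode("".join(lines), validate=True)
                except (binascii.Error, ValueError):
                    results.append((idx, label, "invalid base64"))
                else:
                    total = der_length(der)
                    if total is None or total != len(der):
                        results.append((idx, label, "not a single DER SEQUENCE"))
                    else:
                        results.append((idx, label, "ok"))
            label, lines = None, []
            continue
        if label is not None:
            lines.append(line)
    if label is not None:                 # file ended inside a block
        results.append((len(results), label, "unterminated block"))
    return results


def pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 (constructed input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample bundle. Payloads are minimal DER SEQUENCEs, not real
# certificates; they exercise the framing checks, not X.509 semantics.
SEQ_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])       # SEQUENCE { INTEGER 5 }
SEQ_LONG = bytes([0x30, 0x81, 0x80]) + bytes(128)        # long-form length, 128 bytes
SEQ_TRUNC = bytes([0x30, 0x0A, 0x02, 0x01, 0x05])       # claims 10 bytes, carries 3

SAMPLE_BUNDLE = (
    pem("CERTIFICATE", SEQ_SHORT)
    + pem("CERTIFICATE", SEQ_LONG).replace("\n", "\r\n")  # CRLF line endings
    + pem("TRUSTED CERTIFICATE", SEQ_SHORT)               # OpenSSL-specific block type
    + pem("CERTIFICATE", SEQ_TRUNC)
    + pem("CERTIFICATE", SEQ_SHORT).split("-----END")[0]  # cut off before END
)

if __name__ == "__main__":
    # Usage: python pem_lint.py [bundle.pem]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for idx, label, status in lint_bundle(text):
        print(f"block {idx}: {label}: {status}")
```

Run it against the real bundle (`python pem_lint.py cacerts.pem`) and compare the count of "ok" blocks with what the bundle is supposed to contain; a TRUSTED CERTIFICATE block or a truncated entry is a bundle problem to fix before comparing TLS backends, while a clean report narrows the question to whether the anchors cover the chain curl printed under -v.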
