cURL cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[curl:bugs] #1404 Certificate verification fails using DarwinSSL

From: Joe Binney <joebinney_at_users.sf.net>
Date: Wed, 20 Aug 2014 00:21:23 +0000

In the meantime, here's a recipe to build/install 7.37.0 for anyone using MacPorts:


    # From a temp directory, check out curl from macports at version 7.37.0
    svn co -r 120297 http://svn.macports.org/repository/macports/trunk/dports/net/curl

    # Enter the port directory
    cd curl

    # Install the port
    sudo port install

    # Open a new terminal window to verify you're now using version 7.37.0
    curl --version
    # curl 7.37.0 (x86_64-apple-darwin14.0.0) libcurl/7.37.0 OpenSSL/1.0.1i zlib/1.2.8 libidn/1.26

---
** [bugs:#1404] Certificate verification fails using DarwinSSL**
**Status:** pending-needsinfo
**Labels:** DarwinSSL 
**Created:** Tue Aug 05, 2014 06:18 PM UTC by Tzu
**Last Updated:** Wed Aug 20, 2014 12:11 AM UTC
**Owner:** nobody
Curl release version 7.37.1 broke SSL negotiation using DarwinSSL. This worked fine on version 7.37.0. As suggested to me earlier on the irc channel, I have built curl from git repository to do a git bisect.

Environment details:
> OS: Mac OS X 10.9.4 (Darwin Kernel Version 13.3.0)
> clang: Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)

    ~/curl ❯❯❯ src/curl --version 
    curl 7.38.0-DEV (x86_64-apple-darwin13.3.0) libcurl/7.38.0-DEV SecureTransport zlib/1.2.5    libidn/1.28 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

    ~/curl ❯❯❯ src/curl -v https://somedomain.com/path

    * Hostname was NOT found in DNS cache
    *   Trying 54.197.232.19...
    * Connected to somedomain.com (54.197.232.19) port 443 (#0)
    * SSL: certificate verification failed (result: 5)
    * Closing connection 0

After doing a git bisect on the repository starting from 7.37.0 to 7.37.1,

> ~/curl git:bisect/good-c6d5f80d8b6ec795a3f88833d6f7c471fe8f2b4c:bisect ❯❯❯ git bisect good
> cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7 is the first bad commit
> commit cd2cedf002a7639fbb6295a2f9838bc99d4a0bf7
> Author: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
> Date:   Thu Apr 17 07:03:05 2014 -0700

>    Add support for --cacert in DarwinSSL.

>    Security Framework on OS X makes it possible to supply extra anchor (CA)
>    certificates via the Certificate, Key, and Trust Services API. This
>    commit makes the '--cacert' option work using this API.

>    More information:
     > https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html


>    The HTTPS tests now pass on OS X except 314, which requires the '--crl' option to work.

> :040000 040000 ff22873e78147e1085203d748d4356bfcb07527e 11e40c9c116e53483e4fdac92b19e3761ae7fe47 M      lib
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.
Received on 2014-08-20

These mail archives are generated by hypermail.