On 11/14/2017 4:26 PM, Kelly Graus wrote:
>> On Nov 14, 2017, at 2:07 PM, Ray Satiro via curl-library wrote:
>>
>> On 11/14/2017 3:56 PM, Kelly Graus wrote:
>>>
>>>
>>>> On Nov 14, 2017, at 1:10 PM, Ray Satiro via curl-library wrote:
>>>>
>>>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>>>> I’ve been using libcurl in an OS X app for several years, linking
>>>>> against the system provided dynamic library. Recently we wanted
>>>>> to add the ability to do a multipart form post, which requires a
>>>>> newer version of libcurl than is provided by Apple. So I
>>>>> downloaded the source and compiled it using the following options:
>>>>>
>>>>> ./configure --prefix=/usr/local/curl --with-darwinssl
>>>>> --enable-static --disable-ldap --disable-ldaps
>>>>>
>>>>> I then link against the static library that is built, and
>>>>> everything works great.
>>>>>
>>>>> However, when I build a release and run it on a different machine,
>>>>> I receive the following error whenever I try to download a file
>>>>> using HTTPS: "Problem with the SSL CA cert (path? access rights?)."
>>>>>
>>>>> I’ve tried it on two test machines, both of which are running
>>>>> slightly older versions of OS X than what I used to compile with
>>>>> (10.11 and 10.12, where I’m using 10.13). I don’t have another
>>>>> 10.13 machine right now to test if this is related to the OS version.
>>>>
>>>> What is the curl_version() and turn on CURLOPT_VERBOSE [1] to check for
>>>> relevant information.
>>>>
>>>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
>>>
>>> Using curl_version_info, I get the following:
>>>
>>> libcurl 7.56.1
>>> ssl: SecureTransport
>>> host: x86_64-apple-darwin17.2.0
>>> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps,
>>> pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
>>> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file,
>>> NTLM-WB, Unix Sockets
>>>
>>> With verbose output enabled, I see the underlying error is "SSL:
>>> can't load CA certificate file /etc/ssl/cert.pem." I’ve verified
>>> that this file is missing on the machines that don’t work. I’m
>>> looking into where those files are supposed to be from, but if
>>> anyone knows it would be greatly appreciated!
>>
>> That type is tiny I can barely read it. There is only one place it
>> fails with that error in darwinssl.c
>>
>> https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671
>>
>> ... and that would only happen if cafile was set which would only
>> happen if CURLOPT_CAINFO [1] was set in your program or configure set
>> a default location but iirc darwinssl is supposed to use Apple's
>> built in certificate store by default.
>>
>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>>
>
> I’ve done a search through all our code, we never use CURLOPT_CAINFO.
> I was under the impression that specifying --with-darwinssl and
> --without-ssl would build curl to use only SecureTransport and the OS X
> keychain, so I’m also confused as to why it’s trying to load a
> certificate from the file system.
>
> You mention a configure option to set the default location - do you
> have any additional information about that? I’m not specifically
> setting it when building, but maybe it’s something I need to disable?

There's a ca fallback option but it only works for openssl, gnutls and polarssl. Looking at the configure script it seems it will autodetect a certificate bundle location for any ssl though, unless I'm reading it wrong. Are you sure there's no /etc/ssl/cert.pem on the build machine? Try --without-ca-bundle --without-ca-path
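One way to check the build for the autodetected default discussed above, as an added example that is not part of the original thread: after `./configure`, look in the generated header for a CA file or directory that was picked up on the build machine and test whether it exists on the machine at hand. It assumes an autotools build records these as `CURL_CA_BUNDLE` and `CURL_CA_PATH` in `lib/curl_config.h`; the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: an autotools build of curl
# records configure's CA defaults in lib/curl_config.h as CURL_CA_BUNDLE (file)
# and CURL_CA_PATH (directory). Function names here are hypothetical.

# Print the quoted value of a #define in a config header; prints nothing if
# the macro is absent or only appears as a commented-out #undef.
baked_value() {  # $1 = header file, $2 = macro name
  sed -n "s/^#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\"\(.*\)\".*/\1/p" "$1" |
    head -n 1
}

# Report baked-in CA defaults and whether they exist on this machine.
# Returns 0 = nothing baked in, 1 = baked in and present, 2 = baked in but missing.
check_ca_defaults() {  # $1 = path to curl_config.h
  status=0
  for macro in CURL_CA_BUNDLE CURL_CA_PATH; do
    value=$(baked_value "$1" "$macro")
    if [ -z "$value" ]; then
      continue
    elif [ -e "$value" ]; then
      echo "$macro=$value (present on this machine)"
      if [ "$status" -eq 0 ]; then status=1; fi
    else
      echo "$macro=$value (MISSING on this machine)"
      status=2
    fi
  done
  return "$status"
}

# Constructed sample header: the state the thread points to, with the bundle
# path from the verbose error message autodetected at build time.
demo=$(mktemp -d)
printf '%s\n' '#define CURL_CA_BUNDLE "/etc/ssl/cert.pem"' \
  '/* #undef CURL_CA_PATH */' > "$demo/curl_config.h"
check_ca_defaults "$demo/curl_config.h" || echo "exit status $?: default baked in"
rm -rf "$demo"
```

Run `check_ca_defaults lib/curl_config.h` in the curl source tree after configuring; a build configured with `--without-ca-bundle --without-ca-path` should print nothing and return 0.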
