> On Nov 14, 2017, at 3:47 PM, Ray Satiro via curl-library <[email protected]> wrote:
>
> On 11/14/2017 4:26 PM, Kelly Graus wrote:
>>> On Nov 14, 2017, at 2:07 PM, Ray Satiro via curl-library <[email protected]> wrote:
>>>
>>> On 11/14/2017 3:56 PM, Kelly Graus wrote:
>>>>
>>>>> On Nov 14, 2017, at 1:10 PM, Ray Satiro via curl-library <[email protected]> wrote:
>>>>>
>>>>> On 11/13/2017 6:43 PM, Kelly Graus wrote:
>>>>>> I’ve been using libcurl in an OS X app for several years, linking
>>>>>> against the system provided dynamic library. Recently we wanted to add
>>>>>> the ability to do a multipart form post, which requires a newer version
>>>>>> of libcurl than is provided by Apple. So I downloaded the source and
>>>>>> compiled it using the following options:
>>>>>>
>>>>>> ./configure --prefix=/usr/local/curl --with-darwinssl --enable-static
>>>>>> --disable-ldap --disable-ldaps
>>>>>>
>>>>>> I then link against the static library that is built, and everything
>>>>>> works great.
>>>>>>
>>>>>> However, when I build a release and run it on a different machine, I
>>>>>> receive the following error whenever I try to download a file using
>>>>>> HTTPS: "Problem with the SSL CA cert (path? access rights?)."
>>>>>>
>>>>>> I’ve tried it on two test machines, both of which are running slightly
>>>>>> older versions of OS X than what I used to compile with (10.11 and
>>>>>> 10.12, where I’m using 10.13). I don’t have another 10.13 machine right
>>>>>> now to test if this is related to the OS version.
>>>>>
>>>>> What is the curl_version() and turn on CURLOPT_VERBOSE [1] to check for
>>>>> relevant information.
>>>>>
>>>>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
>>>>
>>>> Using curl_version_info, I get the following:
>>>>
>>>> libcurl 7.56.1
>>>> ssl: SecureTransport
>>>> host: x86_64-apple-darwin17.2.0
>>>> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, pop3,
>>>> pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp
>>>> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file, NTLM-WB,
>>>> Unix Sockets
>>>>
>>>> With verbose output enabled, I see the underlying error is "SSL: can't
>>>> load CA certificate file /etc/ssl/cert.pem." I’ve verified that this file
>>>> is missing on the machines that don’t work. I’m looking into where those
>>>> files are supposed to be from, but if anyone knows it would be greatly
>>>> appreciated!
>>>
>>> That type is tiny, I can barely read it. There is only one place it fails
>>> with that error in darwinssl.c
>>>
>>> https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671
>>>
>>> ... and that would only happen if cafile was set, which would only happen if
>>> CURLOPT_CAINFO [1] was set in your program or configure set a default
>>> location, but iirc darwinssl is supposed to use Apple's built-in certificate
>>> store by default.
>>>
>>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
>>>
>> I’ve done a search through all our code; we never use CURLOPT_CAINFO. I was
>> under the impression that specifying --with-darwinssl and --without-ssl would
>> build curl to use only SecureTransport and the OS X keychain, so I’m also
>> confused as to why it’s trying to load a certificate from the file system.
>>
>> You mention a configure option to set the default location - do you have any
>> additional information about that? I’m not specifically setting it when
>> building, but maybe it’s something I need to disable?
>
> There's a ca fallback option but it only works for openssl, gnutls and
> polarssl. Looking at the configure script it seems it will autodetect a
> certificate bundle location for any ssl though, unless I'm reading it wrong.
> Are you sure there's no /etc/ssl/cert.pem on the build machine? Try
> --without-ca-bundle --without-ca-path
The build machine does have those files (which I’m assuming is why it worked). Those two configure options seem to have sorted everything out. Thanks for your help!
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
