>> >> >> On 11/13/2017 6:43 PM, Kelly Graus wrote: >> >> I’ve been using libcurl in an OS X app for several years, linking against >> the system provided dynamic library. Recently we wanted to add the ability >> to do a multipart form post, which requires a newer version of libcurl than >> is provided by Apple. So I downloaded the source and compiled it using the >> following options: >> >> ./configure --prefix=/usr/local/curl --with-darwinssl --enable-static >> --disable-ldap --disable-ldaps >> >> I then link against the static library that is built, and everything works >> great. >> >> However, when I build a release and run it on a different machine, I receive >> the following error whenever I try to download a file using HTTPS: "Problem >> with the SSL CA cert (path? access rights?).” >> >> I’ve tried in on two test machines, both of which are running slightly older >> versions of OS X than what I used to compile with (10.11 and 10.12, where >> I’m using 10.13). I don’t have another 10.13 machine right now to test if >> this is related to the OS version. >> >> What is the curl_version() and turn on CURLOPT_VERBOSE [1] to check for >> relevant information. >> >> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html >> >> Using curl_version_info, I get the following: >> >> libcurl 7.56.1 >> ssl: SecureTransport >> host: x86_64-apple-darwin17.2.0 >> protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, pop3, >> pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp >> features: IPv6, SSL, libz, NTLM, asynchronous DNS, large file, NTLM-WB, Unix >> Sockets >> >> >> With verbose output enabled, I see the underlying error is "SSL: can't load >> CA certificate file /etc/ssl/cert.pem.” I’ve verified that this file is >> missing on the machines that don’t work. I’m looking into where those files >> are supposed to be from, but if anyone knows it would be greatly appreciated! >> >> That type is tiny i can barely read it. There is only one place it fails >> with that error in darwinssl.c >> >> https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/darwinssl.c#L1671 >> >> ... and that would only happen if cafile was set which would only happen if >> CURLOPT_CAINFO [1] was set in your program or configure set a default >> location but iirc darwinssl is supposed to use apple's built in certificate >> store by default. >> >> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html >> >> I’ve done a search through all our code, we never use CURLOPT_CAINFO. I was >> under the impression that specifying —with-darwinssl and —without-ssl would >> build curl to use only SecureTransport and the OS X keychain, so I’m also >> confused as to why it’s trying to load a certificate from the file system. >> >> You mention a configure option to set the default location - do you have any >> additional information about that? I’m not specifically setting it when >> building, but maybe it’s something I need to disable? >> >> There's a ca fallback option but it only works for openssl, gnutls and >> polarssl. Looking at the configure script it seems it will autodetect a >> certificate bundle location for any ssl though, unless I'm reading it wrong. >> Are you sure there's no /etc/ssl/cert.pem on the build machine? Try >> --without-ca-bundle --without-ca-path >> >> The build machine does have those files (which I’m assuming is why it >> worked). Those two configure options seems to have sorted everything out. >> Thanks for your help! >>
Hello! When using a current version of cURL with SecureTransport on macOS (newer than the version of cURL from the system) we explicitly need to set CURLOPT_CAINFO (and CURLOPT_PROXY_CAINFO) to NULL to prevent cURL to additionally check against a CA-Bundle in the file system by default (/etc/ssl/cert.pem). This CA-Bundle file is not synchronized with the key chain and therefore does not contain any manually imported root certificates, and with that the certificate validation fails. Regards, Dominik ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
