On 10/1/2023 12:56 PM, Andrew Patterson via curl-library wrote:
We've been using libcurl for years but for a long time we were running with peer validation disabled. I know that's terrible, and it wasn't my decision, but I'm attempting to remedy it now.

It took a couple of hours, but I figured out how to get SSL working correctly with libcurl on Android, but I've been stymied on iOS. We were linking it with OpenSSL (like on Android) but I couldn't figure out where to find the certificates on iOS. I know I could upload the cacert.pem from the libcurl website, but I'd like to get this working in a way that doesn't require us to keep updating the certificates if I could.

To that end, one of my colleagues wondered why we weren't just using the Secure Transport option -- and that seemed like a good question. I had no problem building it (we use CMake, so I added -DCMAKE_USE_SECTRANSP=ON) but I still can't connect when attempting a network connection with peer verification enabled. I'm very confident that the Secure Transport code is being utilized, because the error message (see below) comes from lib/vtls/sectransp.c.

I hooked up the debug callback and got this (text only):

  Trying [REDACTED]:443...
Debug: Connected to  [REDACTED] ([REDACTED]) port 443 (#0)
Debug: ALPN, offering http/1.1
Debug: SSL: can't load CA certificate file /etc/ssl/cert.pem
Debug: Closing connection 0

Additional information: curlResult was 77.

Any idea what I'm doing wrong? I really thought switching to Secure Transport would be the silver bullet so I'd appreciate any suggestions, regardless of whether they're build step or code related!


That error is because CURLOPT_CAINFO was set to a certificate bundle that can't be loaded. [1][2] If you want to use the OS cert store instead you'll have to disable that option. From the doc, regarding secure transport, "If the option is not set, then curl uses the certificates in the system and user Keychain to verify the peer."

[1]: https://github.com/curl/curl/blob/curl-8_3_0/lib/vtls/sectransp.c#L1991-L2000
[2]: https://curl.se/libcurl/c/CURLOPT_CAINFO.html

--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
