curl 7.38 bug fix for godaddy ca with openssl #33769
When curl is built with brewed openssl, requests to any https urls that use a cert issued by GoDaddy fail with a `curl (60) SSL certificate problem`. Explicitly specifying brewed openssl's cert bundle resolves this issue.
Paging @jacknagel who has had thoughts on this in the past.
Does it not use this by default (openssl itself does)?
@jacknagel Apparently not. Here is a short excerpt from the
Which brings up the following: Should homebrew pass the Further evidence: according to
(returns blank)
Just to confirm this PR does solve the problem presented. Without the explicit definition of which ca path to follow curl doesn't know where to look for the ca and consequently can error out on some domains. I'm not sure that we need to set the
Does curl (built with openssl) install its own certs or something? IOW, if it only fails for some domains, it presumably is getting certs from somewhere. I'm not opposed to this patch, I'd just like to understand it better.
No, it doesn't seem to. It doesn't actually seem to explicitly specify where it looks for certs on OS X platforms built against OpenSSL rather than SecureTransport, but this is what it does in the same situation for Windows:
So perhaps it does something like that on OS X. ❓ But I'm not sure where it would find them, given OpenSSL doesn't ship with certs by default AFAIK, and curl doesn't, and OS X doesn't keep its CA bundle inside the The otool for cURL with OpenSSL doesn't reveal anything particularly interesting:
Just tried:
I installed curl with openssl and it failed to verify every https domain I tried, so I made the commit message more generic.
I wonder if it's worth throwing a caveat for brewed curl with OpenSSL pointing to cURL's upstream page on the recommended certificate bundle to use & how to obtain that.
+1 now git with brewed-curl works like a charm.
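A diagnostic for the question raised in this thread (where does an OpenSSL-linked curl get its CA certificates?), added here as an example and not part of the pull request or of Homebrew's formula. It assumes the curl command-line tool's environment precedence is `CURL_CA_BUNDLE`, then `SSL_CERT_DIR`, then `SSL_CERT_FILE`, then the compiled-in default reported by `curl-config --ca`; the function names `ca_source` and `count_certs` are hypothetical.

```shell
#!/bin/sh
# Added example: report which CA source a curl binary would fall back to,
# and whether a given bundle actually contains certificates.

# Print the CA source selected from the environment.
# $1 = compiled-in default bundle path (may be empty).
# Assumed precedence (an explicit --cacert flag is not modelled):
#   CURL_CA_BUNDLE > SSL_CERT_DIR > SSL_CERT_FILE > compiled-in default
ca_source() {
    builtin_default=$1
    if [ -n "${CURL_CA_BUNDLE:-}" ]; then
        echo "env:CURL_CA_BUNDLE=$CURL_CA_BUNDLE"
    elif [ -n "${SSL_CERT_DIR:-}" ]; then
        echo "env:SSL_CERT_DIR=$SSL_CERT_DIR"
    elif [ -n "${SSL_CERT_FILE:-}" ]; then
        echo "env:SSL_CERT_FILE=$SSL_CERT_FILE"
    elif [ -n "$builtin_default" ]; then
        echo "builtin:$builtin_default"
    else
        # Nothing configured: verification has no trust anchors to use.
        echo "none"
    fi
}

# Count PEM certificates in a bundle; prints 0 for a missing or empty file.
count_certs() {
    if [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Report for the curl found on PATH (empty default if curl-config is absent).
default=$(curl-config --ca 2>/dev/null || true)
src=$(ca_source "$default")
echo "curl CA source: $src"
case $src in
    builtin:*) echo "certificates in bundle: $(count_certs "${src#builtin:}")" ;;
    none)      echo "no CA bundle configured; pass --cacert or set CURL_CA_BUNDLE" ;;
esac
```

A result of `none`, or a bundle path with a certificate count of 0, means certificate verification has nothing to validate against until a bundle is specified explicitly.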
When curl is built with brewed openssl, requests to any https urls that use a cert issued by GoDaddy fail with a `curl (60) SSL certificate problem`. Explicitly specifying brewed openssl's cert bundle resolves this issue.
Test case: