-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL Error on macOS, when --insecure flag is given. #1184
Comments
Not an issue. You get that error if you put curl into insecure mode while simultaneously specifying a server certificate file or bundle. In general, you shouldn't specify a server certificate file or bundle using curl on macOS unless you really know what you're doing. The option is there, and is intended for backward compatibility with scripts that also have to run on other operating systems where using the Keychain is not an option. If that does not describe your use case, then just let curl use the Keychain for trust evaluation. And if you have any self-signed certificates, then use certtool or Keychain Access to add them to your Keychain. |
If insecure mode is specified why don't we just ignore the bundle? I can see how it might be beneficial to put --cacert FILE into a curlrc and then let's say on the command line you want to go insecure, why does it matter if the bundle was specified? |
The --cacert/--capath and --insecure options contradict each other. That would be okay on back-ends that wholly rely on a third-party certificate database, e.g. OpenSSL. But Secure Transport is intended to be used with macOS' Keychain as a certificate database, with a third-party option only in place for backward compatibility. Since they're overriding the default behavior in contradictory ways, I think it makes sense to tell the user to pick one way or the other. We do also say in the documentation that, when Secure Transport is in use, the --cacert option is only provided for backward compatibility reasons. |
I see your point about the contradiction but I disagree. I'm saying there are reasonable scenarios where it may happen there are contradictory options. Someone may have in their script or their program an option that adds the cacert, and then later on in some other function in their program or point in their script they decide to add insecure for that transfer. AFAICT with every other backend insecure will work regardless of cacert. Is there any reason why we can't do that for Secure Transport as well, and wouldn't it also be helpful for backwards compatibility and consistency? |
I am not specifying a server certificate file or bundle, not explicitly, at least. Also, I am pointing out that same version of curl, built with same configuration options, behaves differently on different OSX versions. Here is the code that was generated.
|
Then the attached patch ought to allow the contradictory commands. Does it solve the original report? Also, it is possible to specify the certificate bundle in the curlrc, isn't it? |
It does. Thank you. Also, when invoking the configure script with the argument I think the default, especially when using SecureTransport, should be configure:
relevant output:
|
Thanks. Daniel might know more, but I think that certificate bundle is always listed there but not actually used in the ST engine. I still suspect you have something in your curlrc file that is using a certificate bundle somewhere if you're not using the --cacert option. |
I did this
./curl --insecure https://www.google.com
I expected the following
html document from google:
<!doctype html><html itemscope="" itemtype="...
Instead, I got this message
curl: (35) SSL: CA certificate set, but certificate verification is disabled
curl/libcurl version
operating system
System Version: macOS 10.12.2 (16C67)
Kernel Version: Darwin 16.3.0
configuration
verbose
On an older osx, with the same version of libcurl as above, and same configuration, I do get the expected behavior. Following are some of the details:
curl/libcurl version
configuration
I did this
$ ./curl --insecure https://www.google.com
I got this
html document from google:
<!doctype html><html itemscope="" itemtype="...
The text was updated successfully, but these errors were encountered: