
my curl 7.75.0 can't read a cert from my keychain #6717

Closed
dabraham02124 opened this issue Mar 10, 2021 · 3 comments
Labels
cmdline tool not-a-curl-bug This is not a bug in curl TLS

Comments

dabraham02124 commented Mar 10, 2021

I did this

  1. installed curl 7.75.0 using brew (up from 7.72.0)
  2. `curl https://webapp.at.my.company --cert $USER` where there's a cert with the value of `$USER` in the OS X keychain.
  3. received `curl: (58) could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?)`
  4. I tried again, using `/usr/local/Cellar/curl/7.72.0/bin/curl https://webapp.at.my.company --cert $USER` and it performed as expected

I expected the following

the webapp response

curl/libcurl version

doesn't work

```
curl 7.75.0 (x86_64-apple-darwin19.6.0) libcurl/7.75.0 (SecureTransport) OpenSSL/1.1.1j zlib/1.2.11 brotli/1.0.9 zstd/1.4.9 libidn2/2.3.0 libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink MultiSSL NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets zstd
```

vs

works

```
curl 7.72.0 (x86_64-apple-darwin19.5.0) libcurl/7.72.0 SecureTransport zlib/1.2.11
Release-Date: 2020-08-19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile libz NTLM NTLM_WB SSL UnixSockets
```

operating system

Darwin {machine} 19.6.0 Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64 x86_64

NB

I'm not at all sure that this is a curl issue, as opposed to a "how brew is compiling curl" issue. But I've googled around for other people having the issue and for details on how curl talks to the OS X keychain, and have not found a lot.

This is not urgent for me, I still have 7.72.0, but I think it would eventually be insecure for me to never upgrade.

Thank you very much. Be well.

jay (Member) commented Mar 10, 2021

To use --cert in the way you describe requires using the SecureTransport SSL backend. Your libcurl from brew is built with multiple SSL backends, and (likely) the default backend is set to OpenSSL.

`libcurl/7.75.0 (SecureTransport) OpenSSL/1.1.1j`

`MultiSSL`

What you can do is choose the secure transport backend explicitly by setting it in the environment. I think this should work:

`CURL_SSL_BACKEND=secure-transport curl https://webapp.at.my.company --cert $USER`

jay added the cmdline tool, not-a-curl-bug (This is not a bug in curl) and TLS labels Mar 10, 2021

dabraham02124 (Author) commented

  1. That does work for me. Thank you!
  2. I did go looking for doc on this, did I miss it? I do see CURL_SSL_BACKEND in the man page, but I can't imagine having found it knowing the problem but not the string.
  3. Is there a way to set this as the default so I don't have to type it each time?
    1. It looks like I should be able to put it in my .curlrc file, but I get `warning: 'CURL_SSL_BACKEND' is unknown`, and it doesn't work. I've googled, grepped the man page, and it really looks like this should work.
    2. I also tried setting it as an environment variable. That simply did nothing.

jay added a commit to jay/curl that referenced this issue Mar 17, 2021
- Document the names that can be used with CURL_SSL_BACKEND:
  bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
  schannel, secure-transport, wolfssl

Ref: curl#2209 (comment)
Ref: curl#6717 (comment)

Closes #xxxx
jay (Member) commented Mar 17, 2021

CURL_SSL_BACKEND is an environment variable that is used to override the default SSL backend set at build time. It is documented in the libcurl and curl tool sections on environment variables. It is not meant for your curlrc. It is only useful if you built curl for multiple SSL backends ("MultiSSL" feature).

https://curl.se/docs/manpage.html#CURLSSLBACKEND
https://curl.se/libcurl/c/libcurl-env.html#CURLSSLBACKEND

I've proposed PR #6755 to add the SSL backend names:
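A small shell helper, added here as an example (it is not from the issue or from the curl project), that reads a `curl -V` banner to tell whether a MultiSSL build is in use and which TLS backend is the default, and then applies the CURL_SSL_BACKEND override from this thread only when it is actually needed. It relies on curl listing compiled-in but non-selected backends in parentheses, which matches the output above where OpenSSL is the default and SecureTransport the alternative; the two banners are copied from the report and embedded as constructed samples.

```shell
#!/bin/sh
# Constructed sample: the reporter's MultiSSL 7.75.0 banner (trimmed).
CURL_V_BROKEN='curl 7.75.0 (x86_64-apple-darwin19.6.0) libcurl/7.75.0 (SecureTransport) OpenSSL/1.1.1j zlib/1.2.11
Release-Date: 2021-02-03
Features: alt-svc AsynchDNS brotli MultiSSL NTLM SSL'
# Constructed sample: the single-backend 7.72.0 banner that worked.
CURL_V_WORKS='curl 7.72.0 (x86_64-apple-darwin19.5.0) libcurl/7.72.0 SecureTransport zlib/1.2.11
Release-Date: 2020-08-19
Features: AsynchDNS IPv6 Largefile libz NTLM NTLM_WB SSL UnixSockets'

# True when the Features line lists MultiSSL (several backends built in).
is_multissl() {
  printf '%s\n' "$1" | grep '^Features:' | sed 's/$/ /' | grep -q ' MultiSSL '
}

# Default backend: the first unparenthesised name after the libcurl/x.y.z
# token on line 1 (parenthesised names are built in but not selected).
default_ssl_backend() {
  printf '%s\n' "$1" | awk 'NR == 1 {
    for (i = 1; i <= NF; i++) if ($i ~ /^libcurl\//)
      for (j = i + 1; j <= NF; j++) {
        if ($j ~ /^\(/) continue
        sub(/\/.*/, "", $j); print $j; exit
      }
  }'
}

# Backends that are compiled in but not the default, one per line.
alternate_ssl_backends() {
  printf '%s\n' "$1" | awk 'NR == 1 {
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^libcurl\//) { seen = 1; continue }
      if (seen && $i ~ /^\(.*\)$/) { gsub(/[()]/, "", $i); sub(/\/.*/, "", $i); print $i }
    }
  }'
}

# Map a display name to the CURL_SSL_BACKEND value documented in PR #6755.
backend_env_name() {
  case "$1" in
    SecureTransport) echo secure-transport ;;
    *) printf '%s\n' "$1" | tr 'A-Z' 'a-z' ;;   # OpenSSL -> openssl, wolfSSL -> wolfssl, ...
  esac
}

# The keychain --cert call only needs the override on a MultiSSL build
# whose default is not the wanted backend ($2 is a display name).
needs_override() { is_multissl "$1" && [ "$(default_ssl_backend "$1")" != "$2" ]; }

# Force the backend for one invocation via the environment (the thread
# shows the variable is not understood in .curlrc).
curl_with_backend() { want="$1"; shift; CURL_SSL_BACKEND="$(backend_env_name "$want")" curl "$@"; }
```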

@jay jay closed this as completed Mar 17, 2021
jay added a commit that referenced this issue Mar 17, 2021
- Document the names that can be used with CURL_SSL_BACKEND:
  bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
  schannel, secure-transport, wolfssl

Ref: #2209 (comment)
Ref: #6717 (comment)

Closes #6755