Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.
Sign upFix CA certificate bundle handling in darwinssl. #115
Conversation
ldx
referenced this pull request
Aug 30, 2014
Closed
Fix CA certificate bundle handling in darwinssl. #114
This comment has been minimized.
This comment has been minimized.
|
Ping @nickzman |
This comment has been minimized.
This comment has been minimized.
|
I'm still experiencing a problem where it will treat files that are not DER certificates as if they were DER certificates. For example, if I set --cacert to the Safari binary that comes with OS X, it treats it like it was a certificate file when it isn't. Why does pem_to_der() return 0 if the separator line is not found? |
This comment has been minimized.
This comment has been minimized.
|
The problem is that SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer is non-valid DER or corrupt. I pushed a commit which adds an extra check via calling SecCertificateCopyPublicKey() to make sure cacert is a valid certificate. It fixes the issue you mention. Pem_to_der() returns the number of bytes it consumed from the input buffer, so that it can be used to traverse through a bundle. If it can't find a separator it assumes the certificate is not a PEM file. |
added a commit
that referenced
this pull request
Sep 1, 2014
nickzman
merged commit 0c14b31
into
curl:master
Sep 1, 2014
1 check passed
This comment has been minimized.
This comment has been minimized.
|
Sorry about before. I was trying to copy & paste the change into the source file, and for some reason, it kept copying the old source without the change that fixed the problem above. Thanks for your work on this! |
ldx commentedAug 30, 2014
If the --cacert option is used with a CA certificate bundle that
contains multiple CA certificates, iterate through it, adding each
certificate as a trusted root CA.