
How to make libcurl look in the Mac Keychain for certificates

My code is trying to access an HTTPS server and it has its own certificate. Example, the IP is "10.0.1.101".

If I go through Safari and access "http://10.0.1.101", everything's OK. I do a simple curl_easy_perform() for this URL and data can be pulled from the HTTP URL. Cool.

I then try to access "https://10.0.1.101" (yes, HTTPS) and from Safari, I accept the certificate and give it a "trust" option and after that, Safari access to the HTTPS URL is OK.

So the certificate has been added to the Mac Keychain but when I try a curl_easy_perform() on the HTTPS URL, it still returns with a CURLE_SSL_CACERT. libcurl could not authenticate the HTTPS certificate with known CA certificates.

What is the missing link between libcurl's certificate checking and Mac Keychain? Is there even a link at all? Is it possible to make libcurl look into the Mac Keychain for certificates? If so, how?

radj asked Sep 16 '11



1 Answer

"New" curl on Mac OS does not "look" at the system Keychain database (old curl versions worked great with the -E option).

You can still make it work with curl on newer versions of Mac OS:

brew install curl

(installs a version of curl that works with client certificates read from the Keychain)

and then something like:

/usr/local/opt/curl/bin/curl -E wlad https://mail.securedbyclientcertificate.com/access/

(for -E you type the name of your client certificate in the Keychain database)

Mac OS will ask you for permission to read from the Keychain; type your macOS password and select "Always Allow".

wlad answered Oct 10 '22
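The answer above covers client certificates; the question itself is about the server side of the handshake, where curl returns CURLE_SSL_CACERT because the self-signed certificate the asker trusted in Safari is not in the CA bundle curl consults. The script below is an added example, not code from the question, the answer or the curl project. It exports the certificate that was trusted in the Keychain with the `security` tool that ships with macOS and passes that file to curl with `--cacert`, so verification stays switched on and curl trusts exactly that one certificate rather than every certificate (as `-k` would). It assumes the certificate was stored under the host name or IP you connect to (the `-c` match is on the common name), and that `openssl` is on the path; the host 10.0.1.101 is the one from the question.

```shell
#!/bin/sh
# Added example (not from the question or answer): export a server certificate
# that has already been trusted in the macOS Keychain and hand it to curl with
# --cacert, so verification stays enabled instead of being disabled with -k.
# Assumptions: `security` and `openssl` are on the path (both ship with macOS)
# and the certificate's common name is the host or IP used on the command line.

# Count the certificates in a PEM file. `security find-certificate` exits 0 and
# prints nothing when no certificate matches the name, so the export must be
# checked before it is given to curl; an empty CA file only yields a confusing
# SSL error. A missing file counts as zero certificates.
pem_cert_count() {
    if [ -f "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Export every Keychain certificate whose common name matches $1 into PEM file $2.
# Returns non-zero when nothing was exported.
export_keychain_cert() {
    name="$1"; out="$2"
    security find-certificate -a -c "$name" -p > "$out"
    [ "$(pem_cert_count "$out")" -gt 0 ]
}

# Fetch $1 with peer verification on, trusting only the certificates in $2.
fetch_with_pinned_ca() {
    url="$1"; cafile="$2"
    curl --fail --silent --show-error --cacert "$cafile" "$url"
}

main() {
    host="${1:-10.0.1.101}"
    cafile="$(mktemp)"
    if ! export_keychain_cert "$host" "$cafile"; then
        echo "no certificate named '$host' in the Keychain" >&2
        rm -f "$cafile"
        return 1
    fi
    # Show what is about to be trusted before using it.
    openssl x509 -in "$cafile" -noout -subject -dates
    fetch_with_pinned_ca "https://$host/" "$cafile"
    rc=$?
    rm -f "$cafile"
    return $rc
}

# Only run when given a host argument, e.g.: sh keychain-curl.sh 10.0.1.101
[ $# -eq 0 ] || main "$@"
```

The same PEM file works from libcurl by setting CURLOPT_CAINFO to its path and leaving CURLOPT_SSL_VERIFYPEER at its default of 1. curl also checks that the certificate was issued to the name you connect to, so a certificate issued to a different name or without the IP in it is still rejected even when it is in the CA file; that is the name check doing its job, not a second trust problem.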