MacOS – CA storage for cURL on Mavericks

certificatemacos

I was troubleshooting a problem with Arcanist and Phabricator on MacOSX, a cURL/60 error, but it wasn't clear how to check where the php curl libraries were getting their Certificate Authority trust from.

Where or how does Mavericks handle trust storage for Certificate Authorities and self-signed certificates for cURL and/or the curl libraries? Is there a source of documentation on this which I'm missing?

Nb, I'm pretty new with MacOS.

Best Answer

cURL no longer bundles ANY CA certs; so it rejects all SSL certificates as unverifiable.

You'll need to obtain your CA's cert in order for things to work as they should:

Download the cURL cacert.pem file and save it to your server
update php.ini — add curl.cainfo = "PATH_TO/cacert.pem"
Or add the following and/or similar to your cURL options for each instance:

curl_setopt($ch, CURLOPT_CAINFO, "PATH_TO/cacert.pem");   
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

More information here

Related Solutions

IPad Mail client – IMAP with X.509 client certificates

The question appears to be specific to using X.509 for authentication to an IMAP service, which isn't supported by iOS. S/MIME email encryption and signatures can be performed on iOS, but the authentication to mail services will still use username/password over SSL or TLS.

MacOS – Mac OS X (10.9) and 8192 bit certificates – Error -67762

The answer, as discovered by shizmob, is that Apple moved the location of this preference in Maverics to /Library/Preferences/com.apple.security. So what you need to run is

sudo defaults write /Library/Preferences/com.apple.security RSAMaxKeySize -int 8192

Best Answer

Related Solutions

IPad Mail client – IMAP with X.509 client certificates

MacOS – Mac OS X (10.9) and 8192 bit certificates – Error -67762

Related Question