In High Sierra, curl has switched from linking against SecureTransport to using LibreSSL. However, with this change, it seems that curl no longer recognises trusted certificates stored in the keychain.
# note that Safari does not trust the site (expected)
$ open -a Safari https://self-signed.badssl.com/
# note that curl does not trust the site (expected)
$ curl https://self-signed.badssl.com
curl: (60) SSL certificate problem: self signed certificate
# trust the self-signed certificate by adding it to the keychain
$ openssl s_client -servername self-signed.badssl.com -connect self-signed.badssl.com:443 </dev/null 2>/dev/null | openssl x509 > self-signed.badssl.com.crt
$ security add-trusted-cert -p ssl -k ~/Library/Keychains/login.keychain-db self-signed.badssl.com.crt
# note that Safari DOES now trust the site (expected)
$ open -a Safari https://self-signed.badssl.com/
# note that curl DOES NOT trust the site (not expected)
$ curl https://self-signed.badssl.com
curl: (60) SSL certificate problem: self signed certificate
Thanks for putting this together!
I've been running into this myself and would be interested in keeping an eye on the bug report. Is there a good way to do that? I wasn't able to find the report here when I searched for it with the report ID.