
@mtibben
Last active April 30, 2018 20:52
Apple bug report 35065812: macOS High Sierra curl does not use certs in the keychain

In High Sierra, curl has switched from linking against SecureTransport to LibreSSL. However, with this change it seems that curl no longer recognises trusted certificates stored in the keychain.

```shell
# note that safari does not trust the site (expected)
$ open -a Safari https://self-signed.badssl.com/

# note that curl does not trust the site (expected)
$ curl https://self-signed.badssl.com
curl: (60) SSL certificate problem: self signed certificate

# trust the self-signed certificate by adding it to the keychain
$ openssl s_client -servername self-signed.badssl.com -connect self-signed.badssl.com:443 </dev/null 2>/dev/null | openssl x509 > self-signed.badssl.com.crt
$ security add-trusted-cert -p ssl -k ~/Library/Keychains/login.keychain-db self-signed.badssl.com.crt

# note that Safari DOES now trust the site (expected)
$ open -a Safari https://self-signed.badssl.com/

# note that curl DOES NOT trust the site (not expected)
$ curl https://self-signed.badssl.com
curl: (60) SSL certificate problem: self signed certificate
```
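As an added example (not part of the gist), a POSIX shell helper that detects which TLS backend curl was built against from its `curl --version` banner and, when it is LibreSSL rather than SecureTransport, builds a CA bundle from the login keychain to hand to `curl --cacert`. The bundle path, `/etc/ssl/cert.pem` as the system bundle, and the `check` subcommand are assumptions; `security find-certificate -a -p` exports every certificate in the keychain, not only those carrying a trust setting, so review the bundle before relying on it.

```shell
#!/bin/sh
# Added example, not the gist author's code. Works around a LibreSSL-linked
# curl ignoring keychain trust by giving curl an explicit CA bundle.
set -eu

# Print the TLS backend named in a curl version banner ($1), i.e. the token
# that follows "libcurl/<ver>", with any "/<version>" suffix removed.
# Takes the banner as an argument so it can be tested without running curl.
tls_backend() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^libcurl\//) { t = $(i + 1); sub(/\/.*/, "", t); print t; exit }
  }'
}

# Build a PEM bundle = system CA bundle + every certificate in the login
# keychain (assumed paths), and print the bundle path. macOS only.
# Caveat: find-certificate -a does not consult trust settings, so the
# bundle may contain certificates the user never marked as trusted.
keychain_ca_bundle() {
  out="${1:-$HOME/.curl-keychain-ca.pem}"
  cat /etc/ssl/cert.pem > "$out"
  security find-certificate -a -p "$HOME/Library/Keychains/login.keychain-db" >> "$out"
  printf '%s\n' "$out"
}

# Verify $1 the way the gist does, choosing the CA source by backend.
check_site() {
  backend=$(tls_backend "$(curl --version | head -n 1)")
  if [ "$backend" = "SecureTransport" ]; then
    curl -sS -o /dev/null "$1" && echo "trusted via keychain ($backend)"
  else
    bundle=$(keychain_ca_bundle)
    curl -sS -o /dev/null --cacert "$bundle" "$1" && echo "trusted via $bundle ($backend)"
  fi
}

# Usage: sh curl-keychain.sh check https://self-signed.badssl.com
case "${1:-}" in
  check) check_site "${2:?url required}" ;;
esac
```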

atomdmac commented Mar 8, 2018

Thanks for putting this together!

I've been running into this myself and would be interested in keeping an eye on the bug report. Is there a good way to do that? I wasn't able to find the report here when I searched for it with the report ID.
