Certificate Authorities: curl-ca-bundle, certsync, keychain

Rainer Müller raimue at macports.org
Thu Nov 28 07:32:47 PST 2013


On 2013-11-28 15:25, Landon Fuller wrote:
> certsync is tested and works on 10.6+, and is building successfully on all the buildbots, and a MacPorts update has now shipped with support for auto-loading certsync's startup item. I've been running certsync since May without any noticed ill-effects.

I have been using certsync since you announced it here on the list and
so far, I did not experience any problems. I am fine with moving to
certsync as the new default.

For older OS X versions <=10.5, the certsync port could just depend on
the curl-ca-bundle and not install any files. Or should we keep the
path: dependency style anyway to allow using curl-ca-bundle as an
alternative?

> I would like to propose that we move to using certsync by default, as a replacement for curl-ca-bundle. To briefly rehash the benefits of certsync:
> 	- Uses the CAs Apple provides -- that way MacPorts doesn't have to be in the business of distributing CA certificates.
> 	- Also includes any custom CAs that the user has added. This is the case for many people who use internal CAs to sign certificates for their corporate (or personal) services.
> 	- Automatically updates when the System Keychain(s) or trust settings are modified. 

The only catch is that custom added certificates or trust anchors need
to be in the system keychain to be picked up by certsync by default.

As a side note, as of Mavericks the version of curl distributed by Apple
uses SecureTransport instead of OpenSSL and accesses the keychain
directly to check for trusted CAs [1]. Due to this, /usr/bin/curl loses
some functionality. MacPorts' curl still uses OpenSSL and with certsync
it will use the same list of certificates without losing any functionality.

Rainer

[1] http://curl.haxx.se/mail/archive-2013-10/0036.html
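As an added illustration (this is not certsync's code and did not appear in the thread), here is a POSIX shell sketch of the kind of keychain-to-PEM export certsync performs for OpenSSL-based clients, together with a check for the catch mentioned above: a custom CA is only picked up if it lives in the System keychain, not in a user's login keychain. Assumptions: the output path in BUNDLE, the CA subject string in the driver, and the use of the standard Apple keychain file locations; certsync's real output path and file layout are not given on this page.

```shell
#!/bin/sh
# Added example, not part of certsync or MacPorts. Rebuilds a PEM CA bundle
# from the Apple root store plus the System keychain, the two places an
# OpenSSL-linked curl can be pointed at instead of the keychain itself.

# Standard OS X keychain locations (assumed, not taken from the thread).
SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain
# Assumed output path; certsync's own destination is not stated on the page.
BUNDLE=${BUNDLE:-/tmp/ca-bundle.pem}

# pem_dedupe: read PEM CERTIFICATE blocks on stdin and print each distinct
# block exactly once. Anything outside BEGIN/END lines (keychain chatter,
# "Bag Attributes", blank lines) is dropped. Pure awk, so it runs anywhere.
pem_dedupe() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /^-----END CERTIFICATE-----$/ {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }'
}

# export_bundle: dump every certificate from both keychains into $BUNDLE.
# Certificates a user added only to ~/Library/Keychains/login.keychain are
# deliberately not consulted, mirroring the behaviour described above.
export_bundle() {
    {
        security find-certificate -a -p "$SYSTEM_ROOTS"
        security find-certificate -a -p "$SYSTEM_KEYCHAIN"
    } | pem_dedupe > "$BUNDLE"
}

# count_certs FILE: number of certificates in a PEM bundle (0 on empty file).
count_certs() {
    grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

# has_ca FILE PATTERN: succeed if some certificate in FILE has PATTERN in its
# subject. Uses the crl2pkcs7/pkcs7 idiom to print one subject per cert.
has_ca() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep -q -- "$2"
}

# verify_chain BUNDLE CERTFILE: what an OpenSSL-built curl effectively does
# when it trusts BUNDLE; useful to confirm the export before switching to it.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Driver: only meaningful on a host that has the security(1) tool.
if command -v security >/dev/null 2>&1; then
    export_bundle
    echo "exported $(count_certs "$BUNDLE") certificates to $BUNDLE"
    CA_NAME=${CA_NAME:-"Example Corp Internal CA"}   # assumed subject text
    if has_ca "$BUNDLE" "$CA_NAME"; then
        echo "custom CA '$CA_NAME' is present"
    else
        echo "custom CA '$CA_NAME' is missing: add it to the System keychain," \
             "not the login keychain, or certsync will not see it"
    fi
fi
```

The driver is a no-op on hosts without security(1), so the pure-text helpers can be exercised anywhere; on OS X the missing-CA message is the symptom to expect when a certificate was imported into the login keychain instead of the System keychain.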



More information about the macports-dev mailing list