[MacPorts] #56404: curl: Inconsistent ca-bundle options among variants
MacPorts
noreply at macports.org
Wed May 2 23:21:50 UTC 2018
#56404: curl: Inconsistent ca-bundle options among variants
----------------------+------------------------
  Reporter:  eabalea  |      Owner:  ryandesign
      Type:  defect   |     Status:  assigned
  Priority:  Normal   |  Milestone:
 Component:  ports    |    Version:
Resolution:           |   Keywords:
      Port:  curl     |
----------------------+------------------------

Comment (by eabalea):

Relying on the system ca-bundle (which is /etc/ssl/cert.pem here) is a bad
idea. Some of the certificates are 1024-bit ones (distrusted by any
serious root program), and that's why the MacPorts version of curl comes with
its own curl-ca-bundle.crt file extracted from Mozilla. Setting all
variants to the same trust anchors is the bare minimum to do.

Since gnutls and wolfssl are already able to read the system ca-bundle
file, I guess they're also able to read the MacPorts curl-ca-bundle one.

For the darwinssl variant, leaving the ca-bundle option set makes curl
ignore all Keychain trust settings, which is weird.

I've posted an issue on curl's GitHub repo regarding the loading of the
CURL_CA_BUNDLE file when darwinssl is enabled. If they move and disable
the ca-bundle when darwinssl is enabled, there's nothing more to do here.

--
Ticket URL: <https://trac.macports.org/ticket/56404#comment:5>
MacPorts <https://www.macports.org/>
Ports system for macOS