[MacPorts] #56404: curl: Inconsistent ca-bundle options among variants

MacPorts noreply at macports.org
Wed May 2 23:21:50 UTC 2018


#56404: curl: Inconsistent ca-bundle options among variants
----------------------+------------------------
  Reporter:  eabalea  |      Owner:  ryandesign
      Type:  defect   |     Status:  assigned
  Priority:  Normal   |  Milestone:
 Component:  ports    |    Version:
Resolution:           |   Keywords:
      Port:  curl     |
----------------------+------------------------

Comment (by eabalea):

 Relying on the system ca-bundle (which is /etc/ssl/cert.pem here) is a bad
 idea. Some of the certificates are 1024-bit ones (distrusted by any
 serious root program), and that's why the MacPorts version of curl comes with
 its own curl-ca-bundle.crt file extracted from Mozilla. Setting all
 variants to the same trust anchors is the bare minimum to do.

 Since gnutls and wolfssl are already able to read the system ca-bundle
 file, I guess they're also able to read the MacPorts curl-ca-bundle one.

 For the darwinssl variant, leaving the ca-bundle option set makes curl
 ignore all Keychain trust settings, which is weird.

 I've posted an issue on curl's GitHub repo regarding the load of
 CURL_CA_BUNDLE file when darwinssl is enabled. If they move and disable
 the ca-bundle when darwinssl is enabled, there's nothing more to do here.

-- 
Ticket URL: <https://trac.macports.org/ticket/56404#comment:5>
MacPorts <https://www.macports.org/>
Ports system for macOS
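
The comment's claim about 1024-bit roots in the system bundle can be checked per bundle file. The following is an added example, not part of the ticket or of MacPorts or curl: a dependency-free audit that lists RSA certificates below a minimum key size in a PEM bundle. The function names and the 2048-bit default threshold are assumptions of this example.

```python
import base64, re, sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def tlv(buf, pos):
    """Read the DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, content_start, content_end) for each element in [start, end)."""
    while start < end:
        tag, s, e = tlv(buf, start)
        yield tag, s, e
        start = e

def rsa_bits(der):
    """RSA modulus size in bits for one DER certificate, or None if the key is not RSA."""
    _, s, e = tlv(der, 0)                             # Certificate
    _, s, e = next(children(der, s, e))               # tbsCertificate
    fields = list(children(der, s, e))
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    _, s, e = fields[5]                               # subjectPublicKeyInfo
    (_, a_s, a_e), (_, k_s, _) = children(der, s, e)  # AlgorithmIdentifier, BIT STRING
    _, o_s, o_e = next(children(der, a_s, a_e))       # algorithm OID
    if der[o_s:o_e] != RSA_OID:
        return None
    _, s, e = tlv(der, k_s + 1)                       # RSAPublicKey, after unused-bits byte
    _, m_s, m_e = next(children(der, s, e))           # modulus INTEGER
    return int.from_bytes(der[m_s:m_e], "big").bit_length()

def weak_rsa(bundle, min_bits=2048):
    """Return [(index, bits)] for RSA certificates below min_bits (assumed threshold)."""
    found = []
    for i, m in enumerate(PEM_RE.finditer(bundle)):
        bits = rsa_bits(base64.b64decode(m.group(1)))
        if bits is not None and bits < min_bits:
            found.append((i, bits))
    return found

if __name__ == "__main__":
    # Default is the system bundle path quoted in the comment; pass another path to compare.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/cert.pem"
    with open(path, "rb") as fh:
        for index, bits in weak_rsa(fh.read()):
            print(f"{path}: certificate #{index} has a {bits}-bit RSA key")
```

Running it once against the system bundle and once against curl-ca-bundle.crt shows whether the two trust stores differ in the way the comment describes.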

