Hacker News new | ask | show | jobs
by sre2 839 days ago
Curl has the ability to use the OS certificate store. There is also the option (at invocation) to not use any other certificate stores than the one provided by the user (at invocation). The version which is shipped by Apple does ignore this which introduces a backdoor.
1 comments
threeseed 839 days ago
That behaviour is also a curl configuration option i.e. with-ca-fallback.

Curl definitely should be updating man pages if it is falling back to OpenSSL CAs when --cacert is specified.

Homebrew Curl on Mac also sets this flag:

https://github.com/Homebrew/homebrew-core/blob/9cccce7a6dff7...

link
Retr0id 839 days ago
curl (proper) doesn't do that, nor is it supposed to, that's the point
link
threeseed 839 days ago
This behaviour is part of curl (proper) and is set via compile time flags.

And at least according to curl's code is set by default when it is built against OpenSSL:

https://github.com/curl/curl/blob/1ccf1cd9936dfa382fe1f061b6...

link
Retr0id 839 days ago
It's not set by default. (and even when it is set, does it modify the behaviour of the --cacert option?)
link
b112 839 days ago
You mean Apple, who modified the code to work in this broken way.
link