
Conversation


@icing icing commented Sep 24, 2025

  • configure/cmake support for enabling the option
  • supported in OpenSSL and GnuTLS backends
  • when configured, Apple SecTrust is the default trust store for peer verification. When one of the CURLOPT_* for adding certificates is used, that default does not apply.
  • add documentation of build options and SSL use

@github-actions github-actions bot added cmdline tool tests CI Continuous Integration labels Sep 24, 2025
@icing icing added TLS appleOS specific to an Apple operating system and removed cmdline tool tests CI Continuous Integration labels Sep 24, 2025
@github-actions github-actions bot added cmdline tool tests CI Continuous Integration labels Sep 24, 2025
@icing icing requested review from bagder, jay and vszakats September 24, 2025 09:54

icing commented Sep 24, 2025

This is my suggestion on how to add this feature. We could maybe extend this to mbedTLS and wolfSSL, but I was not sure it is worth it. OpenSSL(-like)+GnuTLS should be enough for the start.

The specific behaviour I designed for is:

# uses Apple SecTrust
> curl https://example.com

# uses *only* certs from file.pem
> curl --cacert file.pem https://example.com

# uses *both* certs from file.pem and SecTrust
> curl --ca-native --cacert file.pem https://example.com

This would also happen for a libcurl application. SecTrust would only be used when the application does not configure any ca file/path/blob. What is currently not possible is:

# still uses Apple SecTrust
> curl --no-ca-native https://example.com

because I could not think of a way to decide if CURLOPT_SSL_OPTIONS flags did just omit CURLSSLOPT_NATIVE_CA because it did not matter before or if it was intentionally left out.
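An added illustration of the selection rule described in the PR description and in the comment above, together with the CURL_CA_BUNDLE remark made later in the thread. This is my own model for the page, not curl's implementation: the struct, function names and the `--no-ca-native` handling are assumptions made for the example (the command-line handling mirrors what jay describes, clearing a bit that may never have been set), and the bit value is a local copy, not included from `<curl/curl.h>`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local copy of the CURLOPT_SSL_OPTIONS bit for native CA use. Added for
 * this illustration, not taken from <curl/curl.h>; the value is what I
 * recall curl.h defining for CURLSSLOPT_NATIVE_CA. */
#define SSLOPT_NATIVE_CA (1L << 4)

/* Which trust anchors end up being used for peer verification. */
#define TRUST_SECTRUST 1u   /* Apple SecTrust (system keychain) */
#define TRUST_EXPLICIT 2u   /* certs from CURLOPT_CAINFO/CAPATH/CAINFO_BLOB */

/* The CA-related settings an application (or the curl tool on its behalf)
 * hands to libcurl. NULL/0 means "option not set". Hypothetical struct. */
struct ca_config {
  const char *cainfo;      /* CURLOPT_CAINFO: --cacert, or CURL_CA_BUNDLE env */
  const char *capath;      /* CURLOPT_CAPATH: --capath */
  const void *cainfo_blob; /* CURLOPT_CAINFO_BLOB (in-memory PEM) */
  long ssl_options;        /* CURLOPT_SSL_OPTIONS bitmask */
};

/* Model of the rule from the PR: with SecTrust built in it is the default
 * trust store; once any explicit CA option is set that default no longer
 * applies unless CURLSSLOPT_NATIVE_CA is also set. The flag alone cannot
 * express "do NOT use SecTrust": a cleared bit is indistinguishable from a
 * bit that was never set, which is the --no-ca-native case. */
unsigned select_trust_sources(const struct ca_config *c, bool sectrust_built_in)
{
  bool explicit_ca = c->cainfo || c->capath || c->cainfo_blob;
  unsigned used = 0;

  if (explicit_ca)
    used |= TRUST_EXPLICIT;
  if (sectrust_built_in && (!explicit_ca || (c->ssl_options & SSLOPT_NATIVE_CA)))
    used |= TRUST_SECTRUST;
  return used;
}

/* Map a (constructed) curl command line plus an optional CURL_CA_BUNDLE
 * value onto a ca_config, the way the tool feeds its options to libcurl.
 * Only the options relevant here are understood. */
struct ca_config config_from_argv(int argc, const char *const argv[],
                                  const char *env_ca_bundle)
{
  struct ca_config c = {0};
  int i;

  c.cainfo = env_ca_bundle;   /* the env var counts as an explicit bundle */
  for (i = 1; i < argc; i++) {
    if (!strcmp(argv[i], "--cacert") && i + 1 < argc)
      c.cainfo = argv[++i];
    else if (!strcmp(argv[i], "--capath") && i + 1 < argc)
      c.capath = argv[++i];
    else if (!strcmp(argv[i], "--ca-native"))
      c.ssl_options |= SSLOPT_NATIVE_CA;
    else if (!strcmp(argv[i], "--no-ca-native"))
      c.ssl_options &= ~SSLOPT_NATIVE_CA;   /* only clears the bit */
  }
  return c;
}

/* Evaluate one command line against a SecTrust-enabled build. */
unsigned trust_for_cmdline(int argc, const char *const argv[],
                           const char *env_ca_bundle)
{
  struct ca_config c = config_from_argv(argc, argv, env_ca_bundle);
  return select_trust_sources(&c, true);
}

int main(void)
{
  /* Constructed command lines matching the cases listed in the PR. */
  const char *plain[] = {"curl", "https://example.com"};
  const char *cacert[] = {"curl", "--cacert", "file.pem", "https://example.com"};
  const char *both[] = {"curl", "--ca-native", "--cacert", "file.pem",
                        "https://example.com"};
  const char *noflag[] = {"curl", "--no-ca-native", "https://example.com"};
  const char *bundle = "/opt/homebrew/etc/ca-certificates/cert.pem";

  printf("plain:          %u\n", trust_for_cmdline(2, plain, NULL));
  printf("--cacert:       %u\n", trust_for_cmdline(4, cacert, NULL));
  printf("both:           %u\n", trust_for_cmdline(5, both, NULL));
  printf("--no-ca-native: %u\n", trust_for_cmdline(3, noflag, NULL));
  printf("CURL_CA_BUNDLE: %u\n", trust_for_cmdline(2, plain, bundle));
  return 0;
}
```

The `plain` and `noflag` cases return the same value, which is exactly the limitation discussed above: nothing in the option set records that the caller wanted SecTrust off. The CURL_CA_BUNDLE case behaves like `--cacert`, so a build that sets that variable (as in the later DoH test in this thread) will verify against the bundle only unless `--ca-native` is added.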


jay commented Sep 24, 2025

> # still uses Apple SecTrust
> > curl --no-ca-native https://example.com
>
> because I could not think of a way to decide if CURLOPT_SSL_OPTIONS flags did just omit CURLSSLOPT_NATIVE_CA because it did not matter before or if it was intentionally left out.

That's right, it only disables the option, which disables passing the flag.


jay commented Sep 24, 2025

I don't know enough Apple to formally review this so I'm going to have to punt. I did take a look at it and left some comments though.

@icing icing force-pushed the apple-sectrust branch 2 times, most recently from 3efe2dc to ab78e43 on September 26, 2025 08:36

bagder commented Oct 2, 2025

Hm, this gets some new CI failures we need to check first

icing added 4 commits October 3, 2025 09:26
- configure/cmake support for enabling the option
- supported in OpenSSL and GnuTLS backends
- when configured, Apple SecTrust is the default trust store
  for peer verification. When one of the CURLOPT_* for adding
  certificates is used, that default does not apply.
- add documentation of build options and SSL use
icing added 2 commits October 3, 2025 09:26
- re-add backend Schannel check to not apply default BUNDLE/PATH
- fix wording/formatting in SSLCERTS.md
- clarify fallback option in INSTALL.md
@icing icing requested a review from bagder October 3, 2025 08:06

@vszakats vszakats left a comment


One minor, likely unrelated, log issue I noticed while testing, is that --doh-url seems to suppress the SSL Trust Anchors: info.

Using the -DUSE_APPLE_SECTRUST=ON dev build curl-macos-universal-clang from https://github.com/curl/curl-for-win/actions/runs/18216661900

$ CURL_CA_BUNDLE=/opt/homebrew/etc/ca-certificates/cert.pem ./curl -q --doh-url https://zero.dns0.eu/ -v https://curl.se/ --out-null

it only says "SSL certificate verified via OpenSSL."

With --doh-url <url> removed, "SSL Trust Anchors:" appears as expected.


icing commented Oct 3, 2025

Good catch, @vszakats. I need to inspect the DoH code on how it tries to set ca-bundle/-path/native from the initiating transfer.

Update: but when you explicitly specify a CA bundle, as a command line option or via env var, the native CA is turned off. You need to add --ca-native to include it.

@bagder bagder closed this in eefd03c Oct 3, 2025
nono303 pushed a commit to nono303/win-build-scripts that referenced this pull request Oct 22, 2025
vszakats added a commit that referenced this pull request Nov 6, 2025
Syncing behavior with `CURL_CA_BUNDLE` and autotools.

`/etc/ssl/certs` is empty by default on macOS systems, thus auto-detection is
not likely to find anything there.

Follow-up to eefd03c #18703

Closes #19380
vszakats added a commit to vszakats/curl that referenced this pull request Nov 27, 2025
vszakats added a commit that referenced this pull request Nov 27, 2025