The Apple curl security incident 12604

When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server!

This is a security problem because now suddenly certificate checks pass that should not pass.

Daniel Stenberg

Absolutely wild that Apple does not consider this a security issue.

4 Comments

  1. 2024-03-11 2:43 am
  2. 2024-03-11 3:49 am
    • 2024-03-11 5:24 pm
  3. 2024-03-11 3:59 am