When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and check the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server!
This is a security problem because now suddenly certificate checks pass that should not pass.
Daniel Stenberg
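A quick way to test the behaviour quoted above on whatever curl is installed locally, written as an added example for this thread (it is not code from the quoted post, from curl's test suite, or from Apple): generate a throwaway CA that no real server chains to, hand only that CA to `--cacert`, and look at curl's exit code. A curl that honours `--cacert` strictly must fail with exit code 60 (`CURLE_PEER_FAILED_VERIFICATION`); a success means the request was verified against some other trust store. The function and file names are this example's own, `openssl` and `curl` are assumed to be on the path, and the live check needs network access to the host you pass in.

```shell
#!/bin/sh
# Added example: probe whether the local curl honours --cacert strictly.
# A CA file that cannot possibly verify the target must make the TLS
# handshake fail. If the request succeeds anyway, curl silently fell
# back to another trust store, which is the behaviour described above.

# Map curl's exit code to a verdict.
# 60 is CURLE_PEER_FAILED_VERIFICATION: the peer certificate could not
# be verified with the CA(s) curl was told to use.
classify_exit() {
  case "$1" in
    60) echo "strict" ;;        # --cacert was honoured, verification failed as it should
    0)  echo "fallback" ;;      # succeeded although the CA file cannot verify the server
    *)  echo "inconclusive" ;;  # network or other error, not a verification result
  esac
}

# Create a fresh self-signed CA that no public server chains to.
# Assumption: openssl is available; the key is thrown away after the run.
make_unrelated_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Fetch https://<host>/ trusting only the unrelated CA and report the verdict.
# Assumption: the host is reachable; this is the only step that needs network.
run_check() {
  host="$1"
  dir=$(mktemp -d)
  if ! make_unrelated_ca "$dir"; then
    echo "could not generate the test CA" >&2
    rm -rf "$dir"
    return 2
  fi
  echo "curl build: $(curl -V | head -n 1)"
  curl --silent --show-error --output /dev/null \
       --cacert "$dir/ca.pem" "https://$host/" 2>"$dir/err"
  rc=$?
  verdict=$(classify_exit "$rc")
  echo "exit code $rc -> $verdict"
  if [ "$rc" -ne 0 ]; then
    sed 's/^/  curl: /' "$dir/err"
  fi
  rm -rf "$dir"
  return "$rc"
}

# Usage: sh check_cacert.sh example.com
if [ -n "${1:-}" ]; then
  run_check "$1"
fi
```

On a curl that uses only the supplied CA file the output ends in `strict` and the error line names the unverifiable peer certificate; on a build that consults the system store as well, the same command prints `fallback` with exit code 0, which is exactly the surprise the quoted post is about. Anything else (DNS failure, timeout, a proxy in the way) is reported as `inconclusive` rather than being mistaken for a verdict either way.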
Absolutely wild that Apple does not consider this a security issue.
I understand the author's concerns, I do not understand at all Apple's response. Of course I have to assume what we read in the article as Apple's response is valid, but I suppose based on the discussed concerns it might not be a valid response.
So do I now have to assume Apple is an insecure platform and Apple as an untrusted source?
cpcf,
I wouldn’t necessarily attribute Apple’s LibreSSL changes to malicious intent without clear evidence of that. Assuming the info is correct, the bug report does make it seem they created a bug that ought to be fixed even if Apple intended to change the certificate store.
https://github.com/curl/curl/issues/12604
This is concerning because 1) it’s a legit bug, but also 2) it could be used nefariously by Apple and by extension government agencies that order Apple to comply with wiretapping requests. At the very least the onus is on Apple to document the changes. It might be better to provide a run time warning. The failure to disclose this violates user trust IMHO. The binaries allegedly don’t match the source; if true, this is bad since it means the code can’t be audited.
I could chalk all of this up to an innocent mistake or oversight. But with their response they can no longer claim ignorance; any failure to document their changes now becomes intentional.
@Alfman
Then, if true, this is a clear difference between what Apple does versus what Apple says. That’s a loss of confidence for me, and for some it will be a loss of trust. Your final sentence is telling.
I’m not positive, but this could be related to these Apple changes to OpenSSL (before it was forked to LibreSSL).
https://hynek.me/articles/apple-openssl-verification-surprises/
https://nvd.nist.gov/vuln/detail/CVE-2014-2234