Changes between Initial Version and Version 1 of Ticket #46539, comment 6


Ignore:
Timestamp:
Jan 13, 2015, 8:27:47 AM (9 years ago)
Author:
ned-deily (Ned Deily)
Comment:

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #46539, comment 6

    initial v1  
    11"AFAICT, the system root CAs are fine, since I can access GitHub from the old versions of Safari and Firefox on 10.5 just fine"
    22
    3 FWIW, on 10.5 (and earlier), the system OpenSSL and curl do not use the same source for root CAs as either Safari or Firefox.  By default, curl looks for a certificate bundle file at /usr/share/curl/curl-ca-bundle.crt, which you can manually update but, as noted above, that still won't help for newer SHA256 certs. The system OpenSSL looks for root CAs in /System/Library/OpenSSL.  Starting in 10.6, if no root CA match is found in /System/Library/OpenSSL, the system OpenSSL will consult the system trust store of certificates via TEA (see https://hynek.me/articles/apple-openssl-verification-surprises/ for details).
     3FWIW, on 10.5 (and earlier), the system OpenSSL and curl do not use the same source for root CAs as either Safari or Firefox.  By default, the system curl looks for a certificate bundle file at /usr/share/curl/curl-ca-bundle.crt, which you can manually update but, as noted above, that still won't help for newer SHA256 certs. The system OpenSSL looks for root CAs in /System/Library/OpenSSL.  Starting in 10.6, if no root CA match is found in /System/Library/OpenSSL, the system OpenSSL will consult the system trust store of certificates via TEA (see https://hynek.me/articles/apple-openssl-verification-surprises/ for details).