Curl behaves differently on macOS than documented. Apple thinks it's ok

tldr: Apple thinks everything is fine. I do not.

On December 28, 2023, bug report 12604 was submitted to the Curl bug tracker. We receive many such reports every day, so this fact in itself was hardly unusual. We read reports, investigate, and ask follow-up questions to see what we can learn and what we need to pay attention to.

The title of the problem in this case was quite clear: "--cacert flag behavior is incompatible between macOS and Linux", and it was filed by Yuedong Wu.

A friendly reporter showed that the version of Curl that ships with macOS behaves differently than Curl binaries built entirely from open source, even when running the same version of Curl on the same macOS computer.

The Curl command line option --cacert lets the user tell Curl to use exactly this set of trusted CA certificates. If the TLS server cannot provide a certificate that can be verified using this set, the transfer should fail and return an error.

This behavior and functionality has been in Curl for many years (the option was added in December 2000) and, of course, it is intended to ensure that users know they are interacting with a known and trusted server. A pretty fundamental part of what TLS actually does.

When this command line option is used with the Curl that Apple ships on macOS, the binary apparently falls back to checking the system CA store if verification against the supplied set of CA certificates fails. That secondary check was not asked for, is not documented and, frankly, comes as a complete surprise. So when a user runs a check with Curl and a trimmed, deliberately chosen CA certificate file, the transfer will not fail if the system CA store contains a certificate that can verify the server!
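The behaviour described above can be checked on any machine. The following harness is an added example, not code from the original post or from the Curl project. It generates throwaway CAs with openssl and exercises whichever curl binary is on PATH in two ways. local_contract_check starts a local TLS server whose certificate is signed by one throwaway CA and confirms that curl succeeds with that CA as --cacert and fails (exit code 60, "peer certificate cannot be authenticated") with an unrelated CA. That part only demonstrates the documented contract: a curl that falls back to the system store would also fail here, because the throwaway CA is not in the system store either. probe_system_fallback is the check that actually reveals the fallback: it points curl, armed with a fresh CA that has signed nothing, at a URL of your choosing whose certificate the system trust store already accepts; a successful transfer means --cacert was not honoured. The port (CACERT_TEST_PORT), the file names and the need for openssl and curl on PATH are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: does the curl on PATH honour
# --cacert as documented?
#
# local_contract_check: local TLS server signed by a throwaway CA; curl must
#   succeed with that CA as --cacert (exit 0) and fail with an unrelated
#   throwaway CA (exit 60, peer certificate cannot be authenticated).
# probe_system_fallback URL: URL must be a server the *system* trust store
#   already accepts. curl gets a fresh CA that signed nothing; if the transfer
#   still succeeds, the binary silently fell back to the system store.
#
# Assumes openssl and curl on PATH and a free local port (CACERT_TEST_PORT).
# All certificates are generated on the fly and removed on exit.
set -u

WORK=$(mktemp -d)
PORT=${CACERT_TEST_PORT:-8443}
trap 'kill "${SERVER_PID:-}" 2>/dev/null; rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the CA certificates carry CA:TRUE on every version.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# new_ca NAME: self-signed CA certificate and key in $WORK/NAME.pem / NAME.key.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_server_cert CA: leaf certificate for localhost signed by the named CA.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=localhost" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nbasicConstraints=CA:FALSE\n' > "$WORK/srv.ext"
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" >/dev/null 2>&1
}

# start_server: run openssl s_server in the background and wait until it answers a GET.
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" \
    -www -quiet >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0
  while [ "$i" -lt 15 ]; do
    if curl -s --cacert "$WORK/good-ca.pem" -o /dev/null "https://localhost:$PORT/"; then
      return 0
    fi
    i=$((i + 1)); sleep 1
  done
  return 1
}

# curl_with_bundle BUNDLE URL: curl with exactly this CA bundle; exit code is curl's.
curl_with_bundle() {
  curl -sS --cacert "$1" -o /dev/null "$2"
}

# Prints both exit codes; succeeds only if curl follows the documented contract.
local_contract_check() {
  new_ca good-ca && new_ca unrelated-ca && issue_server_cert good-ca && start_server || return 2
  good=0; curl_with_bundle "$WORK/good-ca.pem" "https://localhost:$PORT/" 2>/dev/null || good=$?
  bad=0;  curl_with_bundle "$WORK/unrelated-ca.pem" "https://localhost:$PORT/" 2>/dev/null || bad=$?
  echo "signing CA as --cacert: exit $good; unrelated CA as --cacert: exit $bad"
  [ "$good" -eq 0 ] && [ "$bad" -eq 60 ]
}

# Returns 0 if --cacert was honoured for URL, 1 if the system store was used instead.
probe_system_fallback() {
  new_ca probe-ca || return 2
  if curl_with_bundle "$WORK/probe-ca.pem" "$1" 2>/dev/null; then
    echo "FALLBACK: $1 verified with a CA that signed nothing; --cacert was not honoured"
    return 1
  fi
  echo "OK: --cacert honoured for $1"
}

# Usage: sh cacert-check.sh --run [https://host-the-system-trusts/]
if [ "${1:-}" = "--run" ]; then
  local_contract_check
  [ -n "${2:-}" ] && probe_system_fallback "$2"
fi
```

Run it with `--run` and a URL whose certificate your system already trusts: a curl built from source should print an "OK" line for that URL, while a build with the fallback described in this post prints "FALLBACK" even though the CA handed to --cacert never signed anything.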

This is a security issue, because now certificate verifications suddenly succeed that should fail.

I reported this as a security issue in an email sent to Apple Product Security on December 29, 2023, 08:30 UTC. It's not a serious problem, but it is a problem.

Apple says everything is fine

On March 8, 2024, Apple Product Security responded as follows:

Hi,

Thank you again for reporting this to us and for giving us time to investigate.

Apple's version of OpenSSL (LibreSSL) intentionally uses the built-in system trust store as the default source of trust. Since the server certificate can be successfully verified using the built-in system trust store, we do not consider this something that needs to be addressed on our platforms.

Best regards,
Keep calm
Apple Security Team

Case closed.

I disagree

Obviously I think differently. This undocumented function makes CA certificate verification with Curl on macOS completely unreliable and inconsistent with the documentation. It deceives users.

Stay up to date.

Because this is not a security vulnerability in the version of Curl we ship, we have not issued a CVE or anything else to address this issue. Strictly speaking, the problem is not even in the Curl code. Curl [on macOS] is built with the version of LibreSSL that Apple supplies, and it is Apple that builds Curl [with that library] for use on its platforms.
