Opened 3 years ago

Last modified 2 weeks ago

#6372 enhancement new

Support native OS X trusted CA database for SSL certificate validation

Reported by: itamar
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc:
Branch:
Author:
Launchpad Bug:


This was originally part of #5446, where Glyph wrote:

On OS X, and again, I haven't done this, I believe you just have to call SSLCopyTrustedRoots to get the default trusted SSL CA certificates and then SecCertificateCopyData on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).

Change History (2)

comment:1 Changed 21 months ago by Alex

Here's some code from Go which appears to do this:

-- based on calling some APIs inside the Security Framework
-- based on invoking some CLI program which prints out a bunch of PEM-encoded certificates

comment:2 Changed 2 weeks ago by glyph

The former (calling APIs inside Security Framework) is the right way to go, as it respects the user's current trust settings. The latter just grabs the bundle that was shipped with the OS, irrespective of whether the user has explicitly de-trusted some of those.
