in reply to daniel:// stenberg://

If making a tool work everywhere is not already hard enough, some vendors decide to actively work against us and sneakily add backdoor functionality so that curl does not work the same way on their platforms. So now our documentation is wrong. But only if you use the curl bundled by Apple with macOS. If you get curl with Homebrew on the same machine, it will act as documented.
in reply to daniel:// stenberg://

this is the sort of thing that causes open source projects to get restrictive about trademarks...
in reply to daniel:// stenberg://

Always annoying when vendors prevent you doing an apples to apples comparison.
in reply to daniel:// stenberg://

Isn’t this the same thing with git? And Python? Rule of thumb is to never use the garbo that Apple ships with its OS directly.
in reply to Fingel

@Fingel I wouldn't know, I don't use macOS myself any more than I have to...
in reply to daniel:// stenberg://

Good to know! I generally build and install curl under #MacPorts with the gnutls variant. However, there is no variant that builds against Apple's flavor of LibreSSL. The default build may use the MacPorts version of LibreSSL, if installed in place of OpenSSL.
in reply to daniel:// stenberg://

Daniel, I respect and admire you for your considerate and respectful behavior, but would it be appropriate to point out the potential of unintended #mitm interception more clearly in this case?
I mean, the title could also have been "apple does not want you to notice when you are being wiretapped", or am I missing any other precaution they took for this not to happen?

Also, I find it shocking that I don't find this shocking any more… 🤯

#mitm
in reply to Nils Goroll 🕊️

@slink it is not in my interests to be alarmist. I believe I describe the problems in the blog post.
in reply to daniel:// stenberg://

Minor clarification nitpick: It's not unreliable with "curl on an apple OS", it's unreliable with "apple's build of curl".
in reply to daniel:// stenberg://

holy crap, that’s a huge difference. Sometimes you use that flag for highly sensitive communication with mTLS.
in reply to daniel:// stenberg://

But did Apple also change the curl manpage to reflect their changes? If so there's no discrepancy between documentation and implementation.
in reply to daniel:// stenberg://

they should just put that “extended behavior” behind a new command line flag/environment variable.
in reply to daniel:// stenberg://

Do you happen to know if the fallback check is enforcing certificate transparency?
in reply to Maximilian Hils

@max I don't think anyone knows details about the check, since the LibreSSL source code they use doesn't seem to be provided anywhere and Apple's brief comment about it did not say a lot.