Is My Bug Report Related to "goto fail" Vulnerability?

Apple recently suffered an embarrassing security vulnerability known as the "goto fail" bug when an SSL certificate check was done wrong.

This reminded me of a bug report I filed earlier about some changes Apple made to SSL that broke my Free Audit Aggregation System (FAAS), and I have to wonder if somewhere the problem I was having and this "goto fail" bug intersected at some point. At a minimum, it shows Apple was breaking people's crypto code (e.g., curl command line program and php), which would have made it harder to spot the original source of the problem.

Speaking for myself, when something that, according to documentation, should work but doesn't, I start trying lots of things hoping to find something that does work. We call these "work arounds". Perhaps the extra "goto fail" line in Apple's code was a work around to make something else pass a test?

Below is my bug report that I posted on 25 June 2013 followed by an update added later that same day:

Original bug report 25-June-2013 11:56 AM


When using curl (either the command-line tool or embedded in a PHP script) to connect to a web server over HTTPS that uses a self-signed certificate, passing the certificate to curl doesn't help. The connection fails.

Steps to Reproduce:

(1) Create a web server that uses a self-signed certificate. I'm using Mountain Lion with the Server App.

(2) Get a local copy of server's certificate. I use

$ echo -n | openssl s_client -connect | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt

(3) Use that certificate to connect the the server web server over HTTPS via curl

$ curl --cacert server.crt

Expected Results:

The HTML for the page.

Actual Results:

curl: (60) SSL certificate problem: Invalid certificate chain


This works properly on Lion and Mountain Lion, but it fails on 10.9 DP1 and DP2


The workaround is to turn off checking of the server's certificate. For the curl command line, this is the -k option

$ curl -k https://your-secure-server/

For curl embedded in PHP use the following line

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,false);

Update 25-June-2013 01:31 PM

I added the certificate to my keychain, and now I can use curl (both command line and inside PHP).

You might want to add a developer note that -k for the curl command, and

    curl_setopt($ch, CURLOPT_CAINFO, $certificate_file);

inside PHP is essentially a no-op for OS X 10.9 and the certificates should be added to the keychain.