Are you having trouble with SSL on El Capitan (OS X 10.11)?
Here are the things I know about it right now:
- OS X’s OpenSSL is ancient (0.9.8-ish).
- SecureTransport (OS X’s replacement for OpenSSL) may fall back to using OpenSSL if the environment variable
- Lots of places are “cross-signing” their intermediate certs to upgrade from SHA-1 to SHA-2 for security reasons.
- OS X’s OpenSSL cannot handle the intermediate cross-signing and reports that it cannot verify certificates. SecureTransport handles this just fine.
- Homebrew applications usually don’t support SecureTransport and instead use Homebrew’s OpenSSL.
- /usr/bin/curl uses SecureTransport directly, unless you set
Normally, the above is just fine assuming you don’t set the
However, if you work for a company that uses internal certificates then life begins to suck.
You usually want to set SSL_CERT_FILE so you can tell OpenSSL about the custom certificates but this
curl and anything else that uses SecureTransport. Like
I think the work-around is to not use SSL_CERT_FILE and instead to update all the cert.pem files the various OpenSSL versions use:
- /usr/local/etc/libressl/cert.pem — Homebrew’d LibreSSL
- /usr/local/etc/openssl/cert.pem — Homebrew’d OpenSSL
- /opt/chefdk/embedded/ssl/cert.pem — ChefDK’s OpenSSL (installed via BrewCask)
- /opt/vagrant/embedded/cacert.pem — Vagrant’s OpenSSL (installed via BrewCask)
This is frustrating.
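
One way to script the work-around above, as an added example that is not from the original post: it appends an internal CA to each bundle in the list, skips bundles that already contain it, and keeps a one-time .orig copy to roll back to. The function names and the CA file passed as the first argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): put an internal CA into each
# OpenSSL-style bundle instead of exporting SSL_CERT_FILE.

# Bundle paths taken from the list in the post.
BUNDLES="/usr/local/etc/libressl/cert.pem
/usr/local/etc/openssl/cert.pem
/opt/chefdk/embedded/ssl/cert.pem
/opt/vagrant/embedded/cacert.pem"

# Flatten a PEM file to one line so a certificate matches however it is wrapped.
flatten() { tr -d ' \r\n' < "$1"; }

# add_ca CA_PEM BUNDLE (hypothetical helper)
# returns 0 = appended, 1 = already present, 2 = missing file or not PEM
add_ca() {
    ca=$1
    bundle=$2
    [ -f "$ca" ] && [ -f "$bundle" ] || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || return 2
    # Idempotence: do nothing when the CA is already in the bundle.
    if flatten "$bundle" | grep -qF -- "$(flatten "$ca")"; then
        return 1
    fi
    # Keep the first pristine copy only, so repeated runs never overwrite it.
    [ -e "$bundle.orig" ] || cp -p "$bundle" "$bundle.orig" || return 2
    # Leading newline guards against a bundle that lacks a final newline.
    { printf '\n'; cat "$ca"; } >> "$bundle"
}

# add_ca_everywhere CA_PEM: apply add_ca to every bundle and report the result.
add_ca_everywhere() {
    for b in $BUNDLES; do
        rc=0
        add_ca "$1" "$b" || rc=$?
        case $rc in
            0) echo "added:   $b" ;;
            1) echo "present: $b" ;;
            *) echo "skipped: $b (not installed or unreadable)" ;;
        esac
    done
}

# Run only when a CA file is given on the command line.
if [ "$#" -gt 0 ]; then
    add_ca_everywhere "$1"
fi
```

Package upgrades can replace these bundle files, so the script is written to be safe to re-run afterwards.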