
Apple's macOS cURL Default CA Store Change Raises Security Concerns

Apple’s recent change to macOS’s cURL implementation, which forces the ‑‑cacert option to use the system trust store instead of a user‑supplied certificate bundle, has been criticised by cURL founder Daniel Stenberg as unreliable and potentially insecure, though Apple says the behaviour is intentional and not a bug.


Daniel Stenberg, the founder and lead developer of cURL, criticized Apple for changing the default handling of the --cacert option in macOS, a move that could introduce security risks.

The --cacert option lets the user point cURL at a CA certificate bundle of their choosing; if the server's certificate cannot be verified against that bundle, cURL aborts the transfer.

Added in December 2000, the option exists so that a client can restrict trust to exactly the CAs in the bundle it supplies. Apple's macOS build, however, ignores the user-provided bundle and validates against the system CA store instead.

As a result, a server whose certificate chains to a CA in the system store but not to the user-supplied bundle is accepted when the user expected it to be rejected, which is a potential security issue. The issue was first reported on 2023-12-28; Apple responded on 2024-03-08, stating that the bundled LibreSSL intentionally uses the system trust store and that this is not a bug to be fixed.

Stenberg disagrees, arguing that the change makes CA verification on macOS unreliable and contradicts documentation. No CVE has been issued for this matter.
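A practitioner who wants to know whether the curl on a given machine really honours --cacert can probe it locally instead of trusting the documentation. The script below is an added example, not code from the article or from the cURL project: it generates two throwaway self-signed certificates with the openssl command-line tool, serves HTTPS from one of them on 127.0.0.1 with Python's standard library, and runs curl against that server twice, once with a bundle containing exactly the server's certificate and once with an unrelated certificate. A conforming curl succeeds in the first run and fails with exit status 60 (peer verification failed) in the second. On a build that substitutes the system store for the user bundle, as the article says Apple's does, the first run would also fail, because a freshly generated self-signed certificate is in no system store. It assumes curl and openssl are on PATH and that openssl accepts the -addext option (OpenSSL 1.1.1 or later).

```python
import os
import shutil
import ssl
import subprocess
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Exit status curl reports when the peer certificate cannot be authenticated
# against the CA bundle in use (CURLE_PEER_FAILED_VERIFICATION).
CURL_PEER_FAILED_VERIFICATION = 60


def tools_available():
    """True when the curl and openssl command-line tools are on PATH."""
    return shutil.which("curl") is not None and shutil.which("openssl") is not None


def make_self_signed_cert(workdir, name):
    """Create a throwaway self-signed certificate valid for 127.0.0.1.

    Being self-signed, it serves both as the server certificate and as the
    one-entry CA bundle that a conforming curl needs in order to trust it.
    The names used here are constructed for the probe only.
    """
    key = os.path.join(workdir, f"{name}.key")
    crt = os.path.join(workdir, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={name}",
         "-addext", "subjectAltName=IP:127.0.0.1,DNS:localhost"],
        check=True, capture_output=True,
    )
    return key, crt


class _QuietHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the probe output clean
        pass


def start_tls_server(key, crt):
    """Serve HTTPS on an ephemeral 127.0.0.1 port; return (server, url)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    httpd = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"https://127.0.0.1:{httpd.server_address[1]}/"


def run_curl(url, cacert):
    """Fetch url with the given --cacert bundle and return curl's exit status."""
    proc = subprocess.run(
        ["curl", "--silent", "--show-error", "--max-time", "10",
         "--cacert", cacert, "--output", os.devnull, url],
        capture_output=True, text=True,
    )
    return proc.returncode


def check_cacert_honoured():
    """Probe whether the curl on PATH actually uses the --cacert bundle.

    Returns the exit status for a bundle that matches the server certificate,
    for one that does not, and a verdict derived from the two.
    """
    with tempfile.TemporaryDirectory() as workdir:
        srv_key, srv_crt = make_self_signed_cert(workdir, "probe-server")
        _, other_crt = make_self_signed_cert(workdir, "unrelated-ca")
        httpd, url = start_tls_server(srv_key, srv_crt)
        try:
            matching = run_curl(url, srv_crt)
            unrelated = run_curl(url, other_crt)
        finally:
            httpd.shutdown()
            httpd.server_close()
    return {
        "matching_bundle": matching,
        "unrelated_bundle": unrelated,
        # A conforming curl trusts only what --cacert names: success with the
        # matching bundle, verification failure (60) with the unrelated one.
        "honours_cacert": matching == 0 and unrelated == CURL_PEER_FAILED_VERIFICATION,
    }


if __name__ == "__main__":
    result = check_cacert_honoured()
    print(result)
    if not result["honours_cacert"]:
        print("this curl does not use the --cacert bundle as documented")
```

The second run is the control: every curl, conforming or not, must reject the unrelated bundle, so a non-zero status there only proves the probe itself is working. The verdict rests on the first run, where a build that ignores the supplied bundle has nothing in its trust store that matches the probe certificate.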

Tags: security, Apple, macOS, CA Certificates, curl, OpenSSL, TLS
Written by

Java Tech Enthusiast

Sharing computer programming language knowledge, focusing on Java fundamentals, data structures, related tools, Spring Cloud, IntelliJ IDEA... Book giveaways, red‑packet rewards and other perks await!
