10.9 and curl : a warning

franton
Valued Contributor III

So I've been trying to find out why our DMZ HTTPS DP isn't working anymore. Turns out it's entirely due to the version of curl present in 10.9. (curl is used by the jamf binary to get scripts and packages from HTTPS distribution points, it seems.)

I'll quote the relevant part of this link: http://curl.haxx.se/mail/archive-2013-10/0036.html

... In Mavericks, Apple changed from curl 7.24.0 to 7.30.0, and in the process, they switched the TLS/SSL engine used by their curl, from OpenSSL to their own Secure Transport engine. Apple's OpenSSL is still at version 0.9.8 and I doubt they will ever upgrade it, so this change improves curl's security. This is because the new engine supports TLS 1.1 and 1.2, and many new-ish cipher suites not supported by that old version of OpenSSL.

The problem I've noticed is that this has broken our basic authentication on the server unless I force the "-3" option. I've already flagged this to JAMF in a problem ticket. I'd be curious to hear if anyone else has encountered this.

1 ACCEPTED SOLUTION

franton
Valued Contributor III

So it turns out what I'm seeing is part of defect D-006253.



bentoms
Release Candidate Programs Tester

Hi @franton,

Ours seems ok with our internally signed SSL.

What errors are you seeing?

FWIW Our DMZ HTTPS DP is also locked down to username & password. (Not sure if that will make a difference).

franton
Valued Contributor III

curl error 35. It fails consistently on the SSL handshake.

So if I run

curl -v -u username:password https://ext-dp.org/Scripts/help.sh

I'll get the SSL handshake error. If I then run this

curl -v -u username:password -3 https://ext-dp.org/Scripts/help.sh

which forces SSLv3, it works.
