Comments (15)

tatsuhiro-t commented on May 5, 2024

I think you want an explanation of "[ERROR] Failed to load trusted CA certificates ...".
It means aria2 (actually the SSL library it is linked to) tried to load the system-wide CA certificates but failed (you can see the reason in the error line).
If you want to make the error disappear, specify a CA certificate file using the --ca-certificate option.
Alternatively, you can use --check-certificate=false, but it is insecure because it turns off certificate checks for HTTPS sites.

from aria2.
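
The --ca-certificate fix described in the comment above, as an added example that is not part of the thread or of aria2's code: a POSIX shell helper that takes candidate bundle paths from the caller, picks the first one containing balanced PEM certificate blocks, and fails closed instead of falling back to --check-certificate=false. The helper names `pick_ca_bundle` and `aria2_tls_opt` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not aria2 code).
# Structural check only: it confirms the file looks like a PEM bundle,
# it does not validate the certificates cryptographically.

# Print the first candidate that is a readable file with at least one
# certificate and matching BEGIN/END marker counts; return 1 if none.
pick_ca_bundle() {
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' -- "$f" || true)
        end=$(grep -c -e '-----END CERTIFICATE-----' -- "$f" || true)
        if [ "$begin" -gt 0 ] && [ "$begin" -eq "$end" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print the aria2c option for the chosen bundle. When nothing usable is
# found it reports the problem and returns 1; it never emits
# --check-certificate=false as a fallback.
aria2_tls_opt() {
    bundle=$(pick_ca_bundle "$@") || {
        echo "no usable CA bundle among: $*" >&2
        return 1
    }
    printf '%s%s\n' '--ca-certificate=' "$bundle"
}

# Demo on constructed files (placeholder PEM body, not a real certificate).
# Real use: opt=$(aria2_tls_opt /path/a /path/b) && aria2c "$opt" "$url"
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/bundle.pem"
: > "$demo_dir/empty.pem"
aria2_tls_opt "$demo_dir/missing.pem" "$demo_dir/empty.pem" "$demo_dir/bundle.pem"
rm -rf "$demo_dir"
```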

nimish commented on May 5, 2024

@tatsuhiro-t There doesn't seem to be a reasonable choice for --ca-certificate on OSX since certs are handled via Keychain.

tatsuhiro-t commented on May 5, 2024

The situation on Mac is not good for certs at the moment.
If you have a Linux installation, copy ca-certificates.crt to the Mac and use it with --ca-certificate.

antbryan commented on May 5, 2024

perhaps we could enlist the help of @nickzman who enabled native OS X crypto features in curl?

tatsuhiro-t commented on May 5, 2024

I think it works. Still, it is a bit fragile because we don't have a Mac OS compile platform. We have several pieces of Mac OS X-only code in aria2, but when they were written, I could use a Mac OS machine in the compiler farm hosted by sf.jp. But it is gone. If we cannot compile and test on that platform, things can easily be broken.

antbryan commented on May 5, 2024

I'm happy to do any testing. maybe we can find more Mac users who will also help.

tatsuhiro-t commented on May 5, 2024

Thank you! That is awesome.

antbryan commented on May 5, 2024

comment from Nick:

"What TLS engine does it use? If it uses OpenSSL or GnuTLS or even NSS, then you need to provide it with a collection of trusted root certificates or they won't work. Apple doesn't ship such a collection with OS X anymore outside of the certificates in the system roots keychain.

If you want to use the system roots keychain instead of a certificate bundle, then you either need to use Secure Transport as the TLS engine (best), or write a certificate validation callback that uses the Security framework to evaluate the trust (okay). Apple has deprecated their OpenSSL library in OS X, and iOS doesn't include OpenSSL at all, so it would be better if you use ST instead."

antbryan commented on May 5, 2024

Nick did the Secure Transport (OS X specific) stuff for curl & Marc Hoersken did the schannel (Windows specific) parts for curl.

maybe it is worth looking how curl does these & implementing them for aria2? it seems like there are a number of users on each platform.

https://developer.apple.com/library/mac/#documentation/security/Reference/secureTransportRef/Reference/reference.html

also, how does curl handle ca-certificates.crt? doesn't it provide some update mechanism (update-ca-certificates)? or maybe you could add some documentation for users on platforms that don't include it. http://curl.haxx.se/ca/

nmaier commented on May 5, 2024

Well, one should first define a common interface for TLS as an abstraction, instead of interleaving OpenSSL/GnuTLS code all throughout the socket core code.
Once that is done, one might implement other stuff like OSX ST, Win SChannel/CryptoAPI, NSS bindings.

Also, as a fast work-around for (home)brew users and maybe others, one could teach aria2 configure or runtime to use the CA file brew curl-ca-bundle or other packages provide, just like the aria2 formula https://github.com/mxcl/homebrew/blob/master/Library/Formula/aria2.rb
That is, in the absence of an explicit --with-ca-bundle, check for the CA file in commonly used locations:

tatsuhiro-t commented on May 5, 2024

I heard that curl once bundled CA certificates, but that was deprecated. I checked Debian's ca-certificate package, and it has an update script, but it relies on a certain directory structure suitable for Debian or Ubuntu.
I agree that abstracting TLS code in SocketCore is a good first step.

antbryan commented on May 5, 2024

would it be worth temporarily having build_osx_release.sh grab CA certs from http://curl.haxx.se/docs/caextract.html ?

tatsuhiro-t commented on May 5, 2024

I think yes, if it only needs a few lines of code.

tatsuhiro-t commented on May 5, 2024

TLS interface abstraction was complete. See src/TLSSession.h

zhuangya commented on May 5, 2024

problem fixed, thanks guys! :)

closing this now.
