Using cURL on MacOSX

Introduction

MacOSX comes with cURL and openssl pre-installed in the /usr/bin directory, and the bundled cURL is built against Apple's Secure Transport TLS library. This means the MacOSX cURL will not accept PEM files for Two Way TLS (mutual TLS) client authentication and fails with an error.

MacOSX cURL does accept PFX (PKCS#12) files, but it does so by importing the private key into the MacOSX keychain the first time cURL is run with that file.

PEM files can be used by installing the brew versions of cURL and openssl. This matters for third-party software such as the pre-installed PHP, which is compiled against a cURL that uses Apple's Secure Transport (brew PHP install instructions are provided below).

Brew install of openssl and cURL on MacOSX

Verify default installed versions

From a terminal run the following to identify the version and location of your current cURL binary:

curl --version
which curl # normally defaulted to location /usr/bin/curl

Run the following to verify that PHP is installed on your MacOSX:

php -i | grep "SSL Version"

You'll see this if PHP is compiled to use Apple's Secure Transport:

SSL Version => SecureTransport

Install cURL with openssl using brew

Brew (Homebrew) is not part of MacOSX; install it from https://brew.sh before continuing. The instructions provided below can be used to install and uninstall the brew versions of cURL and openssl.

Note: Installing cURL and openssl independently will not work. Run the single command below so that cURL is built against the brew openssl. (--with-openssl was an install option of the older cURL formula; Homebrew has since removed per-formula options, and a plain "brew install curl" builds against Homebrew's OpenSSL. Either way, confirm the result with "curl --version" afterwards.)

brew install --with-openssl curl

Put the brew binaries ahead of /usr/bin on your PATH. Both formulas are keg-only, so brew does not link them into /usr/local/bin. The paths below assume the default Intel Homebrew prefix (/usr/local); on Apple Silicon the prefix is /opt/homebrew, and "brew --prefix curl" prints the right directory in either case.

export PATH="/usr/local/opt/curl/bin:$PATH"
export PATH="/usr/local/opt/openssl/bin:$PATH"

Use the commands below to verify the cURL version and binary being used.

curl --version
which curl
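The check above is easy to get wrong by eye, because the first line of "curl --version" lists every TLS library the binary was linked with. As an added example (not part of the original page), the shell script below classifies the backend named in that line and picks client-certificate options the backend can actually load; the two sample version lines are constructed approximations of what Apple's cURL and a brew cURL print, not output captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the original page: identify the TLS backend a curl
# binary was built with and choose client-certificate options that backend can
# actually load. Runs offline on constructed version strings; check_curl runs
# the same logic against a real binary on your PATH.

# tls_backend VERSION_OUTPUT: print the backend named on the first line of
# `curl --version` (SecureTransport, OpenSSL, LibreSSL or unknown). Newer Apple
# builds print "(SecureTransport) LibreSSL/x.y.z", so Secure Transport is
# matched before LibreSSL.
tls_backend() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        *SecureTransport*) echo SecureTransport ;;
        *OpenSSL/*)        echo OpenSSL ;;
        *LibreSSL/*)       echo LibreSSL ;;
        *)                 echo unknown ;;
    esac
}

# client_cert_opts BACKEND CERTFILE: print the curl options for CERTFILE, or
# fail with status 1 when BACKEND cannot load that format. PKCS#12 (.pfx/.p12)
# works on every backend; a PEM file that carries the private key needs an
# OpenSSL- or LibreSSL-backed curl.
client_cert_opts() {
    case "$2" in
        *.pfx|*.p12)
            printf '%s %s --cert-type P12\n' --cert "$2" ;;
        *.pem)
            if [ "$1" = SecureTransport ]; then
                echo "Secure Transport cannot load a PEM client certificate: $2" >&2
                return 1
            fi
            printf '%s %s --cert-type PEM\n' --cert "$2" ;;
        *)
            echo "unrecognised client certificate type: $2" >&2
            return 1 ;;
    esac
}

# check_curl CURL_BINARY CERTFILE: classify a real binary and report whether
# CERTFILE can be used with it.
check_curl() {
    out=$("$1" --version 2>/dev/null) || { echo "cannot run $1" >&2; return 1; }
    backend=$(tls_backend "$out")
    echo "$1 uses $backend"
    client_cert_opts "$backend" "$2"
}

# Constructed sample version lines (approximations of what Apple's /usr/bin/curl
# and a Homebrew curl print; not captured from a real machine).
apple_curl='curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2'
brew_curl='curl 7.55.1 (x86_64-apple-darwin16.7.0) libcurl/7.55.1 OpenSSL/1.0.2l zlib/1.2.8'

for v in "$apple_curl" "$brew_curl"; do
    b=$(tls_backend "$v")
    echo "backend: $b"
    client_cert_opts "$b" client.pfx
    client_cert_opts "$b" client.pem || echo '  -> convert the PEM to PFX, or use the brew curl'
done
```

To test the binaries on your own machine, source the script and run "check_curl /usr/bin/curl client.pem" and "check_curl "$(brew --prefix curl)/bin/curl" client.pem"; only the second should print a PEM option line.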

Uninstall cURL with openssl

To go back to the original MacOSX cURL and openssl, revert the PATH changes above. The export lines only affect the shell they were typed into, unless you added them to your shell profile.

Run the following commands to uninstall brew versions of cURL and openssl.

brew uninstall curl
brew uninstall openssl

Two Way TLS using PFX

The SAC downloaded from the portal will be a PFX containing the public certificate and private key. The following example shows how the pre-installed MacOSX cURL can be used from the command line to perform Two Way TLS client authentication using this PFX (-d takes the request body as its argument and already implies a POST; the password can also be attached to the certificate argument as -E <pfx>:<pfx password>):

curl -X POST -d '<data>' -E <pfx> --pass '<pfx password>' <url>

On MacOSX this works because cURL imports the private key into the keychain, from where the client-authentication code reads it. If you had previously imported the same identity into the keychain by other means, the keychain may prompt you to allow access. Note that a password given on the command line is visible to other local users in the process list and is saved in shell history.

Two Way TLS using PEM and brew version of cURL

The pre-installed MacOSX openssl will not convert PFX to PEM successfully. Use the brew version of openssl to convert the PFX into PEM format.

To export the PFX into a single PEM file holding the certificate and the private key, run the command below. openssl prompts first for the PFX import password and then for a new passphrase that protects the private key in the PEM output; that second passphrase is what cURL's --pass needs. Do not add -nodes to skip it, as that writes the private key to disk unencrypted.

openssl pkcs12 -in <pfx> -out <file.withkey.pem>

Run the same cURL command as before, this time passing in the PEM file (PEM is cURL's default --cert-type, so no extra option is needed):

curl -X POST -d '<data>' -E <file.withkey.pem> --pass '<pem password>' <url>

Note: The above will fail when using pre-installed cURL on MacOSX.
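As an added example (not the page's own commands), the script below wraps the PFX-to-PEM conversion, checks that the exported private key really belongs to the exported certificate, and performs the mutual-TLS POST with the brew cURL while keeping the passphrase out of the process argument list. It assumes the brew openssl and curl are first on PATH and that the passphrase is supplied in a PFX_PASS environment variable (a convention of this example, not of the page); for its self-test it generates a throwaway self-signed identity rather than using a real SAC.

```sh
#!/bin/sh
# Added example, not from the original page: PFX -> PEM conversion for the
# brew (OpenSSL-backed) curl, with a key/certificate consistency check and a
# mutual-TLS POST. Assumes the brew openssl and curl are first on PATH and that
# the PFX/PEM passphrase is exported in PFX_PASS (openssl reads it through
# env:PFX_PASS, so it never appears in `ps` output or shell history).

# pfx_to_pem PFX OUTDIR: write OUTDIR/client.pem (certificate plus private key,
# re-encrypted as PKCS#8 under the same passphrase, which is what curl -E
# expects), OUTDIR/client.crt (certificate only) and OUTDIR/client.key (key only).
pfx_to_pem() {
    [ -n "$PFX_PASS" ] || { echo 'PFX_PASS is not set' >&2; return 1; }
    mkdir -p "$2" || return 1
    # Deliberately no -nodes: that would write the private key unencrypted.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -out "$2/client.pem" -passout env:PFX_PASS || return 1
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$2/client.crt" || return 1
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts \
        -out "$2/client.key" -passout env:PFX_PASS || return 1
    chmod 600 "$2/client.pem" "$2/client.key"
}

# key_matches_cert CERTFILE KEYFILE: succeed only if the public key inside the
# certificate equals the one derived from the private key. A mismatched export
# shows up here instead of as an opaque TLS handshake failure.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:PFX_PASS -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# mtls_post URL PEMFILE BODY: POST BODY with the client identity in PEMFILE.
# The passphrase reaches curl through a config fragment on stdin rather than
# --pass on the command line, so other local users cannot read it from ps.
mtls_post() {
    printf 'pass = "%s"\n' "$PFX_PASS" | curl --silent --show-error --fail \
        --config - \
        --cert "$2" --cert-type PEM \
        -X POST -H 'Content-Type: application/json' -d "$3" \
        "$1"
}

# make_test_pfx OUTDIR: build a throwaway self-signed identity (constructed for
# this example) and bundle it as OUTDIR/id.pfx, so the conversion can be
# exercised without a real SAC.
make_test_pfx() {
    mkdir -p "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-client' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name example-client -out "$1/id.pfx" -passout env:PFX_PASS || return 1
    rm -f "$1/key.pem"
}

# selftest: export, convert and verify in a temporary directory (offline).
selftest() {
    dir=$(mktemp -d) || return 1
    PFX_PASS=${PFX_PASS:-example-passphrase}; export PFX_PASS
    make_test_pfx "$dir" &&
        pfx_to_pem "$dir/id.pfx" "$dir/out" &&
        key_matches_cert "$dir/out/client.crt" "$dir/out/client.key"
    status=$?
    rm -rf "$dir"
    return $status
}

if command -v openssl >/dev/null 2>&1; then
    selftest && echo 'PFX -> PEM conversion OK' || echo 'self-test failed' >&2
fi
```

With the brew tools first on PATH, "PFX_PASS=... pfx_to_pem sac.pfx ./out" followed by "mtls_post <url> ./out/client.pem '{}'" reproduces the page's two commands. Two caveats: a PFX produced by older tools may use legacy RC2/3DES encryption that OpenSSL 3 only reads with the extra "-legacy" option on "openssl pkcs12", and the config-file trick in mtls_post assumes the passphrase contains no double quote.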

Install brew version of PHP

Ensure you have the latest version of Xcode and install the Xcode command line tools with xcode-select. The brew PHP build looks for the zlib library within the Xcode directory.

xcode-select --install

Set up brew to tap into the additional Git repositories that hold the PHP installable components. (Both taps have since been deprecated by Homebrew; on a current Homebrew, PHP is installed from the core formulas with "brew install php", and the tap-based commands below apply only to the older formulas.)

brew tap homebrew/versions
brew tap homebrew/php

Identify the version of apache installed on your MacOSX.

httpd -v

If the installed Apache is not version 2.4, remove --with-httpd24 from the command below.

Install PHP using the brew version of cURL and openssl.

brew install --with-homebrew-curl --with-httpd24 php55

Set up the path to run brew PHP from the command line.

export PATH="$(brew --prefix homebrew/php/php55)/bin:$PATH"

Verify that PHP on the command line is not using Apple's Secure Transport.

php -i | grep "SSL Version"

The SSL Version returned should name OpenSSL rather than Secure Transport, for example:

SSL Version => OpenSSL/1.0.2l

The RapID PHP server SDK will work successfully with the brew version of PHP.

If the brew version of PHP is required in Apache, then follow the brew instructions displayed after a successful install.