Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3694390 by 3lcarry
When curl is built with --with-apple-sectrust (or -DUSE_APPLE_SECTRUST=ON) and OpenSSL, the --cert-status / CURLOPT_SSL_VERIFYSTATUS option is silently bypassed when Apple SecTrust handles certificate chain verification instead of OpenSSL.
The user explicitly requests OCSP stapling enforcement, but the connection succeeds even when the server provides no OCSP staple — violating the documented guarantee that curl "aborts the connection" when no OCSP response is received.
In lib/vtls/openssl.c, Curl_ossl_check_peer_cert(), commit b4630ed8fa (2025-10-31, fixing #19307) introduced a sectrust_verified flag that skips OpenSSL's verifystatus() call when Apple SecTrust verified the certificate chain:
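Separate from the curl source referred to above, here is an added check (not from the report or the curl project) that tells a defender whether the curl binary on hand actually enforces --cert-status: it starts a local TLS server that never staples an OCSP response and expects curl to abort with exit code 91. It assumes openssl and curl on PATH, and uses constructed values (port 44330, a throwaway self-signed localhost certificate).

```shell
#!/bin/sh
# Added check; not part of the HackerOne report or of curl's own test suite.
# A correct build must abort with exit code 91 (CURLE_SSL_INVALIDCERTSTATUS)
# when --cert-status is set and the server sends no OCSP staple. A build with
# the bypass described above (OpenSSL + Apple SecTrust chain verification)
# connects successfully instead.
# Assumptions: openssl and curl on PATH, TCP port 44330 free (constructed).

CURL_BIN="${CURL_BIN:-curl}"
PORT=44330

# Prints "enforced" or "BYPASSED"; returns non-zero on setup failure.
cert_status_check() {
    tmp=$(mktemp -d) || return 1
    # Self-signed cert for localhost with a SAN so hostname matching passes.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=localhost -addext subjectAltName=DNS:localhost \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 || return 1

    # Plain TLS server; no -status option, so no OCSP response is ever stapled.
    openssl s_server -accept "$PORT" -www \
        -cert "$tmp/cert.pem" -key "$tmp/key.pem" >/dev/null 2>&1 &
    srv=$!
    sleep 1

    # Trust only the test cert, and demand a stapled OCSP response.
    rc=0
    "$CURL_BIN" --silent --output /dev/null --cacert "$tmp/cert.pem" \
        --cert-status "https://localhost:$PORT/" || rc=$?

    kill "$srv" 2>/dev/null || true
    rm -rf "$tmp"

    case "$rc" in
        91) echo enforced ;;
        0)  echo BYPASSED ;;
        *)  echo "unexpected curl exit code $rc" >&2; return 1 ;;
    esac
}
```

Run `CURL_BIN=/path/to/curl sh check.sh` after appending a call to `cert_status_check`; "BYPASSED" means that binary accepts connections despite the missing staple.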