salopensource / sal-scripts

Apache License 2.0

Curl failures #70

Closed sheagcraig closed 4 years ago

sheagcraig commented 4 years ago

I've had mysterious curl failures at my JOB place.

Specifically, if I let curl negotiate to HTTP/2 with our sal server, it fails. If I override this in the code to use HTTP/1.1 it works.

If I change the path to curl to use a current brew-installed curl, it works.

While I wouldn't say I exhaustively tried to solve this issue, it did make me interested in an alternative approach to Sal client checkins.

I'm working on a branch using python requests with a custom HTTPAdapter that allows you to use the macOS keychain's roots (instead of libressl for curl or certifi for requests) for verifying the server.

sheagcraig commented 4 years ago

Can I get an idea of who is using mutual TLS for their sal clients to checkin? i.e. do you have the Sal client prefs SSLClientCertificate and optionally SSLClientKey set?

My read on curl's man page is that it wouldn't even work if you had them both set; do you?

If you're using this, are you using an identity that's in the keychain by specifying the name of the cert? Or are you using a path to an actual cert on disk?

Thanks!
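Sketch of the checkin path described in the two comments above (keychain roots instead of certifi for server verification, plus the SSLClientCertificate / SSLClientKey prefs as a client cert). This is an added example written for this page, not code from sal-scripts or from the branch sheagcraig mentions: where that branch uses a custom HTTPAdapter and an SSLContext, this version pulls the roots out of the keychain with `security find-certificate -a -p`, writes them to a bundle file and hands that to `requests` via `verify=`, which gets the same verification behaviour without depending on how `requests` merges its own CA bundle into a caller-supplied context. The keychain paths, the `/checkin/` URL, the prefs dict and `SAMPLE_SECURITY_OUTPUT` are assumptions or constructed input, not values taken from the project.

```python
"""Sal-style checkin with `requests`, trusting the macOS keychain's roots rather than certifi.

Added example for this issue thread; not sal-scripts code. Keychain paths, URL and
sample data below are assumptions / constructed input.
"""
import os
import subprocess
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Assumed: Apple's root store plus the admin-managed System keychain, where an
# internal CA used by an on-prem Sal server would normally be installed.
DEFAULT_KEYCHAINS = (
    "/System/Library/Keychains/SystemRootCertificates.keychain",
    "/Library/Keychains/System.keychain",
)

# Constructed stand-in for `security find-certificate -a -p` output: two complete
# blocks, a stray blank line, and a truncated block that must be dropped.
SAMPLE_SECURITY_OUTPUT = """\
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificateA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificateB
MIIBsecondLine
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBtruncatedBlockWithoutAnEndLine
"""


def split_pem_blocks(text):
    """Return each CERTIFICATE block in `text` as its own PEM string.

    Lines outside a block are ignored and an unterminated block is dropped, so a
    truncated dump cannot produce a half-certificate that OpenSSL would reject.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def keychain_root_pems(keychains=DEFAULT_KEYCHAINS):
    """Dump every certificate in the given keychains as PEM.

    Caveat: `find-certificate` ignores per-certificate trust settings, so a cert an
    admin has marked "never trust" still comes out and would be trusted here.
    """
    pems = []
    for keychain in keychains:
        proc = subprocess.run(
            ["security", "find-certificate", "-a", "-p", keychain],
            capture_output=True, text=True,
        )
        if proc.returncode != 0:  # keychain missing or unreadable: skip it
            continue
        pems.extend(split_pem_blocks(proc.stdout))
    return pems


def write_ca_bundle(pems, directory=None):
    """Write the PEM blocks to a 0600 bundle file created with mkstemp and return its path.

    Refuses an empty bundle: with no roots every TLS handshake would fail later, and
    failing here makes the reason obvious.
    """
    if not pems:
        raise ValueError("no root certificates found; refusing to write an empty bundle")
    fd, path = tempfile.mkstemp(prefix="keychain-roots-", suffix=".pem", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(pems))
    return path


def client_cert_from_prefs(prefs):
    """Map the Sal prefs SSLClientCertificate / SSLClientKey to the `cert=` argument of requests.

    Only on-disk paths can work here: Python's ssl module loads cert and key from files,
    so an identity that lives only in the keychain (referenced by name) is not usable.
    """
    cert = prefs.get("SSLClientCertificate")
    key = prefs.get("SSLClientKey")
    if not cert:
        return None
    return (cert, key) if key else cert


def checkin(server_url, payload, prefs, ca_bundle):
    """POST the checkin payload, verifying the server only against `ca_bundle`."""
    import requests  # imported here so the parsing helpers run without requests installed

    cert = client_cert_from_prefs(prefs)
    for path in ((cert,) if isinstance(cert, str) else (cert or ())):
        if not os.path.isfile(path):
            raise FileNotFoundError(f"client cert material not found on disk: {path}")
    with requests.Session() as session:
        # requests/urllib3 speak HTTP/1.1 unless HTTP/2 support is explicitly enabled,
        # so the HTTP/2 negotiation failure seen with Apple's curl does not apply.
        resp = session.post(server_url, data=payload, verify=ca_bundle, cert=cert, timeout=30)
        resp.raise_for_status()
        return resp.text


if __name__ == "__main__":
    bundle = write_ca_bundle(keychain_root_pems())
    # Assumed URL and payload; the prefs dict would come from the Sal client preferences.
    print(checkin("https://sal.example.com/checkin/", {"key": "value"}, {}, bundle))
```

Two things to watch when adopting this: the bundle is only as good as the keychains it was dumped from, so re-dump it on each checkin (or after any profile that installs a root) rather than caching it indefinitely; and because the bundle is a plain file, create it somewhere only root can write, not a shared temp directory, or a local user could swap in their own roots before the checkin reads it.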

sheagcraig commented 4 years ago

FWIW, I'm not sure anybody is using this; having just tried doing it with Apple/macOS curl on 10.15, it doesn't work.

If you look at this: https://stackoverflow.com/a/51600189, it suggests "new" macOS curl doesn't work, but a brew curl built with SecureTransport does. I tried it, and it does indeed work.

So I'm guessing nobody is using this! But let me know so we don't axe it.