Using newer libcurl on OSX

When trying wpscan (https://github.com/wpscanteam/wpscan) on a ssl enabled site, I got the following error:

[!] The WordPress URL supplied 'https://***/' seems to be down

By applying this patch (which will add verbose to libcurl as well):

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 -- a/lib/common/browser.rb
 ++ b/lib/common/browser.rb
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@@ -159,6 +159,7 @@ class Browser
     params.merge!(cookiejar: @cache_dir + '/cookie-jar')
     params.merge!(cookiefile: @cache_dir + '/cookie-jar')
     params.merge!(cookie: @cookie) if @cookie
     params.merge!(verbose: true)

     params
   end

You'll get an error about the SSL connection failed.

This error is being caused by the darwin version of libcurl and can be fixed by manually building a newer version of libcurl and using that library instead. I believe this has to do with the older library isn't (properly) supporting SNI.

$ curl https://curl.haxx.se/download/curl-7.47.1.tar.gz

$ ./configure --with-ssl
$ make

Now you've created the library, we need to use this library instead of the default one.

The osx dynamic library loader supports variables to influence the loading behaviour, more info located here: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dyld.1.html.

$ DYLD_LIBRARY_PATH=$(pwd)/curl/curl-7.47.1/lib/.libs/ ruby wpscan.rb --url https://***/ -e u,tt
_______________________________________________________________  
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: https://***/
[+] Started: Fri Feb 26 12:01:19 2016

[+] robots.txt available under: 'https://***/robots.txt'
[!] The WordPress 'https://***/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <https://***/>; rel=shortlink
[+] Interesting header: SERVER: Apache
[+] Interesting header: SET-COOKIE: _icl_current_language=en; expires=Sat, 27-Feb-2016 11:00:21 GMT; path=/

Now it is working !

The variable DYLDPRINTLIBRARIES can be used to print what libraries are being loaded by the application.