NetBSD Problem Report #54130
From www@netbsd.org Fri Apr 19 19:46:36 2019
Date: Fri, 19 Apr 2019 19:46:35 +0000 (UTC)
From: dave@weller-fahy.com
Reply-To: dave@weller-fahy.com
To: gnats-bugs@NetBSD.org
Subject: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
X-Send-Pr-Version: www-1.0
>Number: 54130
>Category: pkg
>Synopsis: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 19 19:50:00 +0000 2019
>Closed-Date:
>Last-Modified: Sat Apr 20 16:52:31 +0000 2019
>Originator: David J. Weller-Fahy
>Release: pkgsrc current as of 2019-04-19
>Organization:
N/A
>Environment:
Linux svr 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
>Description:
If the only CA certificates available are via bundles, the default installation of curl (using `bmake install`) sets the configuration parameter `--with-ca-path`, but not `--with-ca-bundle`. This results in a failure of curl to validate certificates upon connection to, for example, https://rpm.nodesource.com/setup_10.x.
Note that the fix I've included works on my machine, but I'm not sure if ${SSLCERTS}/ca-bundle.crt is standard or not across distributions and operating systems.
>How-To-Repeat:
1) Install curl via pkgsrc on CentOS 7, or any other Linux that does not have individual certificates available in `/etc/ssl/certs`.
2) Attempt to execute `curl -sL https://rpm.nodesource.com/setup_10.x`.
>Fix:
retrieving revision 1.208
diff -u -p -r1.208 Makefile
--- Makefile 31 Mar 2019 20:41:29 -0000 1.208
+++ Makefile 19 Apr 2019 19:44:42 -0000
@@ -17,6 +17,7 @@ USE_TOOLS+= nroff perl
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-ssl=${BUILDLINK_PREFIX.openssl}
+CONFIGURE_ARGS+= --with-ca-bundle=${SSLCERTS}/ca-bundle.crt
CONFIGURE_ARGS+= --with-ca-path=${SSLCERTS}
CONFIGURE_ARGS+= --with-zlib=${BUILDLINK_PREFIX.zlib}
PKGCONFIG_OVERRIDE= libcurl.pc.in
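Review bot: the added `--with-ca-bundle=${SSLCERTS}/ca-bundle.crt` is passed unconditionally, so on any platform where that file is absent curl is built with a CAfile it cannot open and every TLS connection fails with `curl: (77) error setting certificate verify locations` (exactly the failure the submitter later reports on NetBSD 8.0, where ${SSLCERTS} is /etc/openssl/certs). Either guard the line so it is only emitted when the bundle exists, or leave the package untouched and point curl at a bundle at runtime via CURL_CA_BUNDLE / SSL_CERT_FILE as suggested later in this thread; the submitter's own caveat that ca-bundle.crt is not a standard name across distributions argues against hard-coding it here.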
>Release-Note:
>Audit-Trail:
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
Date: Fri, 19 Apr 2019 22:10:36 +0200
Hello Dave,
dave@weller-fahy.com writes:
> [...]
> If the only CA certificates available are via bundles, the default
> installation of curl (using `bmake install`) sets the configuration
> parameter `--with-ca-path`, but not `--with-ca-bundle`. This results
> in a failure of curl to validate certificates upon connection to,
> for example, https://rpm.nodesource.com/setup_10.x.
>
> Note that the fix I've included works on my machine, but I'm not
> sure if ${SSLCERTS}/ca-bundle.crt is standard or not across
> distributions and operating systems.
> [...]
At least mozilla-rootcerts-openssl doesn't provide anything similar
so it's probably different (and I don't think there is any
standard).
Can mozilla-rootcerts-openssl peacefully coexist in that case?
From: "David J. Weller-Fahy" <dave@weller-fahy.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
Date: Fri, 19 Apr 2019 21:25:10 -0400
* Leonardo Taccari <leot@NetBSD.org> [2019-04-19 16:15 -0400]:
> dave@weller-fahy.com writes:
> > [...]
> > Note that the fix I've included works on my machine, but I'm not
> > sure if ${SSLCERTS}/ca-bundle.crt is standard or not across
> > distributions and operating systems.
> > [...]
>
> At least mozilla-rootcerts-openssl doesn't provide anything similar so
> it's probably different (and I don't think there is any standard).
>
> Can mozilla-rootcerts-openssl peacefully coexist in that case?
Sorry for the delay, but I spun up a NetBSD 8.0 vm, checked out
pkgsrc-current, applied my patch to www/curl, and installed both
www/curl and mozilla-rootcerts-openssl.
Unfortunately, my original patch causes an error when using curl to
retrieve the URL I mentioned. See below for command and error.
#v+
localhost# curl -L https://rpm.nodesource.com/setup_10.x
curl: (77) error setting certificate verify locations:
CAfile: /etc/openssl/certs/ca-bundle.crt
CApath: /etc/openssl/certs
#v-
While it seems my original modification doesn't work, a twist on it
does:
#v+
.if exists(${SSLCERTS}/ca-bundle.crt)
CONFIGURE_ARGS+= --with-ca-bundle="${SSLCERTS}/ca-bundle.crt"
.endif
#v-
This works, but it must be placed at the end of the file (or, at least,
after the `.include "../../security/openssl/buildlink3.mk"` line),
because the SSLCERTS variable is not defined until the
openssl/buildlink3.mk file is included.
I don't see many conditionals like that at the end of files when
browsing Makefiles, so I don't know if that's an appropriate solution;
however, it solves the problem for me and allows curl to work on native
NetBSD.
Would the conditional solution placed at the end of the file be
acceptable? If so, a patch is attached.
Regards,
-dave
Attachment: www-curl.patch
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/Makefile,v
retrieving revision 1.208
diff -u -p -r1.208 Makefile
--- Makefile 31 Mar 2019 20:41:29 -0000 1.208
+++ Makefile 20 Apr 2019 01:24:49 -0000
@@ -36,3 +36,7 @@ post-install:
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
+
+.if exists(${SSLCERTS}/ca-bundle.crt)
+CONFIGURE_ARGS+= --with-ca-bundle="${SSLCERTS}/ca-bundle.crt"
+.endif
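Review bot: the `.if exists(${SSLCERTS}/ca-bundle.crt)` test is evaluated on the build host at package build time, so the resulting binary's CA configuration silently depends on whether that file happened to exist where the package was built; the same package built on two hosts can behave differently, which is the gnutls debugging pain leot describes in this thread. The placement is also unusual: `.include "../../mk/bsd.pkg.mk"` is conventionally the final line of a pkgsrc Makefile, and the submitter's own explanation says the conditional only needs to come after the openssl buildlink3.mk include, so if it is kept it belongs between that include and bsd.pkg.mk. The cleaner fix is not to bake a build-host path into the package at all: set CURL_CA_BUNDLE and/or SSL_CERT_FILE in the environment, or install mozilla-rootcerts-openssl so ${SSLCERTS} is populated.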
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
Date: Sat, 20 Apr 2019 12:00:46 +0200
David J. Weller-Fahy writes:
> [...]
> I don't see many conditionals like that at the end of files when
> browsing Makefiles, so I don't know if that's an appropriate solution;
> however, it solves the problem for me and allows curl to work on native
> NetBSD.
>
> Would the conditional solution placed at the end of the file be
> acceptable? If so, a patch is attached.
> [...]
Sorry, the question and possible solution to this problem was:
what happens if mozilla-rootcerts-openssl is installed on the
problematic platform? (I think they will peacefully coexist, and then
every package that uses ${SSLCERTS} will work properly.)
State-Changed-From-To: open->feedback
State-Changed-By: leot@NetBSD.org
State-Changed-When: Sat, 20 Apr 2019 11:50:52 +0000
State-Changed-Why:
Feedback requested.
From: "David J. Weller-Fahy" <dave@weller-fahy.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
Date: Sat, 20 Apr 2019 08:52:52 -0400
* Leonardo Taccari <leot@NetBSD.org> [2019-04-20 06:05 -0400]:
> David J. Weller-Fahy writes:
> > [...]
> > I don't see many conditionals like that at the end of files when
> > browsing Makefiles, so I don't know if that's an appropriate solution;
> > however, it solves the problem for me and allows curl to work on native
> > NetBSD.
> >
> > Would the conditional solution placed at the end of the file be
> > acceptable? If so, a patch is attached.
> > [...]
>
> Sorry, the question and possible solution to this problem was:
> what happens if mozilla-rootcerts-openssl is installed on the
> problematic platform? (I think they will peacefully coexist, and then
> every package that uses ${SSLCERTS} will work properly.)
Ah, I misunderstood: as I have pkgsrc installed in unprivileged mode I
cannot install security/mozilla-rootcerts-openssl.
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
Date: Sat, 20 Apr 2019 15:16:57 +0200
David J. Weller-Fahy writes:
> [...]
> Ah, I misunderstood: as I have pkgsrc installed in unprivileged mode I
> cannot install security/mozilla-rootcerts-openssl.
> [...]
Thanks!
In that case, unfortunately, I think the possible ways to address that are
(apart from the local patch as you have proposed):
- prefer pkgsrc openssl; in that way I think that
mozilla-rootcerts-openssl will be installable
- work around that by setting appropriate environment variables
(CURL_CA_BUNDLE and/or SSL_CERT_FILE)
IMHO the patch proposed could actually lead to possibly more
surprising results (e.g. curl behaviour will then depend on whether
the cabundle file was present or not on the platform where it was
built).^[0]
[0]: gnutls actually had such a problem: it unconditionally checked
cabundle and capath files and, depending on whether such files were
present in the system, set their preferred locations, and that wasn't
particularly fun to debug. :)
From: "David J. Weller-Fahy" <dave@weller-fahy.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
Date: Sat, 20 Apr 2019 11:48:14 -0400
* Leonardo Taccari <leot@NetBSD.org> [2019-04-20 09:20 -0400]:
> In that case, unfortunately, I think the possible ways to address that
> are (apart from the local patch as you have proposed):
> [...]
>
> - work around that by setting appropriate environment variables
> (CURL_CA_BUNDLE and/or SSL_CERT_FILE)
Thanks!
That sounds like an eminently sensible and easy-to-implement solution -
I didn't even think about external variables (probably because I was
working within pkgsrc), and can easily throw something in my .profile
that will make sure this is set where appropriate.
> IMHO the patch proposed could actually lead to possibly more
> surprising results (e.g. curl behaviour will then depend on whether
> the cabundle file was present or not on the platform where it was
> built).^[0]
>
> [0]: gnutls actually had such a problem: it unconditionally checked
> cabundle and capath files and, depending on whether such files were
> present in the system, set their preferred locations, and that wasn't
> particularly fun to debug. :)
Understood, and thanks for helping me solve this!
-dave
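The runtime workaround leot suggests (CURL_CA_BUNDLE and/or SSL_CERT_FILE), written out as an added example that is not part of this PR or of pkgsrc: a POSIX sh snippet suitable for ~/.profile that picks the first usable CA bundle from a candidate list, checks that it actually contains PEM certificates, and exports both variables. The function names and the candidate paths are assumptions; only the pkgsrc default /etc/openssl/certs comes from the thread.

```shell
# Added example, not from the PR: point curl at a CA bundle at runtime via
# CURL_CA_BUNDLE / SSL_CERT_FILE instead of baking a build-host path into
# the package.  Function names and candidate paths are assumptions.

# Print the first readable, non-empty candidate path; return 1 if none.
pick_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Count PEM certificates in a file, so an empty or truncated bundle is
# caught here rather than surfacing later as a failed verification.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Pick a bundle, require at least one certificate in it, and export the
# variables that curl and OpenSSL-based tools read.  Prints the chosen path.
use_ca_bundle() {
    bundle=$(pick_ca_bundle "$@") || return 1
    [ "$(count_pem_certs "$bundle")" -gt 0 ] || return 1
    CURL_CA_BUNDLE=$bundle; export CURL_CA_BUNDLE
    SSL_CERT_FILE=$bundle; export SSL_CERT_FILE
    printf '%s\n' "$bundle"
}

# Candidates (assumed): pkgsrc's default ${SSLCERTS} seen in the thread,
# then the usual RHEL/CentOS and Debian locations.  A missing bundle is
# left to fail loudly; verification is never switched off as a fallback.
if use_ca_bundle /etc/openssl/certs/ca-bundle.crt \
                 /etc/pki/tls/certs/ca-bundle.crt \
                 /etc/ssl/certs/ca-certificates.crt >/dev/null; then
    echo "curl will verify against $CURL_CA_BUNDLE"
else
    echo "no usable CA bundle found; leaving CURL_CA_BUNDLE unset" >&2
fi
```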
State-Changed-From-To: feedback->open
State-Changed-By: leot@NetBSD.org
State-Changed-When: Sat, 20 Apr 2019 16:52:31 +0000
State-Changed-Why:
Feedback provided, possible workarounds suggested
>Unformatted: