Bug 207653

Summary: net-misc/curl should give precedence for ssl over gnutls or nss
Product: Gentoo Linux
Reporter: xalan <xalanxerces>
Component: New packages
Assignee: Daniel Black (RETIRED) <dragonheart>
Status: RESOLVED LATER
Severity: trivial
CC: jakub
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description xalan 2008-01-27 06:10:24 UTC
For the version 7.17.1 of curl, curl-7.17.1.ebuild gives precedence to gnutls. For example, if the user has USE="gnutls ssl nss", then gnutls is selected for the SSL implementation because of the following piece of code in the ebuild:
        if use gnutls; then
                myconf="${myconf} --without-ssl --with-gnutls --without-nss"
        elif use nss; then
                myconf="${myconf} --without-ssl --without-gnutls --with-nss"
        elif use ssl; then
                myconf="${myconf} --without-gnutls --without-nss --with-ssl"
        else
                myconf="${myconf} --without-gnutls --without-nss --without-ssl"
        fi

If you select gnutls for SSL implementation, then curl-config --protocols reports the following:
HTTP
FTP
FILE
TELNET
LDAP
DICT
TFTP

Note it does not support HTTPS or FTPS. I don't know if it *really* means that curl does not support HTTPS or FTPS. However, if you give precedence to ssl rather than gnutls, then curl-config --protocols will report:
HTTP
HTTPS
FTP
FTPS
FILE
TELNET
LDAP
DICT
TFTP

because it chooses openssl over gnutls for SSL implementation.

I came to notice this problem after I upgraded and my previous application failed to log on to a secure webserver using curl. It repeatedly failed saying: "A TLS packet with unexpected length was received". Googling led me to this page:
http://osdir.com/ml/network.lftp.user/2005-11/msg00006.html

I found some other mailing lists which also state that gnutls is relatively less mature compared to openssl for SSL implementation.

The issue only arises when users enable both the ssl and gnutls USE flags. One way around it would be to replace the above code snippet as follows:

        if use ssl; then
                myconf="${myconf} --without-gnutls --without-nss --with-ssl"
        elif use gnutls; then
                myconf="${myconf} --without-ssl --without-nss --with-gnutls"
        elif use nss; then
                myconf="${myconf} --without-ssl --without-gnutls --with-nss"
        else
                myconf="${myconf} --without-gnutls --without-nss --without-ssl"
        fi

You might have to also make other changes in the ebuild.

thanks,
xalan

Reproducible: Always

Steps to Reproduce:
1. See description

Actual Results:  
See description
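Two checks that follow from the report, as an added example written for this page (it is not code from the bug, the reporter, or the net-misc/curl ebuild). The first models the ebuild's if/elif chain as a precedence list, so the 7.17.1 ordering ("gnutls nss ssl") and the proposed ordering ("ssl gnutls nss") can be compared on the same USE string. The second reads `curl -V` output, which is libcurl's own feature report, and only accepts a build that lists both the SSL feature and the https protocol; the report shows `curl-config --protocols` omitting HTTPS/FTPS for a GnuTLS build, so relying on a second source is the cautious choice. The `curl -V` samples are constructed, not captured from a real system, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for this bug page; not code from the report or from the
# net-misc/curl ebuild. Samples and names below are constructed.

# pick_ssl_backend ORDER USE
#   ORDER: backend precedence, e.g. "gnutls nss ssl" (the if/elif chain in
#          curl-7.17.1.ebuild) or "ssl gnutls nss" (the ordering proposed above)
#   USE:   the user's USE flags, e.g. "gnutls ssl nss"
# Prints the first backend in ORDER whose USE flag is set, or "none".
pick_ssl_backend() {
    local order="$1" use="$2" cand flag
    for cand in $order; do
        for flag in $use; do
            if [ "$flag" = "$cand" ]; then
                echo "$cand"
                return 0
            fi
        done
    done
    echo none
}

# configure_flags BACKEND
# The --with/--without set the ebuild passes to ./configure for that choice.
configure_flags() {
    case "$1" in
        ssl)    echo "--without-gnutls --without-nss --with-ssl" ;;
        gnutls) echo "--without-ssl --without-nss --with-gnutls" ;;
        nss)    echo "--without-ssl --without-gnutls --with-nss" ;;
        *)      echo "--without-gnutls --without-nss --without-ssl" ;;
    esac
}

# curl_https_ok  (reads `curl -V` output on stdin)
# Succeeds only if the "Features:" line lists SSL and the "Protocols:" line
# lists https. Both must agree before HTTPS is treated as available.
curl_https_ok() {
    local proto_ok=0 feat_ok=0 line
    while IFS= read -r line; do
        case "$line" in
            Protocols:*)
                case " $line " in *" https "*) proto_ok=1 ;; esac ;;
            Features:*)
                case " $line " in *" SSL "*) feat_ok=1 ;; esac ;;
        esac
    done
    [ "$proto_ok" -eq 1 ] && [ "$feat_ok" -eq 1 ]
}

# Constructed `curl -V` samples (not captured from a real system).
SAMPLE_OPENSSL='curl 7.17.1 (i686-pc-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8 zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz'
SAMPLE_NOSSL='curl 7.17.1 (i686-pc-linux-gnu) libcurl/7.17.1 zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file
Features: IPv6 Largefile libz'

# Demo: the same USE string picks a different backend under the two orderings.
for order in "gnutls nss ssl" "ssl gnutls nss"; do
    b=$(pick_ssl_backend "$order" "gnutls ssl nss")
    echo "order [$order] + USE=\"gnutls ssl nss\" -> $b: $(configure_flags "$b")"
done
printf '%s\n' "$SAMPLE_OPENSSL" | curl_https_ok && echo "openssl build: https ok" || echo "openssl build: NO https"
printf '%s\n' "$SAMPLE_NOSSL"   | curl_https_ok && echo "no-ssl build: https ok"  || echo "no-ssl build: NO https"
```

On a real box the second check is `curl -V | curl_https_ok`; the two constructed samples only stand in for that output so the script runs offline.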
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2008-01-27 09:08:16 UTC
Well, I'd say the ebuild should die and tell the user to pick one instead of guessing what he wants - but that's been disliked by our QA. :|
Comment 2 Daniel Stenberg 2008-01-28 11:40:31 UTC
FTPS and HTTPS are both supported with GnuTLS as well; that's a curl-config bug fixed in current CVS (and thus to appear in the upcoming 7.18.0).
Comment 3 Daniel Black (RETIRED) gentoo-dev 2008-04-01 12:29:34 UTC
For the moment I'm not willing to suddenly change behaviour. As Daniel mentioned, this is really a curl-config problem (I'll be adding 7.18.1 soon).

I note there are some ebuilds starting to use an openssl USE flag. Once its popularity increases a bit more I'll start using it and developing a transition so people know what they are building.