Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 768912

Summary: net-misc/curl[curl_ssl_nss] should pull in dev-libs/nss-pem
Product: Gentoo Linux Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Current packagesAssignee: Anthony Basile <blueness>
Status: RESOLVED FIXED    
Severity: normal CC: herrtimson, mozilla, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=743995
https://bugs.gentoo.org/show_bug.cgi?id=750752
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 769578    
Bug Blocks:    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-05 21:51:46 UTC 
While debugging an issue why dev-php/composer fails with

> [Composer\Downloader\TransportException]
>  curl error 77 while downloading https://repo.packagist.org/packages.json: Problem with the SSL CA cert (path? access rights?)

I noticed that Composer is setting "cafile" to "CURLOPT_CAINFO" and "capath" to "CURLOPT_CAPATH" (https://github.com/composer/composer/blob/2.0.9/src/Composer/Util/Http/CurlDownloader.php#L61-L62).

To quote cURL documentation (https://curl.se/libcurl/c/CURLOPT_CAINFO.html):

> If CURLOPT_SSL_VERIFYPEER is zero and you avoid verifying the server's
> certificate, CURLOPT_CAINFO need not even indicate an accessible file.
> 
> This option is by default set to the system path where libcurl's cacert
> bundle is assumed to be stored, as established at build time.
> 
> If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module
> (libnsspem.so) needs to be available for this option to work properly.
> Starting with curl-7.55.0, if both CURLOPT_CAINFO and CURLOPT_CAPATH are
> unset, NSS-linked libcurl tries to load libnssckbi.so, which contains a
> more comprehensive set of trust information than supported by nss-pem,
> because libnssckbi.so also includes information about distrusted
> certificates.

This will not just affect dev-lang/php -- this will affect any application linking against cURL using built-in defaults.

So I think net-misc/curl[curl_ssl_nss] should pull in dev-libs/nss-pem.
Comment 1 Anthony Basile gentoo-dev 2021-02-08 16:20:46 UTC 
*** Bug 743995 has been marked as a duplicate of this bug. ***
Comment 2 Anthony Basile gentoo-dev 2021-02-08 16:28:13 UTC 
(In reply to Thomas Deutschmann from comment #0)

> So I think net-misc/curl[curl_ssl_nss] should pull in dev-libs/nss-pem.

Currently I am using ca-certificates.

RDEPEND="
    ...
    ssl? (
        ...
        nss? (
            dev-libs/nss:0[${MULTILIB_USEDEP}]
            app-misc/ca-certificates
        )
    )
"

Why doesn't dev-lib/nss pick up on that?  I'm cc-ing the mozilla team to give me some insight here.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-08 18:10:43 UTC 
I am also on Mozilla team. Let me try to answer:

dev-libs/nss itself provides its own trust store. Firefox and Thunderbird are known examples which aren't using system certificate store and rely on certificates provided by nss.

Therefore it would be wrong to pull in dev-libs/nss-pem with dev-libs/nss.

But you are using dev-libs/nss with system certificate store which will require dev-libs/nss-pem.
Comment 4 Anthony Basile gentoo-dev 2021-02-08 18:43:42 UTC 
(In reply to Thomas Deutschmann from comment #3)
> I am also on Mozilla team. Let me try to answer:
> 
> dev-libs/nss itself provides its own trust store. Firefox and Thunderbird
> are known examples which aren't using system certificate store and rely on
> certificates provided by nss.
> 
> Therefore it would be wrong to pull in dev-libs/nss-pem with dev-libs/nss.
> 
> But you are using dev-libs/nss with system certificate store which will
> require dev-libs/nss-pem.

Are you suggesting the following?

        nss? (
            dev-libs/nss:0[${MULTILIB_USEDEP}]
            dev-libs/nss-pem
            app-misc/ca-certificates
        )

My concern is that nss-pem is not stable on any system and is only keyworded for amd64 and arm64.

Can you advise?
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-08 19:24:14 UTC 
Yes, that is my suggestion.

I filed a keyword request for dev-libs/nss-pem, bug 769578.
Comment 6 Anthony Basile gentoo-dev 2021-02-09 00:11:24 UTC 
(In reply to Thomas Deutschmann from comment #5)
> Yes, that is my suggestion.
> 
> I filed a keyword request for dev-libs/nss-pem, bug 769578.

Okay, I'll add this after the keywording is done.
Comment 7 Armando Di Cianno 2021-10-15 23:26:00 UTC 
Just encountered a problem / side-effect of this issue trying to pull the flutter public git repo over https with net-misc/curl-7.79.1 installed.

e.g.
> fatal: unable to access 'https://github.com/flutter/flutter.git/':
> Problem with the SSL CA cert (path? access rights?)

So, first:
net-misc/curl USE="nss -openssl" CURL_SSL="nss" works.
net-misc/curl USE="nss openssl" CURL_SSL="nss" fails.

However, as described here:
net-misc/curl USE="nss openssl" CURL_SSL="nss" *and* installing dev-libs/nss-pem
... also fixes the issue.

So there seems to be more than one option, depending on use case. Users should be stopped from installing curl with conflicting use flags and/or nss-pem needs to be drawn in if +nss is on.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-16 02:23:18 UTC 
(In reply to Anthony Basile from comment #6)
> (In reply to Thomas Deutschmann from comment #5)
> > Yes, that is my suggestion.
> > 
> > I filed a keyword request for dev-libs/nss-pem, bug 769578.
> 
> Okay, I'll add this after the keywording is done.

Keywording is done, can you have a look?
Comment 9 Anthony Basile gentoo-dev 2022-09-04 16:17:39 UTC 
(In reply to Sam James from comment #8)
> (In reply to Anthony Basile from comment #6)
> > (In reply to Thomas Deutschmann from comment #5)
> > > Yes, that is my suggestion.
> > > 
> > > I filed a keyword request for dev-libs/nss-pem, bug 769578.
> > 
> > Okay, I'll add this after the keywording is done.
> 
> Keywording is done, can you have a look?

Now dev-libs/nss-pem needs keywording on riscv.  I'll work on that and then commit the change in proposed in comment #4.
Comment 10 Larry the Git Cow gentoo-dev 2022-09-05 16:35:38 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49bf70035d505816abbb3b3d24d696bbd8da17d7

commit 49bf70035d505816abbb3b3d24d696bbd8da17d7
Author:     Anthony G. Basile <blueness@gentoo.org>
AuthorDate: 2022-09-05 16:34:48 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2022-09-05 16:35:34 +0000

    net-misc/curl: depend on dev-libs/nss-pem when CURL_SSL=nss
    
    Closes: https://bugs.gentoo.org/768912
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-misc/curl/{curl-7.85.0-r1.ebuild => curl-7.85.0-r2.ebuild} | 1 +
 1 file changed, 1 insertion(+)