Bug 539260 - net-misc/curl disables support for CAfile with USE="curl_ssl_openssl"
Summary: net-misc/curl disables support for CAfile with USE="curl_ssl_openssl"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Anthony Basile
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2015-02-07 18:02 UTC by Julian Ospald
Modified: 2015-03-04 19:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Julian Ospald 2015-02-07 18:02:21 UTC
I don't see a reason to pass --without-ca-bundle.

OpenSSL has two methods to get certificates:
* the bundle in /etc/ssl/cert.pem
(see https://github.com/openssl/openssl/blob/35a1cc90bc1795e8893c11e442790ee7f659fffb/crypto/cryptlib.h#L85)
* the ca-directory with hash-style symlinks in /etc/ssl/certs
(see https://github.com/openssl/openssl/blob/35a1cc90bc1795e8893c11e442790ee7f659fffb/crypto/cryptlib.h#L84)

Curl is a bit special and doesn't seem to strictly adhere to these values (it has weird live-filesystem checks to pick a location, or allows hardcoding them via --with-ca-bundle=foo, as the ebuild does for non-openssl builds), probably because it supports many other libraries.
However... it is common practice to support both methods and first check the bundle file. But the ebuild disables detection of that bundle file and only supports the ca-directory.

That gives us trouble in the libressl overlay.
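To make the two OpenSSL lookup methods from the description concrete, here is an added Python example (not code from this bug, from curl or from the ebuild): it resolves the bundle file and the hashed CA directory the way OpenSSL does (explicit value, then the SSL_CERT_FILE / SSL_CERT_DIR override, then the compiled-in default of the OpenSSL the interpreter links) and reports whether each method is usable. The hashed-name pattern check and the sample store are assumptions made for illustration.

```python
import os
import re
import ssl
import tempfile

# c_rehash / `openssl rehash` name entries <8-hex subject hash>.<n> (CRLs: <hash>.r<n>);
# OpenSSL's by-directory lookup ignores other names, so plain .crt files are not a usable CApath.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def inspect_ca_bundle(path):
    """Number of PEM certificates in a bundle file, or -1 if it cannot be read."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read().count(PEM_HEADER)
    except OSError:
        return -1

def inspect_ca_path(path):
    """(hashed entries, other entries) of a CA directory, or None if unreadable."""
    try:
        names = os.listdir(path)
    except OSError:
        return None
    hashed = sum(1 for n in names if HASHED_NAME.match(n))
    return hashed, len(names) - hashed

def trust_store_report(cafile=None, capath=None):
    """Resolve both methods the way OpenSSL does: explicit value, then the
    SSL_CERT_FILE / SSL_CERT_DIR override, then the compiled-in default."""
    d = ssl.get_default_verify_paths()
    cafile = cafile or os.environ.get(d.openssl_cafile_env) or d.openssl_cafile
    capath = capath or os.environ.get(d.openssl_capath_env) or d.openssl_capath
    certs = inspect_ca_bundle(cafile)
    dir_info = inspect_ca_path(capath)
    return {
        "cafile": cafile, "cafile_certs": certs, "cafile_usable": certs > 0,
        "capath": capath, "capath_usable": bool(dir_info and dir_info[0] > 0),
        "capath_unhashed_entries": dir_info[1] if dir_info else 0,
    }

def build_sample_store():
    """Constructed fixture (not a real trust store): a two-certificate bundle inside
    a partly rehashed directory (two hashed links, one CRL link, a stray README)."""
    root = tempfile.mkdtemp()
    for name in ("a1b2c3d4.0", "deadbeef.1", "deadbeef.r0", "README"):
        open(os.path.join(root, name), "w").close()
    bundle = os.path.join(root, "cert.pem")
    with open(bundle, "w") as fh:
        fh.write((PEM_HEADER + "\nMIIB\n-----END CERTIFICATE-----\n") * 2)
    return bundle, root
```

Calling `trust_store_report()` with no arguments shows which of the two locations the host's OpenSSL would actually consult, which is the check to run when a curl built with only --with-ca-path fails verification on a system that ships nothing but the bundle.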
Comment 1 Julian Ospald 2015-02-07 18:09:42 UTC
Hm, it seems the curl configuration is broken

checking default CA cert bundle/path... configure: error: Can't specify both --with-ca-bundle and --with-ca-path.

I'll look into it.
Comment 2 Anthony Basile gentoo-dev 2015-02-07 18:18:47 UTC
(In reply to Julian Ospald (hasufell) from comment #1)
> Hm, it seems the curl configuration is broken
> 
> checking default CA cert bundle/path... configure: error: Can't specify both
> --with-ca-bundle and --with-ca-path.
> 
> I'll look into it.

Yeah, I remember looking into this when I inherited curl.  You either feed it

  --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt

or

  --with-ca-path="${EPREFIX}"/etc/ssl/certs

But not both, so you must turn off ca-bundle when you give a ca-path.  And only with openssl do we use ca-path.  I don't know if it's broken so much as that's the way they built the beast.

What problem does it cause on the overlay?
Comment 4 Julian Ospald 2015-02-07 21:08:43 UTC
https://github.com/bagder/curl/pull/139
Comment 5 Julian Ospald 2015-02-20 15:51:15 UTC
The pull request got accepted upstream.

https://github.com/bagder/curl/commit/90314100e0880144b2d8b7f7d02c51df9d6beece

I think we can:
* backport the patch
* remove the --without-ca-bundle string in line 166 of curl-7.40.0.ebuild
Comment 6 Julian Ospald 2015-02-24 03:28:36 UTC
poop, anything holding this back?
Comment 7 Anthony Basile gentoo-dev 2015-03-04 19:20:16 UTC
(In reply to Julian Ospald (hasufell) from comment #6)
> poop, anything holding this back?

peep!  It's fixed in =net-misc/curl-7.41.0.  Please let me know if I missed anything.

I'm going to shoot for stabilizing 7.41.0 next.