I don't see a reason to pass --without-ca-bundle. OpenSSL has two methods to get certificates:

* the bundle in /etc/ssl/cert.pem (see https://github.com/openssl/openssl/blob/35a1cc90bc1795e8893c11e442790ee7f659fffb/crypto/cryptlib.h#L85)
* the ca-directory with hash-style symlinks in /etc/ssl/certs (see https://github.com/openssl/openssl/blob/35a1cc90bc1795e8893c11e442790ee7f659fffb/crypto/cryptlib.h#L84)

Curl is a bit special and doesn't seem to strictly adhere to these values (has weird live-filesystem checks to pick a location or allows to hardcode them via --with-ca-bundle=foo as the ebuild does for non-openssl builds), probably because it supports many other libraries. However... it is common practice to support both methods and first check the bundle file. But the ebuild disables detection of that bundle file and only supports the ca-directory. That gives us trouble in the libressl overlay.
Hm, it seems the curl configuration is broken

checking default CA cert bundle/path... configure: error: Can't specify both --with-ca-bundle and --with-ca-path.

I'll look into it.
(In reply to Julian Ospald (hasufell) from comment #1)
> Hm, it seems the curl configuration is broken
>
> checking default CA cert bundle/path... configure: error: Can't specify both
> --with-ca-bundle and --with-ca-path.
>
> I'll look into it.

Yeah, I remember looking into this when I inherited curl. You either feed it --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt or --with-ca-path="${EPREFIX}"/etc/ssl/certs, but not both, so you must turn off ca-bundle when you give a ca-path. And only with openssl do we use ca-path. I don't know if it's broken so much as that's the way they built the beast. What problem does it cause on the overlay?
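The lookup order described in comment #1 (bundle file first, hashed ca-directory second) and the either/or constraint from comment #3 (curl's configure refuses both --with-ca-bundle and --with-ca-path), as an added POSIX sh example that is not part of this bug thread, the curl project or the Gentoo ebuild. The paths are parameters; the flag pairs emitted follow the pattern quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread, curl or the ebuild.
# Prints "bundle:<file>" when the CA bundle file is usable, "capath:<dir>" when
# the directory looks like an OpenSSL hash directory (entries named
# <8 hex digits>.<n>, the c_rehash / x509 -subject_hash layout), else returns 1.
resolve_ca_location() {
    bundle="$1"
    capath="$2"
    # common practice per comment #1: the bundle file wins when it exists
    if [ -s "$bundle" ]; then
        printf 'bundle:%s\n' "$bundle"
        return 0
    fi
    if [ -d "$capath" ]; then
        for entry in "$capath"/*; do
            case "${entry##*/}" in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    printf 'capath:%s\n' "$capath"
                    return 0 ;;
            esac
        done
    fi
    return 1
}

# Emits exactly one of the two curl configure settings, never both, so the
# "Can't specify both --with-ca-bundle and --with-ca-path" error cannot occur.
configure_ca_flags() {
    loc=$(resolve_ca_location "$1" "$2") || return 1
    case "$loc" in
        bundle:*) printf '%s\n' "--with-ca-bundle=${loc#bundle:} --without-ca-path" ;;
        capath:*) printf '%s\n' "--without-ca-bundle --with-ca-path=${loc#capath:}" ;;
    esac
}
```

Run it against a constructed tree (an empty bundle path and a directory containing a hash-named entry) to see the directory chosen, then create the bundle file to watch it take precedence.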
https://github.com/hasufell/curl/commit/2265e0ff1d10765ddf962f1bc483aa269c6591db#diff-8fb104c402dc51bdffef05a372f32aa2R594

What do you think?
https://github.com/bagder/curl/pull/139
The pull request got accepted upstream: https://github.com/bagder/curl/commit/90314100e0880144b2d8b7f7d02c51df9d6beece

I think we can:

* backport the patch
* remove the --without-ca-bundle string in line 166 of curl-7.40.0.ebuild
poop, anything holding this back?
(In reply to Julian Ospald (hasufell) from comment #6)
> poop, anything holding this back?

peep! It's fixed in =net-misc/curl-7.41.0. Please let me know if I missed anything. I'm going to shoot for stabilizing 7.41.0 next.