[yocto] curl-native and ca-bundle
Patrick Ohly
patrick.ohly at intel.com
Mon Oct 24 06:14:19 PDT 2016
On Mon, 2016-10-24 at 07:20 +0000, Blaettler, Michael wrote:
> Hi all
>
> We just had an issue in regard to curl-native.
> By default curl is configured with the "--with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt" flag.
> In case curl-native is built, the ${sysconfdir} of the current project is compiled into the binary. Due to sstate caching the binary will be reused in other projects, but the ca-bundle is still loaded from the first project. As soon as the first project (where the initial build took place) is deleted, curl-native won't be able to fetch from HTTPS sources, because the ca-path is invalid.
>
> As a quick solution I removed the "--with-ca-bundle" configure option in native builds and curl is now loading the default certificate chain of the build host.
>
> Did anybody find similar issues in other recipes?
Yes, we ran into the same issue with a CVE check tool, which also uses
libcurl.
> How do you handle them?
We had to patch the tool so that it can override the CA cert path and
then explicitly override the builtin path at runtime, see:
https://github.com/01org/meta-security-isafw/commit/d844f370d5847da08fef83b916e621ebf6b5fa37
Some colleagues recently noticed that the version of cve-check-tool in
OE-core lacks that patch. I'm not sure whether that was reported,
though. André, Ismo?
> Is there a common approach?
No, not really. Patching binaries was mentioned, but it wasn't clear how
to do that in practice.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
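As an added illustration of the workaround discussed in this thread (this is example code written for this page, not part of the original mail, the curl project, or meta-security-isafw), the POSIX shell script below checks whether the CA bundle path compiled into a curl build still exists and, if not, falls back to a readable bundle on the build host by exporting CURL_CA_BUNDLE. The candidate host paths are assumptions and should be adjusted to the actual build host; `curl-config --ca` is only used when that tool is present.

```shell
#!/bin/sh
# Example (not from the original thread): cope with an sstate-cached
# curl-native whose compiled-in CA bundle path points at a project tree
# that has since been deleted.

# Assumed list of common host bundle locations; adjust for your build host.
HOST_CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem"

# Print the CA bundle path compiled into the curl build found on PATH,
# or nothing when curl-config is not available.
builtin_ca_path() {
    if command -v curl-config >/dev/null 2>&1; then
        curl-config --ca 2>/dev/null
    fi
}

# resolve_ca_bundle BUILTIN [CANDIDATE...]
# Prints the first readable bundle among BUILTIN and the candidates.
# Returns 1 when none of them is readable.
resolve_ca_bundle() {
    builtin="$1"
    shift
    for f in "$builtin" "$@"; do
        if [ -n "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# export_ca_override BUILTIN [CANDIDATE...]
# Leaves the environment alone while the compiled-in path is still valid;
# otherwise exports CURL_CA_BUNDLE pointing at a usable host bundle.
# Note: CURL_CA_BUNDLE is honoured by the curl command-line tool only.
# Programs linked against libcurl (such as cve-check-tool) do not read it;
# they need an explicit override of CURLOPT_CAINFO, which is why the
# tool had to be patched as described above.
export_ca_override() {
    builtin="$1"
    shift
    if [ -n "$builtin" ] && [ -r "$builtin" ]; then
        return 0
    fi
    bundle=$(resolve_ca_bundle "" "$@") || return 1
    CURL_CA_BUNDLE="$bundle"
    export CURL_CA_BUNDLE
}

# Usage when run as a script: fix up the environment before invoking curl.
export_ca_override "$(builtin_ca_path)" $HOST_CA_CANDIDATES \
    || echo "warning: no readable CA bundle found on this host" >&2
```

Source this file (or run it via `. ./ca-override.sh`) before the fetch step so that the exported CURL_CA_BUNDLE reaches the curl command; the compiled-in path is only replaced when it has actually become unreadable, so a correctly built curl-native keeps using its own bundle.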