[yocto] curl-native and ca-bundle

Patrick Ohly patrick.ohly at intel.com
Tue Oct 25 23:41:27 PDT 2016


On Wed, 2016-10-26 at 06:20 +0000, Blaettler, Michael wrote:
> Hi Patrick
> 
> I just checked the source code of curl.
> 
> In acinclude.m4 on line 2560, you'll find:
> dnl CURL_CHECK_CA_BUNDLE
> dnl -------------------------------------------------
> dnl Check if a default ca-bundle should be used
> dnl
> dnl regarding the paths this will scan:
> dnl /etc/ssl/certs/ca-certificates.crt Debian systems
> dnl /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva
> dnl /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat
> dnl /usr/local/share/certs/ca-root-nss.crt FreeBSD
> dnl /etc/ssl/cert.pem OpenBSD, FreeBSD (symlink)
> dnl /etc/ssl/certs/ (ca path) SUSE
> 
> Later in the function there's a for loop, searching every path for the certificate-chain (if --with-ca-bundle is not set).
> for a in /etc/ssl/certs/ca-certificates.crt \
>          /etc/pki/tls/certs/ca-bundle.crt \
>          /usr/share/ssl/certs/ca-bundle.crt \
>          /usr/local/share/certs/ca-root-nss.crt \
>          /etc/ssl/cert.pem \
>          "$cac"; do
>     if test -f "$a"; then
>         ca="$a"
>         break
>     fi
> done
> 
> Regarding this configuration script, removing --with-ca-bundle in curl-native should not cause any problems.

Quite the opposite, it leads exactly to the problem that I feared.

Suppose you build on distro foo where the configure script finds and
thus hardcodes in the binary ca=/etc/ssl/certs/ca-certificates.crt. Then
you build on distro bar which has /etc/pki/tls/certs/ca-bundle.crt
instead. When using uninative, it is likely that compiling curl-native
anew will be skipped and instead curl-native gets installed from the
sstate that was prepared on distro foo. The result is a curl-native that
doesn't have SSL certificates and thus https will not work.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
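The failure mode described in this exchange can be reproduced without a Yocto build. The script below is an added example, not code from the thread or from curl: it re-implements the candidate-path probe from CURL_CHECK_CA_BUNDLE against an arbitrary root directory, then checks a path that "configure" would have hardcoded on one host against the filesystem of another. The two distro roots ("foo" Debian-like, "bar" Red Hat-like) and the empty bundle files are constructed in a temporary directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from curl itself).
# Reproduces curl's configure-time CA bundle probe and shows what happens
# when the resulting binary is reused on a host with a different layout.

# Same candidate list as CURL_CHECK_CA_BUNDLE in acinclude.m4, relative to a root.
CA_CANDIDATES="etc/ssl/certs/ca-certificates.crt
etc/pki/tls/certs/ca-bundle.crt
usr/share/ssl/certs/ca-bundle.crt
usr/local/share/certs/ca-root-nss.crt
etc/ssl/cert.pem"

# probe_ca_bundle ROOT
# Mimic configure: print the first candidate that exists under ROOT, as the
# absolute path configure would compile into the binary. Returns 1 if none exists.
probe_ca_bundle() {
    root=$1
    for rel in $CA_CANDIDATES; do
        if [ -f "$root/$rel" ]; then
            echo "/$rel"
            return 0
        fi
    done
    return 1
}

# check_embedded_ca ROOT PATH
# Runtime view: a binary carrying PATH compiled in is run on a host whose
# filesystem is ROOT. Returns 1 when the bundle is missing there.
check_embedded_ca() {
    root=$1
    embedded=$2
    if [ -f "$root$embedded" ]; then
        echo "ok: $embedded present"
        return 0
    fi
    echo "missing: $embedded (https verification would fail on this host)"
    return 1
}

# Construct two fake distro roots (constructed test data, empty bundle files).
make_fake_roots() {
    base=$(mktemp -d)
    mkdir -p "$base/foo/etc/ssl/certs" "$base/bar/etc/pki/tls/certs"
    : > "$base/foo/etc/ssl/certs/ca-certificates.crt"
    : > "$base/bar/etc/pki/tls/certs/ca-bundle.crt"
    echo "$base"
}

demo() {
    base=$(make_fake_roots)
    baked=$(probe_ca_bundle "$base/foo")          # what configure picks on distro foo
    echo "configure on foo hardcoded: $baked"
    check_embedded_ca "$base/foo" "$baked"         # fine on the build host
    check_embedded_ca "$base/bar" "$baked" || true # sstate reused on bar: bundle missing
    rm -rf "$base"
}

demo
```

On a real build the compiled-in path can be read from the curl-native sysroot with `curl-config --ca`; comparing that value against the files present on the current build host is the check that would have caught the sstate reuse problem before the first https fetch failed.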