pkgsrc-Bugs archive
Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates
The following reply was made to PR pkg/54130; it has been noted by GNATS.
From: "David J. Weller-Fahy" <dave%weller-fahy.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: pkg-manager%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost
Subject: Re: pkg/54130: If individual certs do not exist in --with-ca-path,
curl cannot validate certificates
Date: Fri, 19 Apr 2019 21:25:10 -0400
* Leonardo Taccari <leot%NetBSD.org@localhost> [2019-04-19 16:15 -0400]:
>From: Leonardo Taccari <leot%NetBSD.org@localhost>
> dave%weller-fahy.com@localhost writes:
> > [...]
> > Note that the fix I've included works on my machine, but I'm not
> > sure if ${SSLCERTS}/ca-bundle.crt is standard or not across
> > distributions and operating systems.
> > [...]
>
> At least mozilla-rootcerts-openssl doesn't provide anything similar so
> it's probably different (and I don't think there is any standard).
>
> Can mozilla-rootcerts-openssl peacefully coexist in that case?
Sorry for the delay, but I spun up a NetBSD 8.0 vm, checked out
pkgsrc-current, applied my patch to www/curl, and installed both
www/curl and mozilla-rootcerts-openssl.
Unfortunately, my original patch causes an error when using curl to
retrieve the URL I mentioned. See below for command and error.
#v+
localhost# curl -L https://rpm.nodesource.com/setup_10.x
curl: (77) error setting certificate verify locations:
CAfile: /etc/openssl/certs/ca-bundle.crt
CApath: /etc/openssl/certs
#v-
While it seems my original modification doesn't work, a twist on it
does:
#v+
.if exists(${SSLCERTS}/ca-bundle.crt)
CONFIGURE_ARGS+= --with-ca-bundle="${SSLCERTS}/ca-bundle.crt"
.endif
#v-
This works, but it must be placed at the end of the file (or, at least,
after the `.include "../../security/openssl/buildlink3.mk"` line),
because the SSLCERTS variable is not defined until the
openssl/buildlink3.mk file is included.
I don't see many conditionals like that at the end of files when
browsing Makefiles, so don't know if that's an appropriate solution,
however it solves the problem for me and allows curl to work on native
NetBSD.
Would the conditional solution placed at the end of the file be
acceptable? If so, a patch is attached.
Regards,
-dave
Content-Disposition: attachment; filename="www-curl.patch"
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/Makefile,v
retrieving revision 1.208
diff -u -p -r1.208 Makefile
--- Makefile 31 Mar 2019 20:41:29 -0000 1.208
+++ Makefile 20 Apr 2019 01:24:49 -0000
@@ -36,3 +36,7 @@ post-install:
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
+
+.if exists(${SSLCERTS}/ca-bundle.crt)
+CONFIGURE_ARGS+= --with-ca-bundle="${SSLCERTS}/ca-bundle.crt"
+.endif
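Review bot: the `.if exists(${SSLCERTS}/ca-bundle.crt)` test in the added lines is evaluated on the build host when the Makefile is parsed, so whether `--with-ca-bundle` gets compiled into curl depends on what happens to be installed on the machine that builds the package. A binary package built where the file exists will carry that CAfile path to hosts where it may not, which is the condition that produced the `curl: (77) error setting certificate verify locations` failure quoted in the message. Consider making this an explicit package option or build variable rather than a filesystem probe, and add a comment saying why the bundle path is set. Separately, the block sits after `.include "../../mk/bsd.pkg.mk"`; the message says it only needs to follow the `openssl/buildlink3.mk` include, so placing it directly after that line would keep `bsd.pkg.mk` as the last line of the Makefile.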