So, here are adjusted patches. This is basically what you sent, except looking for /etc/pki/tls is confined to Linux, and on Linux it's explicitly pointed to /etc/ssl if that's not found. That's the same result as falling through to default, but I think it's easier to understand. I also figured out about the EV bundle, and this ignores that, which seems like the right thing to do. (Perhaps this search/config should be part of bootstrap, but I don't want to go there.) Is this acceptable to you? objections from anybody else? (I'm probably the crankiest so am guessing not.) Index: security/openssl/builtin.mk =================================================================== RCS file: /cvsroot/pkgsrc/security/openssl/builtin.mk,v retrieving revision 1.46 diff -u -p -r1.46 builtin.mk --- security/openssl/builtin.mk 28 Jan 2020 07:34:57 -0000 1.46 +++ security/openssl/builtin.mk 23 Feb 2021 19:34:50 -0000 @@ -138,6 +138,14 @@ SSLDIR= ${PKG_SYSCONFDIR.openssl} . elif !empty(USE_BUILTIN.openssl:M[yY][eE][sS]) . if ${OPSYS} == "NetBSD" SSLDIR= /etc/openssl +. elif ${OPSYS} == "Linux" +. if exists(/etc/pki/tls) +# Some distributions have moved to /etc/pki/tls, with incomplete +# symlinks from /etc/ssl. Prefer the new location if it exists +SSLDIR= /etc/pki/tls +. else +SSLDIR= /etc/ssl # standard location +. endif . elif ${OPSYS} == "Haiku" . if exists(/boot/system/data/ssl) SSLDIR= /boot/system/data/ssl 
@@ -152,9 +160,16 @@ SSLDIR= ${PKG_SYSCONFBASEDIR}/openssl . endif SSLCERTS= ${SSLDIR}/certs +# Some systems use CA bundles instead of files and hashed symlinks. +# Continue to define SSLCERTS because it's unclear if that's the +# directory that has one file per cert, or the directory that contains +# trust anchor config in some fortm. +. if exists(${SSLDIR}/certs/ca-bundle.crt) +SSLCERTBUNDLE= ${SSLDIR}/certs/ca-bundle.crt +. endif SSLKEYS= ${SSLDIR}/private -BUILD_DEFS+= SSLDIR SSLCERTS SSLKEYS +BUILD_DEFS+= SSLDIR SSLCERTS SSLCERTBUNDLE SSLKEYS # create pc files for builtin version; other versions assumed to contain them # If we are using the builtin version, check whether it has a *.pc Index: www/curl/Makefile =================================================================== RCS file: /cvsroot/pkgsrc/www/curl/Makefile,v retrieving revision 1.238 diff -u -p -r1.238 Makefile --- www/curl/Makefile 3 Feb 2021 13:17:18 -0000 1.238 +++ www/curl/Makefile 23 Feb 2021 19:34:50 -0000 @@ -19,7 +19,13 @@ USE_TOOLS+= nroff perl USE_LIBTOOL= yes GNU_CONFIGURE= yes CONFIGURE_ARGS+= --with-ssl=${BUILDLINK_PREFIX.openssl} +# Some systems use bundles instead of directories; this needs configuring +# because curl doesn't use default validation. +.if !empty(SSLCERTBUNDLE) +CONFIGURE_ARGS+= --with-ca-bundle=${SSLCERTBUNDLE} +.else CONFIGURE_ARGS+= --with-ca-path=${SSLCERTS} +.endif CONFIGURE_ARGS+= --with-zlib=${BUILDLINK_PREFIX.zlib} CONFIGURE_ARGS+= --without-libpsl PKGCONFIG_OVERRIDE= libcurl.pc.in
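Review bot: In the first builtin.mk hunk, `exists(/etc/pki/tls)` is evaluated on the build host, so SSLDIR is baked into the package at build time; a binary package built where /etc/pki/tls exists will carry `SSLDIR= /etc/pki/tls` and then fail to find its trust store on a Linux host that only has /etc/ssl (and vice versa). If that is the intended trade-off it should be stated in the comment, and the comment would also benefit from naming which distributions moved to /etc/pki/tls so the probe can be revisited later; at minimum end the comment sentence with a period: `# symlinks from /etc/ssl. Prefer the new location if it exists.`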
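Review bot: In the SSLCERTBUNDLE hunk, the comment has a typo, "fortm" should be "form", and the probe is tied to the single file name `${SSLDIR}/certs/ca-bundle.crt`, so any system whose bundle lives under a different name gets no SSLCERTBUNDLE at all and silently falls back to the hashed-directory behaviour. Consider making the variable user-settable before the probe (`SSLCERTBUNDLE?=` in the style of the other builtin.mk variables, or honoring a value from mk.conf) so a packager can point it at the right bundle without patching the file, and note in the comment that SSLCERTBUNDLE is deliberately left undefined when no bundle is found, since the curl Makefile hunk relies on that.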
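Review bot: In the curl Makefile hunk, the `.if !empty(SSLCERTBUNDLE)` / `.else` makes the bundle and the hashed directory mutually exclusive, so on a system that has both, certificates installed only as hashed files under ${SSLCERTS} will not be trusted by curl once the bundle is selected; passing both `--with-ca-bundle=${SSLCERTBUNDLE}` and `--with-ca-path=${SSLCERTS}` when the bundle exists avoids that, since curl's configure accepts both. The comment "curl doesn't use default validation" is also vague; something like "curl does not consult the OpenSSL default CA locations, so the store must be given at configure time" says what the reader needs. Using `defined(SSLCERTBUNDLE)` instead of `!empty(...)` would make it explicit that the variable is expected to be undefined, not empty, when no bundle was found.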