pkgsrc-Bugs archive


Re: pkg/54130: If individual certs do not exist in --with-ca-path, curl cannot validate certificates



* Leonardo Taccari <leot%NetBSD.org@localhost> [2019-04-19 16:15 -0400]:
> From: Leonardo Taccari <leot%NetBSD.org@localhost>
> dave%weller-fahy.com@localhost writes:
> > [...]
> > Note that the fix I've included works on my machine, but I'm not
> > sure if ${SSLCERTS}/ca-bundle.crt is standard or not across
> > distributions and operating systems.
> > [...]
>
> At least mozilla-rootcerts-openssl doesn't provide anything similar so
> it's probably different (and I don't think there is any standard).
>
> Can mozilla-rootcerts-openssl peacefully coexist in that case?

Sorry for the delay, but I spun up a NetBSD 8.0 vm, checked out
pkgsrc-current, applied my patch to www/curl, and installed both
www/curl and mozilla-rootcerts-openssl.

Unfortunately, my original patch causes an error when using curl to
retrieve the URL I mentioned. See below for command and error.

#v+
localhost# curl -L https://rpm.nodesource.com/setup_10.x
curl: (77) error setting certificate verify locations:
 CAfile: /etc/openssl/certs/ca-bundle.crt
 CApath: /etc/openssl/certs
#v-

While it seems my original modification doesn't work, a twist on it
does:

#v+
.if exists(${SSLCERTS}/ca-bundle.crt)
CONFIGURE_ARGS+=        --with-ca-bundle="${SSLCERTS}/ca-bundle.crt"
.endif
#v-

This works, but it must be placed at the end of the file (or, at least,
after the `.include "../../security/openssl/buildlink3.mk"` line),
because the SSLCERTS variable is not defined until the
openssl/buildlink3.mk file is included.

I don't see many conditionals like that at the end of files when
browsing Makefiles, so don't know if that's an appropriate solution,
however it solves the problem for me and allows curl to work on native
NetBSD.

Would the conditional solution placed at the end of the file be
acceptable? If so, a patch is attached.

Regards,
 -dave
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/Makefile,v
retrieving revision 1.208
diff -u -p -r1.208 Makefile
--- Makefile	31 Mar 2019 20:41:29 -0000	1.208
+++ Makefile	20 Apr 2019 01:24:49 -0000
@@ -36,3 +36,7 @@ post-install:
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/pthread.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
+
+.if exists(${SSLCERTS}/ca-bundle.crt)
+CONFIGURE_ARGS+=	--with-ca-bundle="${SSLCERTS}/ca-bundle.crt"
+.endif
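
Review bot: The `.if exists(${SSLCERTS}/ca-bundle.crt)` test is evaluated on the build host at build time, so whether the resulting curl gets a default CA bundle depends on what happens to be in `${SSLCERTS}` when the package is built. A binary package built where the file exists will be configured with a CAfile path that may be absent on the machine it is installed on (compare the error 77 output above, where CAfile is set to that path). A comment naming the package expected to provide `ca-bundle.crt` would make that dependency explicit. Separately, the block is added after `.include "../../mk/bsd.pkg.mk"`; since the message says `SSLCERTS` only needs `openssl/buildlink3.mk` to have been included, placing the conditional between that include and `bsd.pkg.mk` would keep `bsd.pkg.mk` as the last line of the Makefile.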

Attachment: signature.asc
Description: PGP signature
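
The distinction behind the report title and the error 77 output above, as an added example that is not part of the original message or of pkgsrc: a shell function that reports whether a certificate directory holds a PEM bundle (what `--with-ca-bundle` points at), OpenSSL hash-named certificates (what a CA path lookup relies on), both, or neither. The function name `ca_store_kind` is hypothetical; the `ca-bundle.crt` file name is the one used in the message.

```shell
#!/bin/sh
# Added example (not from the original message or from pkgsrc).
# Usage: ca_store_kind /etc/openssl/certs
#
# Prints one of:
#   bundle  - only a PEM bundle file is present (usable as CAfile)
#   hashed  - only hash-named certificates are present (usable as CApath)
#   both    - both layouts are present
#   none    - neither; certificate verification has nothing to load
ca_store_kind() {
    dir=$1
    bundle=no
    hashed=no

    # A CAfile must be one readable file containing at least one PEM
    # certificate; an empty or missing file does not count.
    if [ -r "$dir/ca-bundle.crt" ] &&
       grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/ca-bundle.crt"; then
        bundle=yes
    fi

    # OpenSSL finds certificates in a CApath by subject-hash file name:
    # eight lowercase hex digits, a dot, and a sequence number.
    # Only single-digit sequence numbers are checked here.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # skips dangling links and an unmatched glob
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9])
                hashed=yes
                break
                ;;
        esac
    done

    case $bundle$hashed in
        yesyes) echo both ;;
        yesno)  echo bundle ;;
        noyes)  echo hashed ;;
        *)      echo none ;;
    esac
}
```

A result of `hashed` corresponds to a directory where a CA path works without any bundle file, and `none` to the situation in the report title.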


