On 07/24/17 12:58, Jason Bacon wrote:
On 07/20/17 10:47, Jason Bacon wrote:On 06/16/17 01:38, coypu%sdf.org@localhost wrote:I think we need to should teach curl to look in the right place. It appears it has an option --with-ca-fallback=yes which might have the expected behaviour, as it comes with the description: checking whether to use builtin CA store of SSL library...(So something like ``CONFIGURE_ARGS+= --with-ca-fallback=yes'' in curl'smakefile, and verifying that this line changes from 'no' to 'yes')it looks like it will use openssl's code and certificates to validate ifan earlier option doesn't work. And being a functional change, bump PKGREVISION :-) If that fails we can pass it a CA_PATH, pkgsrc/*/mozilla-rootcerts SSLDIR might contain the right logic for where the certificates are expected to be.Neither --with-ca-fallback=yes (verified in config.log) nor --with-ca-path=/etc/ssl/certs (in place of --with-ca-path=${SSLCERTS}) seemed to have any effect.I can work around it using --with-ca-bundle=/etc/ssl/certs/ca-bundle.crt.I'm curious why --with-ca-path doesn't work. I verified the change in config.log.$ ./configure --with-ssl=/home/bacon/Pkgsrc/pkg-2017Q1 --with-ca-path=/etc/ssl/certs --with-zlib=/home/bacon/Pkgsrc/pkg-2017Q1 --enable-ipv6 --without-libssh2 --without-gssapi --disable-ldap --without-librtmp --with-libidn --without-nghttp2 --prefix=/home/bacon/Pkgsrc/pkg-2017Q1 --build=x86_64-redhat-linux --host=x86_64-redhat-linux --mandir=/home/bacon/Pkgsrc/pkg-2017Q1/manNote to posterity: Found the answer to my question here: https://curl.haxx.se/docs/sslcerts.html--with-ca-path must point to a directory containing individual PEM files, while CentOS /etc/ssl/certs contains only bundles (multiple PEM files concatenated).My solution for now is extracting the cert bundles from /etc/ssl/certs, dumping the individual PEM files into the default pkgsrc cert path (${SSLCERTS} == ${PREFIX}/etc/openssl/certs) after bootstrap.Found a rather elegant approach to this here:https://stackoverflow.com/questions/23644473/how-can-i-split-a-ca-certificate-bundle-into-separate-filesThis is a one-time fix per pkgsrc installation and avoids the need to mess with the pkgsrc cert logic.If anyone can think of a clean way to make this unnecessary, that would be great, but I'm content with the status quo for now.
Better yet...cd security/mozilla-rootcerts-openssl && bmake install NOT_FOR_UNPRIVILEGED=no
I had overlooked this pkg initially when searching for something to populate the ${SSLCERTS} dir because the use of ${MYETCDIR} in PLIST thwarted my "grep etc/openssl/certs" command.
The NOT_FOR_UNPRIVILEGED=no is needed to install as a non-root user, which will not work if using built-in openssl, because it wants to install in /etc in that case.
Hope some of this noise proves useful to someone... -- Earth is a beta site.