tech-pkg archive
Re: CA bundle for cadaver/neon [PATCH]
> Date: Thu, 20 Oct 2022 14:57:50 +0000
> From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
>
> On Thu, Oct 20, 2022 at 03:35:09PM +0100, Jonathan Perkin wrote:
> > This won't do what you think, if CURL_SSLCERTBUNDLE will always be defined
> > the !empty test will always be true, I think you meant to use
> > exists().
>
> Yes, that was my intent. What about this patch?
>
> --- security/openssl/builtin.mk 25 Aug 2021 11:25:25 -0000 1.48
> +++ security/openssl/builtin.mk 20 Oct 2022 14:55:41 -0000
> @@ -163,10 +163,10 @@
> # Some systems use CA bundles instead of files and hashed symlinks.
> # Continue to define SSLCERTS because it's unclear if that's the
> # directory that has one file per cert, or the directory that contains
> # trust anchor config in some fortm.
> -. if exists(${SSLDIR}/certs/ca-bundle.crt)
> -SSLCERTBUNDLE= ${SSLDIR}/certs/ca-bundle.crt
> +. if exists(${SSLDIR}/certs/ca-cerificates.crt)
> +SSLCERTBUNDLE= ${SSLDIR}/certs/ca-certificates.crt
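Review bot: the new exists() test on the "+. if" line checks a misspelled path, ca-cerificates.crt, while the assignment on the following line sets ca-certificates.crt, so this branch can never match; and because it replaces the ca-bundle.crt test instead of adding to it, hosts that ship ${SSLDIR}/certs/ca-bundle.crt lose SSLCERTBUNDLE entirely. Keep the existing ". if exists(${SSLDIR}/certs/ca-bundle.crt)" branch and add ". elif exists(${SSLDIR}/certs/ca-certificates.crt)" with its own assignment; while here, "fortm" in the comment above should read "form".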
This is wrong. The path involving ca-bundle.crt is for platforms that
have their own system-provided root CA certificates; this change will
break those systems. See this discussion from last year:
https://mail-index.netbsd.org/tech-pkg/2021/02/23/msg024608.html
jperkin: If you think this is wrong, perhaps either the discussion
needs to be revived, or the reasoning needs to be spelled out more
explicitly in the comments here.
> --- www/curl/Makefile 11 May 2022 06:47:02 -0000 1.257
> +++ www/curl/Makefile 20 Oct 2022 14:55:41 -0000
> @@ -22,9 +22,14 @@
> GNU_CONFIGURE= yes
> CONFIGURE_ARGS+= --with-ssl=${BUILDLINK_PREFIX.openssl}
> # Some systems use bundles instead of directories; this needs configuring
> # because curl doesn't use default validation.
> -.if !empty(SSLCERTBUNDLE)
> +# Moreover, we had a previous default at ${SSLCERTS}/ca-bundle.crt
> +# that should be honoured first for backward compatibility sake
> +CURL_SSLCERTBUNDLE= ${SSLCERTS}/ca-bundle.crt
> +.if exists(CURL_SSLCERTBUNDLE)
> +CONFIGURE_ARGS+= --with-ca-bundle=${CURL_SSLCERTBUNDLE}
> +.elif !empty(SSLCERTBUNDLE)
> CONFIGURE_ARGS+= --with-ca-bundle=${SSLCERTBUNDLE}
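Review bot: ".if exists(CURL_SSLCERTBUNDLE)" passes the variable name rather than its value, so make(1) looks for a file literally named CURL_SSLCERTBUNDLE relative to the package directory and the new branch never fires; it needs to be ".if exists(${CURL_SSLCERTBUNDLE})". Hard-coding ${SSLCERTS}/ca-bundle.crt ahead of SSLCERTBUNDLE also overrides whatever security/openssl/builtin.mk detected, so the added comment should state which platforms the "previous default" applies to and why it must take precedence; "for backward compatibility sake" should read "for backward compatibility's sake".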
I don't understand -- what are you trying to achieve with this patch?
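The thread is about which CA bundle path a build should hand to curl's --with-ca-bundle, and the two patches show how easy it is to get the probe wrong (a misspelled path, a variable name tested instead of its value). The shell snippet below is an added illustration, not pkgsrc code and not anything posted in this thread: it probes candidate bundle locations in the same order the second patch argues for (legacy ca-bundle.crt first, then ca-certificates.crt), and unlike make's exists() it also refuses a file that is present but holds no PEM certificate, since curl configured with an empty bundle would fail verification of every server. The candidate paths and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from pkgsrc or the patches above.
# find_ca_bundle SSLDIR: print the first usable CA bundle under SSLDIR,
# exit 0; exit 1 if none is found.  Lookup order mirrors the thread:
# legacy ca-bundle.crt wins for backward compatibility, then the
# Debian-style ca-certificates.crt, then a single cert.pem.
# The candidate list itself is an assumption for this demo.
find_ca_bundle() {
    ssldir=$1
    for cand in "$ssldir/certs/ca-bundle.crt" \
                "$ssldir/certs/ca-certificates.crt" \
                "$ssldir/cert.pem"; do
        # A bare existence check (what make's exists() gives you) is not
        # enough: an empty or non-PEM file at this path would make curl
        # reject every server certificate, so require at least one PEM block.
        if [ -f "$cand" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# curl_ca_configure_arg SSLDIR: print the configure argument curl needs,
# or exit 1 so the caller can fall back to curl's own defaults.
curl_ca_configure_arg() {
    bundle=$(find_ca_bundle "$1") || return 1
    printf -- '--with-ca-bundle=%s\n' "$bundle"
}
```

Run it as "curl_ca_configure_arg /etc/openssl" (or whatever your SSLDIR is); an exit status of 1 means no usable bundle was found and the build should not hard-code a path at all.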