From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: bug#28948: feh does encounter certificate errors with valid certificates Date: Wed, 01 Nov 2017 21:55:01 +0100 Message-ID: <87d1514t3u.fsf@fastmail.com> References: <20171022203339.qomgp4xm2rqh4zwe@abyayala> <87r2tl4iuz.fsf@fastmail.com> <87fua1kqqu.fsf@elephly.net> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:35166) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eA03S-0000Jc-AE for bug-guix@gnu.org; Wed, 01 Nov 2017 16:56:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eA03O-0007Ul-Br for bug-guix@gnu.org; Wed, 01 Nov 2017 16:56:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:37834) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eA03N-0007UL-VK for bug-guix@gnu.org; Wed, 01 Nov 2017 16:56:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1eA03N-0003Hr-Mo for bug-guix@gnu.org; Wed, 01 Nov 2017 16:56:01 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <87fua1kqqu.fsf@elephly.net> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ricardo Wurmus Cc: 28948@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Ricardo Wurmus writes: > Marius Bakke writes: > >> ng0 writes: >> >>> feh https://i.imgur.com/263enxT.jpg >>> feh opens image >>> >>> Problem: >>> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg >>> feh WARNING: open url: server certificate verification failed. CAfile: = none CRLfile: none >>> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist >>> feh: No loadable images specified. >>> See 'man feh' for detailed usage information >>> >>> nss etc are in my profile, no problem with other curl based application= s. >> >> The attached patch should fix the problem. Can you try it? > > We=E2=80=99ve done something similar in r-curl IIRC. I wonder if we shou= ld just > patch libcurl, so that all users of libcurl would benefit from this chang= e. IIRC the reason it's not supported in libcurl is because getenv() is not thread-safe, whereas libcurl is designed to be. > >> +diff --git a/src/imlib.c b/src/imlib.c >> +index dfb79aa..82a9865 100644 >> +--- a/src/imlib.c >> ++++ b/src/imlib.c >> +@@ -429,6 +429,10 @@ static char *feh_http_load_image(char *url) >> + if (opt.insecure_ssl) { >> + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); >> + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); >> ++ } else { >> ++ // Allow the user to specify custom CA certificates. >> ++ curl_easy_setopt(curl, CURLOPT_CAINFO, >> ++ getenv("CURL_CA_BUNDLE")); >> + } > > Is it safe to pass the empty string to curl_easy_setopt, in case > CURL_CA_BUNDLE is unset? Do we need to check the value first or can we > pass it without checking? getenv() returns NULL if the variable is unset. I'm not sure if it would reset the default on other distros, but it makes no difference for Guix since libcurl does not have a default CA bundle and handles NULL here gracefully. I submitted it upstream in hope of getting feedback/testing there, but it was simply merged as-is: I do agree that it's rather crude, will try to improve it a bit. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAln6NKUACgkQoqBt8qM6 VPo0AQgAvSbyaMZiXV3FwNWLc052k+1KYObDE3forKAzKGC7dLtXQMts4/6T3qxb /UQo2ocj4KeKlAyJoOZQFOQRFyusBehcWkvfnWxf7X6J8oRLNOuL/ebPHYVXanPN fhjNl/70InKsx/emV6T5EV9dEQ8oVkAwALMQE2IWXOg0kCCXE03Hpop9qGgGYDHc 8TWBFnaEiWFgwcYK5/w7KfUv1p88e9+gZSiHTZCfZte1LdalRuSERGdvBGORKNw4 Fc5O6iuFmgdz9wORdIHHysib8W1sGveSFoYPCluFj8+gCMl+eV2zwblvY4NvHNWf qaEQatI2/tKcFMLRQZoBkfT5nf5L6g== =wxqf -----END PGP SIGNATURE----- --=-=-=--