From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: curl_ca_bundle, and gnurl?
Date: Fri, 30 Sep 2016 21:20:01 +0200
Message-ID: <87h98xry8u.fsf@elephly.net>
References: <86fuoiwbfq.fsf@gmail.com> <87shshsw3w.fsf@elephly.net>
	<87d1jllbmc.fsf@we.make.ritual.n0.is>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50375)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1bq3M1-0006XR-Jr
	for help-guix@gnu.org; Fri, 30 Sep 2016 15:20:18 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1bq3Lx-0008VK-O8
	for help-guix@gnu.org; Fri, 30 Sep 2016 15:20:16 -0400
Received: from sender163-mail.zoho.com ([74.201.84.163]:21315)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1bq3Lx-0008Ug-Fi
	for help-guix@gnu.org; Fri, 30 Sep 2016 15:20:13 -0400
In-reply-to: <87d1jllbmc.fsf@we.make.ritual.n0.is>
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: ng0 <ngillmann@runbox.com>
Cc: myglc2 <myglc2@gmail.com>, help-guix@gnu.org


ng0 <ngillmann@runbox.com> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> myglc2 <myglc2@gmail.com> writes:
>>
>>> With GuixSD user config ...
> ……
>>>  )
>>
>> You forgot to actually add “nss-certs” to the manifest.  After adding
>> “nss-certs” you need to set the environment variable CURL_CA_BUNDLE:
>>
>>   export CURL_CA_BUNDLE=/home/rekado/.myglc2-profile/etc/ssl/certs/ca-certificates.crt
>>
>> (I only recently patched r-curl to respect this environment variable.
>> We should patch libcurl so that all packages using libcurl understand
>> it.)
>>
>
> I wonder if we need this for gnurl or if the code base of gnurl is still
> curl-like enough that it respects the variable.. last time I tried gnurl
> as a user on its own (which is *not* the intended use) was on Gentoo.
> Gnurl is afaik not (yet) a gnu project and requires no sync with the gnu
> descriptions.. I should add this to the description.

Looking at the sources and searching for “getenv” I see this:

…
gnurl-7_50_3/src/tool_operate.c:    env = curlx_getenv("CURL_CA_BUNDLE");
gnurl-7_50_3/src/tool_operate.c:      env = curlx_getenv("SSL_CERT_DIR");
gnurl-7_50_3/src/tool_operate.c:        env = curlx_getenv("SSL_CERT_FILE");
gnurl-7_50_3/gnurl--/src/tool_operate.c:    env = curlx_getenv("CURL_CA_BUNDLE");
gnurl-7_50_3/gnurl--/src/tool_operate.c:      env = curlx_getenv("SSL_CERT_DIR");
gnurl-7_50_3/gnurl--/src/tool_operate.c:        env = curlx_getenv("SSL_CERT_FILE");
gnurl-7_50_3/gnurl--/lib/Makefile.netware:	@echo $(DL)#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")$(DL) >> $@
gnurl-7_50_3/gnurl--/lib/curl_setup.h:#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")
gnurl-7_50_3/gnurl--/lib/vtls/nss.c:  cert_dir = getenv("SSL_DIR");
gnurl-7_50_3/gnurl--/lib/config-dos.h:#define CURL_CA_BUNDLE  getenv("CURL_CA_BUNDLE")
gnurl-7_50_3/lib/Makefile.netware:	@echo $(DL)#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")$(DL) >> $@
…

It looks like these common environment variables are indeed used for the
tool.  For the library it seems that the environment variable is only
respected when “config-dos.h” is used.  In other cases it’s a fixed file
path:

gnurl-7_50_3/src/Makefile:CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

So gnurl should also be patched to replace the definition of
CURL_CA_BUNDLE with “getenv("CURL_CA_BUNDLE")”.

> But can you share some insights why curl requires this? For gnurl I rely
> on its test suite, but I think curl does not complain about the missing
> CURL_CA_BUNDLE in its test suite either, or does it?

libcurl expects the user to configure the location of the bundle.  If
this does not happen it defaults to some hardcoded file path.  The
command line tool uses libcurl and overrides the value when the
environment variable CURL_CA_BUNDLE is set.

On Guix we cannot guarantee the existence of the hardcoded default path.
The bundle is not part of the curl package and we cannot presume to know
where the bundle file will be stored.  For per-profile certificates (a
user might want to distrust certain certificates, while another might
want to use the defaults) we should not hardcode this but defer the
decision to the CURL_CA_BUNDLE environment variable.

> And if gnurl should require this, how could I fix gnurl (not the package
> description in guix) to drop this strange behavior if it is possible at
> all?

It would be the same patch: we need to define CURL_CA_BUNDLE to be
“getenv("CURL_CA_BUNDLE)” instead of a fixed path.

~~ Ricardo