From mboxrd@z Thu Jan 1 00:00:00 1970
From: ng0
Subject: Re: curl_ca_bundle, and gnurl?
Date: Sat, 01 Oct 2016 11:41:14 +0000
Message-ID: <87mvio70v9.fsf@we.make.ritual.n0.is>
References: <86fuoiwbfq.fsf@gmail.com>
	<87shshsw3w.fsf@elephly.net>
	<87d1jllbmc.fsf@we.make.ritual.n0.is>
	<87h98xry8u.fsf@elephly.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56705)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from ) id 1bqIfe-0006W9-1D
	for help-guix@gnu.org; Sat, 01 Oct 2016 07:41:35 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from ) id 1bqIfZ-0000Ne-SW
	for help-guix@gnu.org; Sat, 01 Oct 2016 07:41:33 -0400
Received: from aibo.runbox.com ([91.220.196.211]:56848)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from ) id 1bqIfZ-0000NB-HY
	for help-guix@gnu.org; Sat, 01 Oct 2016 07:41:29 -0400
In-Reply-To: <87h98xry8u.fsf@elephly.net>
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix"
To: Ricardo Wurmus
Cc: myglc2 , help-guix@gnu.org

Hi,

Ricardo Wurmus writes:

> ng0 writes:
>
>> Ricardo Wurmus writes:
>>
>>> myglc2 writes:
>>>
>>>> With GuixSD user config ...
>> ……
>>>> )
>>>
>>> You forgot to actually add “nss-certs” to the manifest. After adding
>>> “nss-certs” you need to set the environment variable CURL_CA_BUNDLE:
>>>
>>> export CURL_CA_BUNDLE=/home/rekado/.myglc2-profile/etc/ssl/certs/ca-certificates.crt
>>>
>>> (I only recently patched r-curl to respect this environment variable.
>>> We should patch libcurl so that all packages using libcurl understand
>>> it.)
>>>
>>
>> I wonder if we need this for gnurl or if the code base of gnurl is still
>> curl-like enough that it respects the variable.. last time I tried gnurl
>> as a user on its own (which is *not* the intended use) was on Gentoo.
>> Gnurl is afaik not (yet) a gnu project and requires no sync with the gnu
>> descriptions.. I should add this to the description.
>
> Looking at the sources and searching for “getenv” I see this:

Thanks for your reply. I'll see that I address the issue in the next
version release of gnurl. Prior to using GuixSD I wasn't aware of this,
and I do my test builds of gnurl on guixsd and gentoo to assure that
there's no mistake from either system's side.

> …
> gnurl-7_50_3/src/tool_operate.c: env = curlx_getenv("CURL_CA_BUNDLE");
> gnurl-7_50_3/src/tool_operate.c: env = curlx_getenv("SSL_CERT_DIR");
> gnurl-7_50_3/src/tool_operate.c: env = curlx_getenv("SSL_CERT_FILE");
> gnurl-7_50_3/gnurl--/src/tool_operate.c: env = curlx_getenv("CURL_CA_BUNDLE");
> gnurl-7_50_3/gnurl--/src/tool_operate.c: env = curlx_getenv("SSL_CERT_DIR");
> gnurl-7_50_3/gnurl--/src/tool_operate.c: env = curlx_getenv("SSL_CERT_FILE");
> gnurl-7_50_3/gnurl--/lib/Makefile.netware: @echo $(DL)#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")$(DL) >> $@
> gnurl-7_50_3/gnurl--/lib/curl_setup.h:#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")
> gnurl-7_50_3/gnurl--/lib/vtls/nss.c: cert_dir = getenv("SSL_DIR");
> gnurl-7_50_3/gnurl--/lib/config-dos.h:#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")
> gnurl-7_50_3/lib/Makefile.netware: @echo $(DL)#define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")$(DL) >> $@
> …
>
> It looks like these common environment variables are indeed used for the
> tool. For the library it seems that the environment variable is only
> respected when “config-dos.h” is used. In other cases it’s a fixed file
> path:
>
> gnurl-7_50_3/src/Makefile:CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
>
> So gnurl should also be patched to replace the definition of
> CURL_CA_BUNDLE with “getenv("CURL_CA_BUNDLE")”.
>
>> But can you share some insights why curl requires this? For gnurl I rely
>> on its test suite, but I think curl does not complain about the missing
>> CURL_CA_BUNDLE in its test suite either, or does it?
>
> libcurl expects the user to configure the location of the bundle. If
> this does not happen it defaults to some hardcoded file path. The
> command line tool uses libcurl and overrides the value when the
> environment variable CURL_CA_BUNDLE is set.
>
> On Guix we cannot guarantee the existence of the hardcoded default path.
> The bundle is not part of the curl package and we cannot presume to know
> where the bundle file will be stored. For per-profile certificates (a
> user might want to distrust certain certificates, while another might
> want to use the defaults) we should not hardcode this but defer the
> decision to the CURL_CA_BUNDLE environment variable.
>
>> And if gnurl should require this, how could I fix gnurl (not the package
>> description in guix) to drop this strange behavior if it is possible at
>> all?
>
> It would be the same patch: we need to define CURL_CA_BUNDLE to be
> “getenv("CURL_CA_BUNDLE")” instead of a fixed path.
>
> ~~ Ricardo
>
> --
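As an added illustration (not code from this thread, nor from curl or gnurl), the C program below makes the patch Ricardo describes concrete: instead of a compiled-in `CURL_CA_BUNDLE` path, the trust-store location is resolved at runtime from the environment, in the order the grep output above shows for the curl tool (`CURL_CA_BUNDLE`, then `SSL_CERT_DIR`, then `SSL_CERT_FILE`), falling back to the `/etc/ssl/certs/ca-certificates.crt` default quoted from gnurl's `src/Makefile` only when none is set. It also checks that the resolved path actually exists with the expected type, because on Guix the default path is normally absent and a missing bundle otherwise surfaces only as a verification failure on every request. The `ca_source`, `ca_choice`, `resolve_ca_bundle` and `ca_bundle_usable` names are this example's own, not curl API.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Compiled-in fallback: the value gnurl's src/Makefile sets, as quoted in
 * the thread. On Guix this path normally does not exist. */
#define DEFAULT_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"

/* Where the trust-store location came from (names are this example's own). */
enum ca_source {
    CA_FROM_CURL_CA_BUNDLE,
    CA_FROM_SSL_CERT_DIR,
    CA_FROM_SSL_CERT_FILE,
    CA_FROM_DEFAULT
};

struct ca_choice {
    enum ca_source source;
    const char *path;
    int is_dir;   /* 1: a CAPATH-style directory, 0: a single bundle file */
};

/* Runtime lookup in the order the thread's grep output shows for the curl
 * tool: CURL_CA_BUNDLE, then SSL_CERT_DIR, then SSL_CERT_FILE. The
 * compiled-in path is used only when none of them is set. This is the
 * behaviour the proposed getenv("CURL_CA_BUNDLE") definition gives the
 * library, with the two extra variables the tool already honours. */
struct ca_choice resolve_ca_bundle(void)
{
    struct ca_choice c = { CA_FROM_DEFAULT, DEFAULT_CA_BUNDLE, 0 };
    const char *v;

    if ((v = getenv("CURL_CA_BUNDLE")) != NULL && *v != '\0') {
        c.source = CA_FROM_CURL_CA_BUNDLE; c.path = v; c.is_dir = 0;
    } else if ((v = getenv("SSL_CERT_DIR")) != NULL && *v != '\0') {
        c.source = CA_FROM_SSL_CERT_DIR; c.path = v; c.is_dir = 1;
    } else if ((v = getenv("SSL_CERT_FILE")) != NULL && *v != '\0') {
        c.source = CA_FROM_SSL_CERT_FILE; c.path = v; c.is_dir = 0;
    }
    return c;
}

/* Return 1 if the resolved location exists and has the expected type
 * (regular file for a bundle, directory for a CAPATH). A bundle that does
 * not exist makes every certificate fail verification; checking up front
 * turns that into one actionable error rather than a failure per request. */
int ca_bundle_usable(const struct ca_choice *c)
{
    struct stat st;
    if (stat(c->path, &st) != 0)
        return 0;
    return c->is_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode);
}

int main(void)
{
    static const char *names[] = { "CURL_CA_BUNDLE", "SSL_CERT_DIR",
                                   "SSL_CERT_FILE", "compiled-in default" };
    struct ca_choice c = resolve_ca_bundle();

    printf("trust store: %s (%s, from %s)\n", c.path,
           c.is_dir ? "directory" : "bundle file", names[c.source]);
    if (!ca_bundle_usable(&c)) {
        fprintf(stderr, "error: %s is not a usable %s; set CURL_CA_BUNDLE\n",
                c.path, c.is_dir ? "directory" : "file");
        return 1;
    }
    return 0;
}
```

Run it once with no variables set and once with `CURL_CA_BUNDLE` pointing at a profile's `etc/ssl/certs/ca-certificates.crt` to see which location a libcurl patched this way would trust; the exit status is non-zero whenever the chosen location does not exist.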