From: "Raghav Gururajan" <rvgn@disroot.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: 34861@debbugs.gnu.org
Subject: bug#34861: TLS Error with Flatpak
Date: Mon, 18 Mar 2019 23:10:48 +0000
Message-ID: <2d04774df83fe600777de7b8f26aca87@disroot.org>
In-Reply-To: <87ef73yiyr.fsf@elephly.net>
References: <87ef73yiyr.fsf@elephly.net> <87imwgpl5e.fsf@gnu.org> <002a84964102ac2171089fa7dc007092@disroot.org>
List-Id: Bug reports for GNU Guix

Hello Ricardo!

Please find the following information.

FROM FLATPAK SOURCE CODE:

/* Includes added here for context; the function below is quoted from flatpak. */
#include <glib.h>
#include <libsoup/soup.h>

SoupSession *
flatpak_create_soup_session (const char *user_agent)
{
  SoupSession *soup_session;
  const char *http_proxy;

  /* Validate server certificates against the system CA store. */
  soup_session = soup_session_new_with_options (SOUP_SESSION_USER_AGENT, user_agent,
                                                SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
                                                SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
                                                SOUP_SESSION_TIMEOUT, 60,
                                                SOUP_SESSION_IDLE_TIMEOUT, 60,
                                                NULL);
  soup_session_remove_feature_by_type (soup_session, SOUP_TYPE_CONTENT_DECODER);
  http_proxy = g_getenv ("http_proxy");
  if (http_proxy)
    {
      g_autoptr(SoupURI) proxy_uri = soup_uri_new (http_proxy);
      if (!proxy_uri)
        g_warning ("Invalid proxy URI '%s'", http_proxy);
      else
        g_object_set (soup_session, SOUP_SESSION_PROXY_URI, proxy_uri, NULL);
    }

  /* Log HTTP traffic (bodies truncated to 500 bytes) when OSTREE_DEBUG_HTTP is set. */
  if (g_getenv ("OSTREE_DEBUG_HTTP"))
    soup_session_add_feature (soup_session, (SoupSessionFeature *) soup_logger_new (SOUP_LOGGER_LOG_BODY, 500));

  return soup_session;
}

FROM LIBSOUP MANUAL:

The “ssl-use-system-ca-file” property

“ssl-use-system-ca-file” gboolean

Setting this to TRUE is equivalent to setting “tls-database” to the default system CA database. (and likewise, setting “tls-database” to the default database by hand will cause this property to become TRUE).

Setting this to FALSE (when it was previously TRUE) will clear the “tls-database” field.

See “ssl-strict” for more information on how https certificate validation is handled.

The “ssl-strict” property

“ssl-strict” gboolean

Normally, if “tls-database” is set (including if it was set via “ssl-use-system-ca-file” or “ssl-ca-file”), then libsoup will reject any certificate that is invalid (ie, expired) or that is not signed by one of the given CA certificates, and the SoupMessage will fail with the status SOUP_STATUS_SSL_FAILED.

If you set “ssl-strict” to FALSE, then all certificates will be accepted, and you will need to call soup_message_get_https_status() to distinguish valid from invalid certificates. (This can be used, eg, if you want to accept invalid certificates after giving some sort of warning.)

For a plain SoupSession, if the session has no CA file or TLS database, and this property is TRUE, then all certificates will be rejected.

--
Regards,
RG.

March 18, 2019 9:24 PM, "Ricardo Wurmus" <rekado@elephly.net> wrote:

Raghav Gururajan <rvgn@disroot.org> writes:

Yes, I did them. Still did not work.

I did the following to set env variables:

$ guix package -i nss-certs
$ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
$ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
$ export GIT_SSL_CAINFO="$SSL_CERT_FILE"

Flatpak uses libsoup with SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE. libsoup
delegates TLS handling to glib-networking.

Raghav, could you trace flatpak to see what certificate files it is
trying to access?

--
Ricardo
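The trace Ricardo asks for, as an added example that is not part of this bug thread nor of flatpak, libsoup or glib-networking. The script assumes strace is installed and uses `flatpak update` as the command to trace; the strace lines it parses are a constructed sample (the `/home/rg/...` path and the pids are made up), not a real capture. It also checks that the bundle SSL_CERT_FILE points at is readable and actually contains PEM certificates, which is the cheapest thing to rule out before reading a trace.

```shell
#!/bin/sh
# Added example, not from the bug thread or from flatpak/libsoup.
# Two helpers: is the CA bundle usable, and which certificate files does
# flatpak actually try to open (and with what result)?

# check_ca_bundle PATH
# Succeeds only if PATH is a readable file holding at least one PEM
# certificate; prints the certificate count. An unreadable or empty bundle
# is a common reason SSL_CERT_FILE "is set" but TLS validation still fails.
check_ca_bundle() {
  bundle="$1"
  [ -r "$bundle" ] || { echo "unreadable: $bundle" >&2; return 1; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  [ "$n" -gt 0 ] || { echo "no PEM certificates in $bundle" >&2; return 1; }
  echo "$n"
}

# strace_cert_paths
# Reads `strace -f -e trace=openat,access,stat` output on stdin and prints
# one "PATH<TAB>STATUS" line per certificate-looking path, STATUS being
# "ok" or the errno name (ENOENT, EACCES, ...). A path is "certificate-
# looking" if it contains "ssl", "cert" or "pki"; extend for other layouts.
strace_cert_paths() {
  awk '
    /(openat|open|access|stat|lstat|newfstatat)\(/ && /"[^"]*(ssl|cert|pki)[^"]*"/ {
      match($0, /"[^"]*"/)                 # first quoted string is the path
      path = substr($0, RSTART + 1, RLENGTH - 2)
      n = split($0, parts, / = /)          # syscall result follows the last " = "
      res = parts[n]
      if (res ~ /^-1 /) { split(res, r, " "); status = r[2] } else { status = "ok" }
      print path "\t" status
    }' | sort -u
}

# Constructed sample of strace output (not a real capture) so the parser can
# be exercised without flatpak or strace present.
sample_trace() {
  printf '%s\n' \
    '[pid 101] openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)' \
    '[pid 101] openat(AT_FDCWD, "/home/rg/.guix-profile/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 5' \
    '[pid 101] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3' \
    '[pid 101] access("/etc/pki/tls/certs", R_OK) = -1 EACCES (Permission denied)'
}

# Real run (needs strace and flatpak; the flatpak command line is assumed):
#   check_ca_bundle "$SSL_CERT_FILE"
#   strace -f -o /tmp/flatpak.trace -e trace=openat,access,stat flatpak update
#   strace_cert_paths < /tmp/flatpak.trace
```

`-f` follows child processes, and writing the trace to a file with `-o` keeps flatpak's own output out of the parser's input. A path listed with ENOENT that is not the one SSL_CERT_FILE points at tells you the TLS backend is looking somewhere else entirely, which is the question the thread is trying to answer.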