From: Marius Bakke
Subject: bug#28948: feh does encounter certificate errors with valid certificates
Date: Sun, 29 Oct 2017 13:27:29 +0100
Message-ID: <871slm5eby.fsf@fastmail.com>
References: <20171022203339.qomgp4xm2rqh4zwe@abyayala>
In-Reply-To: <20171022203339.qomgp4xm2rqh4zwe@abyayala>
List-Id: Bug reports for GNU Guix
To: ng0, 28948@debbugs.gnu.org

ng0 writes:

> feh https://i.imgur.com/263enxT.jpg
> feh opens image
>
> Problem:
> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
> feh: No loadable images specified.
> See 'man feh' for detailed usage information

This is the same issue with libcurl as has been discussed many times in the past. Since it won't be fixed upstream any time soon (support for CURL_CA_BUNDLE has been removed also for Windows), I suggest we "bite the bullet" this time and add a hard-coded default.

I've verified that this patch works (on GuixSD):

From 2ae03883c2526965f1a93cf5c691c41f02dc14b4 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Fri, 9 Jun 2017 16:45:38 +0200
Subject: [PATCH] gnu: curl: Look up SSL certificates in /etc/ssl/certs by default.

* gnu/packages/curl.scm (curl)[arguments]<#:configure-flags>: Add '--with-ca-path'.
<#:phases>: Delete test that tries to use it.
---
 gnu/packages/curl.scm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 2e4a48d1e..7248a6d40 100644 =2D-- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -67,7 +67,14 @@ ("pkg-config" ,pkg-config) ("python" ,python-2))) (arguments =2D `(#:configure-flags '("--with-gnutls" "--with-gssapi") + `(#:configure-flags '("--with-gnutls" "--with-gssapi" + ;; Hard-code a default CA certificate path so th= at + ;; most things work "out of the box", at least on + ;; GuixSD and Debian-based distributions. + ;; libcurl does not support overriding this at r= untime + ;; except through the API, and it's impractical = to + ;; patch every application to respect CURL_CA_BU= NDLE. + "--with-ca-bundle=3D/etc/ssl/certs/ca-certificat= es.crt") ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl #:phases (modify-phases %standard-phases 
@@ -87,6 +94,10 @@ (substitute* "tests/runtests.pl" (("/bin/sh") (which "sh"))) =20 + ;; XXX: This test fails because the default CA bundle path + ;; does not exist in the build environment. + (delete-file "tests/data/test324") + ;; XXX FIXME: Test #1510 seems to work on some machines and not ;; others, possibly based on the kernel version. It works on G= uixSD ;; on x86_64 with linux-libre-4.1, but fails on Hydra for both = i686 =2D-=20 2.14.3
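
Review bot: The commit log and the added flag disagree in the first hunk (@@ -67,7 +67,14 @@). The ChangeLog entry says "Add '--with-ca-path'" and the subject says certificates are looked up "in /etc/ssl/certs", but the line actually added passes --with-ca-bundle with the single file /etc/ssl/certs/ca-certificates.crt. Please make the log entry name the flag that is really added. The new comment would also be more useful if it stated what happens on systems where that file is absent, since the second hunk notes that the path does not exist in the build environment; applications that set no CA location themselves will depend entirely on this one host path for their trust anchors.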
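
Review bot: The (delete-file "tests/data/test324") line in the second hunk (@@ -87,6 +94,10 @@) drops a test without saying what it covers. The XXX comment explains why the test fails but not what test 324 exercises, so a reader cannot tell which coverage is being given up; suggest naming the test's purpose in the comment. The deletion also sits in the same phase as the substitute* on tests/runtests.pl, whose comment in the first hunk's context reads "Add a phase to patch '/bin/sh' occurances in tests/runtests.pl", so that comment no longer describes everything the phase does. Either update it or give the deletion its own phase.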