all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
@ 2019-09-10 15:37 Ludovic Courtès
  2019-09-10 16:35 ` Ricardo Wurmus
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2019-09-10 15:37 UTC (permalink / raw)
  To: bug-Guix

Hello,

The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, and it does
not either look at /etc/ssl/certs.

The culprit is this function:

--8<---------------cut here---------------start------------->8---
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
  std::string e;
  if (cafile && *cafile) {
    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#ifdef CMAKE_FIND_CAFILE
#  define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
  else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
    ::CURLcode res =
      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#  undef CMAKE_CAFILE_FEDORA
  else {
#  define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
    if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
    }
#  undef CMAKE_CAFILE_COMMON
#  define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
    if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
    }
#  undef CMAKE_CAPATH_COMMON
  }
#endif
  return e;
}
--8<---------------cut here---------------end--------------->8---

The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:

--8<---------------cut here---------------start------------->8---
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) &&                    \
  !defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
#  define CMAKE_FIND_CAFILE
#  include "cmSystemTools.h"
#endif
--8<---------------cut here---------------end--------------->8---

Thus it doesn’t look for certificates *at all*, and eventually fails
with:

--8<---------------cut here---------------start------------->8---
   Error when uploading file: …
   Error message was: server certificate verification failed. CAfile: none CRLfile: none
   Problems when submitting via HTTP
Errors while running CTest
--8<---------------cut here---------------end--------------->8---

For now I propose to provide a patched ‘cmake’ package that does the
right thing.

On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic.)

Ludo’.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
  2019-09-10 15:37 bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates Ludovic Courtès
@ 2019-09-10 16:35 ` Ricardo Wurmus
  2019-09-10 17:05   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 1 reply; 4+ messages in thread
From: Ricardo Wurmus @ 2019-09-10 16:35 UTC (permalink / raw)
  To: 37371


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> The ‘ctest’ command uses libcurl to submit reports to CDash servers.
> However, it does not “getenv” anything related to CA certs, and it does
> not either look at /etc/ssl/certs.
[…]
>
> For now I propose to provide a patched ‘cmake’ package that does the
> right thing.

This is the correct way, in my opinion.  The user of libcurl is supposed
to handle environment variable lookup.

> On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
> directly in libcurl, which may be the better long-term solution (though
> it’s unclear whether that could interfere with application logic.)

This idea has been around for a pretty long time.  I don’t really like
it, but it would solve so many problems where users of libcurl don’t do
env var lookups and fall back to the default, which is not guaranteed to
exist when using Guix on foreign distros or even on Guix System.

--
Ricardo

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
  2019-09-10 16:35 ` Ricardo Wurmus
@ 2019-09-10 17:05   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2019-09-10 22:13     ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2019-09-10 17:05 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: 37371

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

Ricardo,

Ricardo Wurmus 写道:
> This is the correct way, in my opinion.  The user of libcurl is 
> supposed
> to handle environment variable lookup.

I'm aware of this, but it seems like some users don't do this.

>> On #guix, Tobias also rightfully suggested adding a ‘getenv’ 
>> call
>> directly in libcurl, which may be the better long-term solution 
>> (though
>> it’s unclear whether that could interfere with application 
>> logic.)
>
> This idea has been around for a pretty long time.  I don’t 
> really like
> it, but it would solve so many problems where users of libcurl 
> don’t do
> env var lookups and fall back to the default, which is not 
> guaranteed to
> exist when using Guix on foreign distros or even on Guix System.

Yeah, I explicitly said it was evil ;-)

I don't ‘like’ it either, but don't know enough about libcurl to 
think of a better solution.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
  2019-09-10 17:05   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2019-09-10 22:13     ` Ludovic Courtès
  0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2019-09-10 22:13 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 37371-done

Hello,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> Ricardo Wurmus 写道:
>> This is the correct way, in my opinion.  The user of libcurl is
>> supposed
>> to handle environment variable lookup.
>
> I'm aware of this, but it seems like some users don't do this.

I’ve pushed this as 489d16577e4a6ccc30f3719d9263900089edd842.

We can revisit the libcurl issue later on (as we regularly do :-)).

Thanks for your feedback,
Ludo’.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-09-10 22:14 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-09-10 15:37 bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates Ludovic Courtès
2019-09-10 16:35 ` Ricardo Wurmus
2019-09-10 17:05   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-09-10 22:13     ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.