openssl: add x509 cert chain handling patches #38897
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,12 +21,20 @@ class Openssl < Formula | |
keg_only :provided_by_osx, | ||
"Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries" | ||
|
||
# This is a workaround for Apple removing the Equifax Secure CA root from the System in 10.10.3 | ||
# Their doing so has broken certificate verification and consquently secure connection for dependants. | ||
# Scope this to Yosemite and remove immediately once Apple have fixed the issue. | ||
resource "Equifax_CA" do | ||
url "https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem" | ||
sha256 "f24e19fb93983b4fd0a377335613305f330c699892c789356eb216449804d0e9" | ||
# Remove both patches with the 1.0.2b release. | ||
# They fix: | ||
# https://github.com/Homebrew/homebrew/pull/38495 | ||
# https://github.com/Homebrew/homebrew/issues/38491 | ||
# Upstream discussions: | ||
# https://www.mail-archive.com/openssl-dev@openssl.org/msg38674.html | ||
patch do | ||
url "https://github.com/openssl/openssl/commit/6281abc796234.diff" | ||
sha256 "f8b94201ac2cd7dcdee3b07fb3cd77a2de6b81ea67da9ae075cf06fb0ba73cea" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In addition, this one has become relevant and should be added: https://github.com/openssl/openssl/commit/e5991ec528b1c339062440811e2641f5ea2b328b.patch There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Upstream explicitly told me not to use this one. Something change?
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry, I missed that part. Nevermind! |
||
end | ||
|
||
patch do | ||
url "https://github.com/openssl/openssl/commit/dfd3322d72a2.diff" | ||
sha256 "0602eef6e38368c7b34994deb9b49be1a54037de5e8b814748d55882bfba4eac" | ||
end | ||
|
||
def arch_args | ||
|
@@ -37,13 +45,13 @@ def arch_args | |
end | ||
|
||
def configure_args; %W[ | ||
--prefix=#{prefix} | ||
--openssldir=#{openssldir} | ||
no-ssl2 | ||
zlib-dynamic | ||
shared | ||
enable-cms | ||
] | ||
--prefix=#{prefix} | ||
--openssldir=#{openssldir} | ||
no-ssl2 | ||
zlib-dynamic | ||
shared | ||
enable-cms | ||
] | ||
end | ||
|
||
def install | ||
|
@@ -120,10 +128,8 @@ def post_install | |
openssldir.mkpath | ||
(openssldir/"cert.pem").atomic_write `security find-certificate -a -p #{keychains.join(" ")}` | ||
|
||
if MacOS.version == :yosemite | ||
(openssldir/"certs").install resource("Equifax_CA") | ||
system bin/"c_rehash" | ||
end | ||
# Remove this once 1.0.2b lands. | ||
rm_f openssldir/"certs/Equifax_CA" if MacOS.version == :yosemite | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. c_rehash generates a copy of the cert, doesn't it? Do we need to remove that as well? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It generates a symlink rather than a copy. If you kill the actual cert, the symlink becomes ineffective. If the symlink is named There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The file was named |
||
end | ||
|
||
def caveats; <<-EOS.undent | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit pick: If you use .patch, github will return a
git am
'able format that applies cleanly with patch (as used by brew) and is self-explanatory. Not sure what brew's policy on this is.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't use
.patch
because thegit
version is appended and it can break if upgraded or something like that. @MikeMcQuaid explains it better/clearer/more accurately/more eloquently than I do.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What @DomT4 said.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😸