
upgrade mbedtls to 2.5. curl to 7.54.1 #19135

Merged
merged 2 commits into from
Jul 12, 2017

Conversation

tkelman (Contributor) commented Oct 27, 2016

New versions of MPFR, mbedtls, libssh2, and libgit2. Several patches are now included upstream in the latter 3 cases. This is failing on startup somewhere in libgit2, hence the WIP. We're also expecting a new curl version with several security fixes next week, ref https://curl.haxx.se/mail/lib-2016-10/0076.html. If I can sort out the libgit2 issue before then I'll add that here, if not I'll do it on its own once it's available. edit: curl and mpfr done in #19216

edit2: closes #19457

tkelman (Contributor, Author) commented Nov 4, 2016

Alright, looks as though the libgit2 initialization error was caused by upgrading mbedtls, so there may have been an API change that we need to take into account somewhere. If anyone has any breadcrumbs to share about debugging advice from, say, the certificate-related issues we had recently with mbedtls, would be appreciated.

@tkelman tkelman changed the title WIP: upgrade a few dependencies WIP: upgrade mbedtls to 2.4 Nov 5, 2016
tkelman (Contributor, Author) commented Nov 5, 2016

moved everything other than mbedtls to #19216, since the others all seem to work.

@tkelman tkelman added the status:help wanted Indicates that a maintainer wants help on an issue or pull request label Jan 16, 2017
@tkelman tkelman changed the title WIP: upgrade mbedtls to 2.4 WIP: upgrade mbedtls to 2.5 Jun 22, 2017
tkelman (Contributor, Author) commented Jun 22, 2017

I could really use a hand from some libgit2-familiar folks in debugging the initialization error here.

iamed2 (Contributor) commented Jun 22, 2017

@omus Could this be the issue we ran into before?

omus (Member) commented Jun 23, 2017

It does look like #20439. I guess it is time to fix that...

omus (Member) commented Jun 23, 2017

I looked into this and found that when we load the default certificate chain on linux the mbedTLS function mbedtls_x509_crt_parse_file is returning the value 1. This value is referring to the number of failed certificates encountered and implies a partial success.

I'm unsure what mbedTLS change has resulted in the following certificate being deemed invalid:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
    Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  1 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
                    db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
                    11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
                    1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
                    63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
                    42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
                    5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
                    e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
                    71:64:4c:65:2e:81:68:45:a7
                Exponent: 65537 (0x10001)
    Signature Algorithm: md2WithRSAEncryption
         bb:4c:12:2b:cf:2c:26:00:4f:14:13:dd:a6:fb:fc:0a:11:84:
         8c:f3:28:1c:67:92:2f:7c:b6:c5:fa:df:f0:e8:95:bc:1d:8f:
         6c:2c:a8:51:cc:73:d8:a4:c0:53:f0:4e:d6:26:c0:76:01:57:
         81:92:5e:21:f1:d1:b1:ff:e7:d0:21:58:cd:69:17:e3:44:1c:
         9c:19:44:39:89:5c:dc:9c:00:0f:56:8d:02:99:ed:a2:90:45:
         4c:e4:bb:10:a4:3d:f0:32:03:0e:f1:ce:f8:e8:c9:51:8c:e6:
         62:9f:e6:9f:c0:7d:b7:72:9c:c9:36:3a:6b:9f:4e:a8:ff:64:
         0d:64

Going forward I think we should:

  1. Report better error messages when mbedTLS initialization fails. Currently there are four separate errors that can occur which are all currently reported as "error initializing LibGit2 module". (done)
  2. Allow partial successes. I believe this would solve #20439 (SSL_CERT_DIR can cause LibGit2 initialization error). (done)
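The two points above turn on how the return value of mbedtls_x509_crt_parse_file should be interpreted: 0 means every certificate in the bundle parsed, a positive number is the count of certificates that failed to parse (partial success, as with the value 1 seen here), and a negative value is a library error code meaning nothing parsed. The following is an added example, not code from mbedTLS, libgit2 or Julia's LibGit2 module: it models that return convention with a constructed toy bundle and shows the caller policy proposed in the thread (fail initialization only when no certificate parsed, otherwise continue and report how many were skipped). It assumes, as a plausible explanation consistent with the md2WithRSAEncryption signature shown above, that MD2 is not enabled in the default mbedTLS 2.x configuration; the struct, function names and the error constant are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the mbedtls_x509_crt_parse return convention
 * (example code, not mbedTLS or libgit2 source):
 *   0   every certificate in the bundle parsed
 *   >0  number of certificates that failed (partial success)
 *   <0  no certificate parsed at all; a library error code
 */
#define ERR_BUNDLE_UNPARSABLE (-1) /* placeholder, not a real mbedTLS error value */

/* Toy certificate record with only the fields this example needs. */
struct toy_cert {
    const char *subject;
    const char *sig_alg;   /* e.g. "md2WithRSAEncryption" */
};

/* Assumption: MD2 is not compiled into the default mbedTLS 2.x config,
 * so a certificate signed with md2WithRSAEncryption cannot be parsed. */
static int sig_alg_supported(const char *alg)
{
    return strcmp(alg, "md2WithRSAEncryption") != 0;
}

/* Mimic mbedtls_x509_crt_parse over an in-memory bundle: count failures,
 * but only report a negative error if nothing at all parsed. */
int parse_bundle(const struct toy_cert *certs, size_t n)
{
    int failed = 0, succeeded = 0;
    for (size_t i = 0; i < n; i++) {
        if (sig_alg_supported(certs[i].sig_alg))
            succeeded++;
        else
            failed++;
    }
    if (succeeded > 0)
        return failed;            /* 0 or a positive count */
    return ERR_BUNDLE_UNPARSABLE; /* no certificate usable */
}

/* Caller policy proposed in the thread: proceed on full or partial success,
 * fail initialization only when no CA certificate could be loaded. */
int should_proceed(int rc)
{
    return rc >= 0;
}

/* Produce the specific message the thread asks for instead of a generic
 * "error initializing LibGit2 module". Returns msg for convenience. */
const char *describe_parse_result(int rc, char *msg, size_t msglen)
{
    if (rc < 0)
        snprintf(msg, msglen, "no CA certificate could be parsed (code %d)", rc);
    else if (rc > 0)
        snprintf(msg, msglen, "warning: %d CA certificate(s) skipped as unparsable; continuing", rc);
    else
        snprintf(msg, msglen, "all CA certificates parsed");
    return msg;
}

/* Constructed sample bundle: the MD2-signed root among SHA-256-signed ones.
 * Expected result: 1 (partial success, one certificate skipped). */
int sample_bundle_result(void)
{
    const struct toy_cert bundle[] = {
        { "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "md2WithRSAEncryption" },
        { "CN=Example Root CA (constructed)", "sha256WithRSAEncryption" },
        { "CN=Another Root CA (constructed)", "sha256WithRSAEncryption" },
    };
    return parse_bundle(bundle, sizeof bundle / sizeof bundle[0]);
}

/* Constructed bundle where every certificate is MD2-signed: expected negative. */
int md2_only_bundle_result(void)
{
    const struct toy_cert bundle[] = {
        { "CN=Old Root A (constructed)", "md2WithRSAEncryption" },
        { "CN=Old Root B (constructed)", "md2WithRSAEncryption" },
    };
    return parse_bundle(bundle, sizeof bundle / sizeof bundle[0]);
}

int main(void)
{
    char msg[128];
    int rc = sample_bundle_result();
    printf("rc=%d proceed=%d: %s\n", rc, should_proceed(rc), describe_parse_result(rc, msg, sizeof msg));
    rc = md2_only_bundle_result();
    printf("rc=%d proceed=%d: %s\n", rc, should_proceed(rc), describe_parse_result(rc, msg, sizeof msg));
    return 0;
}
```

The design point is that a positive return is not an error in the mbedTLS convention; a caller that treats any non-zero value as fatal will refuse to start whenever the system store contains a single legacy root, which is the failure mode described in this thread. Continuing on partial success only drops the unparsable certificates from the trust store, so the message should state how many were skipped so that an unexpectedly large count is noticed.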

tkelman (Contributor, Author) commented Jun 23, 2017

So would this need to be addressed within our mbedtls-support patch to libgit2? Since libgit2 0.26.0 is out now, we probably want to rebase that anyway, and take another crack at getting it through upstream review. Latest activity was in libgit2/libgit2#4173.

@omus omus mentioned this pull request Jun 29, 2017
@tkelman tkelman reopened this Jul 3, 2017
@tkelman tkelman removed the status:help wanted Indicates that a maintainer wants help on an issue or pull request label Jul 3, 2017
@tkelman tkelman changed the title WIP: upgrade mbedtls to 2.5 upgrade mbedtls to 2.5. curl to 7.54.1 Jul 3, 2017
tkelman (Contributor, Author) commented Jul 3, 2017

looks like we're in business, thanks much @omus!

tkelman (Contributor, Author) commented Jul 5, 2017

Having trouble locally replicating the travis issue.

@jlbuild !nuke

Base.runtests("pkg libgit2 libgit2-online download")

@tkelman tkelman force-pushed the tk/depupgrades branch 2 times, most recently from 3a121fa to 4173cf8 on July 11, 2017 12:48
tkelman (Contributor, Author) commented Jul 12, 2017

The problem this was having on Travis has gone away now that it's using trusty. Will merge tomorrow if no objections. Tested it locally on Windows, so shouldn't have any post-merge failures when this makes it into nightlies.

@tkelman tkelman merged commit 5eb4112 into master Jul 12, 2017
@tkelman tkelman deleted the tk/depupgrades branch July 12, 2017 17:16
Successfully merging this pull request may close these issues.

Bump mbedTLS library version