no way to use /etc/ssl/certs system trust directory with GnuTLS #330

Closed
dangowrt opened this issue Jun 29, 2015 · 5 comments
@dangowrt

When building with GnuTLS, curl doesn't utilize GnuTLS' system trust, nor does it support using a CA path at build time [1] or at run-time, even though this is defined at least for recent versions of GnuTLS in [2].
This is odd, as it leaves users of distributions that don't ship a certificate bundle (which could be used via --cacert) but only come with a bunch of files in /etc/ssl/certs/ without any option to get working TLS with curl and GnuTLS out of the box.

@ghedo (Contributor) commented Jun 29, 2015

> nor does it support to use a CA path at build time 1 nor at run-time

This is just not true. You can use the --with-ca-path=/etc/ssl/certs configure option at build time and the CURLOPT_CAPATH option at runtime to set the CA path. I should know, since I wrote the code to support this. In fact the official Debian packages do set --with-ca-path with the GnuTLS flavour at build time just fine.

@ghedo (Contributor) commented Jun 29, 2015

> though defined at least for recent versions of GnuTLS in 2

Although yes, it does require GnuTLS 3.3.6 or later (your patch also requires at least GnuTLS 3.0.10)

@ghedo (Contributor) commented Jun 29, 2015

> at least GnuTLS 3.0.10

Sorry, I meant 3.0.20.
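
A check for the situation discussed above, added here as an example and not code from the curl project: it reads a curl build's own diagnostics (the first line of `curl --version` and the output of `curl-config --configure`) and reports whether a CA path can be honoured under the GnuTLS version thresholds ghedo gives. The two sample lines, the function names and the verdict strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the curl project: decide from a curl build's own
# diagnostics whether a CA path (--with-ca-path / CURLOPT_CAPATH) can be
# honoured under GnuTLS. Thresholds are the ones given in the thread:
# CA path needs GnuTLS >= 3.3.6; the gnutls_certificate_set_x509_system_trust
# fall-back used by the OpenWrt patch needs GnuTLS >= 3.0.20.

# Constructed sample lines standing in for `curl --version` (first line) and
# `curl-config --configure`; substitute the live command output to use them.
SAMPLE_VERSION='curl 7.43.0 (x86_64-pc-linux-gnu) libcurl/7.43.0 GnuTLS/3.3.15 zlib/1.2.8'
SAMPLE_CONFIGURE="'--prefix=/usr' '--with-gnutls' '--with-ca-path=/etc/ssl/certs'"

# version_ge A B: succeed when dotted version A >= B, compared numerically
# component by component (so 3.10.0 > 3.9.99 and 3.3 equals 3.3.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print the GnuTLS version from a `curl --version` line, or nothing if the
# build uses another TLS backend.
gnutls_version() {
    printf '%s\n' "$1" | sed -n 's|.*GnuTLS/\([0-9.]*\).*|\1|p'
}

# Print the directory given to --with-ca-path in `curl-config --configure`.
configured_capath() {
    printf '%s\n' "$1" | sed -n "s|.*--with-ca-path=\([^ ']*\).*|\1|p"
}

# capath_status VERSION_LINE CONFIGURE_LINE: one-word verdict for scripts.
capath_status() {
    ver=$(gnutls_version "$1"); dir=$(configured_capath "$2")
    if [ -z "$ver" ]; then echo "not-gnutls"; return; fi
    if ! version_ge "$ver" 3.3.6; then
        # CA path cannot be used with this GnuTLS; only --cacert, or the
        # system-trust API (present from 3.0.20), can supply trust anchors.
        if version_ge "$ver" 3.0.20; then echo "capath-unsupported:system-trust-api-available"
        else echo "capath-unsupported"; fi
        return
    fi
    if [ -n "$dir" ]; then echo "capath:$dir"; else echo "capath-not-configured"; fi
}

capath_status "$SAMPLE_VERSION" "$SAMPLE_CONFIGURE"   # capath:/etc/ssl/certs
```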

dangowrt added a commit to openwrt/packages that referenced this issue Jun 29, 2015
If no explicit CA file is given, gnurl fails to set up HTTPS connections
as it doesn't look for certificates in /etc/ssl/certs/ in any way.
Fix that by utilizing GnuTLS' gnutls_certificate_set_x509_system_trust
as a fall-back if neither CA file, CA path nor SRP is declared.

Reported upstream: curl/curl#330
Fix suggested upstream: curl/curl#331

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
@dangowrt (Author)

I see, that was by commit 5a1614c which is quite recent. I'll see if cherry-picking that instead also solves the issue.

@dangowrt (Author)

I added GnuTLS version check and updated the pull-request, see https://github.com/dangowrt/curl/commit/03dcd3c085b4c22c5788fab345f6acd68d3b64d0
Using --with-ca-path indeed works after 5a1614c on recent-enough GnuTLS.

@jay jay added the TLS label Jul 2, 2015
@bagder bagder closed this as completed Sep 13, 2015
@lock lock bot locked as resolved and limited conversation to collaborators May 7, 2018