
cURL 8.10.0 --with-ca-bundle not work #14879

Closed
rampageX opened this issue Sep 12, 2024 · 9 comments

Comments

@rampageX

I did this

I cross-compile cURL 8.10.0 on Alpine for an armv5 device, configure:

    CC=${host}-gcc CXX=${host}-g++ CPPFLAGS="${CPPFLAGS}" LDFLAGS="${LDFLAGS}" \
    LDFLAGS="--static -static -Wl,--no-as-needed -L${lib_dir}" LIBS="-lpthread" \
    LD_LIBRARY_PATH="-L${lib_dir}" PKG_CONFIG_PATH="${lib_dir}/pkgconfig" \
    ./configure \
    --build="x86_64-alpine-linux-musl" \
    --host="${host}" \
    --target="${host}" \
    --prefix="${install_dir}" \
    --enable-static --disable-shared \
    --with-openssl "${with_openssl_quic}" --with-brotli --with-zstd \
    --with-nghttp2 --with-nghttp3 \
    --with-libidn2 --with-libssh2 \
    --enable-hsts --enable-mime --enable-cookies \
    --enable-http-auth --enable-manual \
    --enable-proxy --enable-file --enable-http \
    --enable-ftp --enable-telnet --enable-tftp \
    --enable-pop3 --enable-imap --enable-smtp \
    --enable-gopher --enable-mqtt \
    --enable-doh --enable-dateparse --enable-verbose \
    --enable-alt-svc --enable-websockets \
    --enable-ipv6 --enable-unix-sockets --enable-socketpair \
    --enable-headers-api --enable-versioned-symbols \
    --enable-threaded-resolver --enable-optimize --enable-pthreads \
    --enable-warnings --enable-werror \
    --enable-curldebug --enable-dict --enable-netrc \
    --enable-bearer-auth --enable-tls-srp --enable-dnsshuffle \
    --enable-get-easy-options --enable-progress-meter \
    --enable-ares --disable-ldap --disable-ldaps \
    --with-ca-embed=/root/src/curl-ca-bundle.crt \
    --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
    --with-ca-path=/etc/ssl/certs \
    --with-ca-fallback

I got the result:

/tmp/curl -V
curl 8.10.0 (arm-unknown-linux-musleabi) libcurl/8.10.0 quictls/3.1.5 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.32.3 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.1 ngtcp2/1.6.0 nghttp3/1.4.0
Release-Date: 2024-09-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli CAcert HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets zstd

But when I run /tmp/curl --dump-ca-embed, nothing is output, and it fails to connect to an https site:

/tmp/curl -Iv https://www.msn.com
Note: Using embedded CA bundle (0 bytes)
Note: Using embedded CA bundle, for proxies (0 bytes)
* Host www.msn.com:443 was resolved.
* IPv6: (none)
* IPv4: 204.79.197.203
*   Trying 204.79.197.203:443...
* Connected to www.msn.com () port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error importing CA certificate blob
* error importing CA certificate blob
* closing connection #0
curl: (77) error importing CA certificate blob

I expected the following

cURL should successfully use the embedded CA.

curl/libcurl version

curl 8.10.0 (arm-unknown-linux-musleabi) libcurl/8.10.0 quictls/3.1.5 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.32.3 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.1 ngtcp2/1.6.0 nghttp3/1.4.0
Release-Date: 2024-09-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli CAcert HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets zstd

operating system

Linux rt-ac5300 2.6.36.4brcmarm #8 SMP PREEMPT Thu Aug 1 21:48:58 CEST 2024 armv7l GNU/Linux

@vszakats
Member

vszakats commented Sep 12, 2024

I could not replicate this locally. It seems the bundle was embedded, but with no content. In theory this can happen if /root/src/curl-ca-bundle.crt is present but not readable (edit: or empty).

What is the content of your <builddir>/src/tool_ca_embed.c?

@bagder
Member

bagder commented Sep 12, 2024

I can reproduce. (Or at least I could once)

The src/Makefile.am sets up the rule $(CA_EMBED_CSOURCE): $(MK_FILE_EMBED), which rebuilds the source file only if the CA cert file is newer than the source file. This is of course not necessary if we just point to an old CA cert file made from before we unpacked the curl tarball.

Also: we might want to rerun the command if the generator script is updated.

@bagder
Member

bagder commented Sep 12, 2024

Hm no that seems like the wrong analysis. But I did get an empty src/tool_ca_embed.c on first invoke...

@vszakats
Member

Ah, right. I still can't reproduce to rebuild the interim C file with empty content. Would this fix it though?:

--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -140,7 +140,7 @@ CLEANFILES += $(CA_EMBED_CSOURCE)
 if CURL_CA_EMBED_SET
 AM_CPPFLAGS += -DCURL_CA_EMBED
 MK_FILE_EMBED = $(top_srcdir)/src/mk-file-embed.pl
-$(CA_EMBED_CSOURCE): $(MK_FILE_EMBED)
+$(CA_EMBED_CSOURCE): $(MK_FILE_EMBED) $(CURL_CA_EMBED)
 	$(PERL) $(MK_FILE_EMBED) --var curl_ca_embed < $(CURL_CA_EMBED) > $(CA_EMBED_CSOURCE)
 else
 $(CA_EMBED_CSOURCE):
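Review bot: the new $(CURL_CA_EMBED) prerequisite cannot resolve to the bundle on disk while configure still substitutes the value with nested double quotes (CURL_CA_EMBED='"'$want_ca_embed'"' in acinclude.m4): the shell redirection `< $(CURL_CA_EMBED)` tolerated the quotes, but as a make prerequisite the name literally contains them, so make reports no rule to make that target instead of rebuilding tool_ca_embed.c. This Makefile.am change needs the matching quoting fix in acinclude.m4 landed with it.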

@bagder
Member

bagder commented Sep 12, 2024

It looks like a correct fix nonetheless

@vszakats
Member

vszakats commented Sep 12, 2024

OK, managed to repro in an empty dir with the distro tarball. The distro tarball comes with a pre-generated empty interim C file, which prevents generating it again (on conditions).

This fixes it (for me, tested with an out-of-tree build, edit: in-tree works too), but I wonder how to tell autotools to not distribute that file?:

--- a/acinclude.m4
+++ b/acinclude.m4
@@ -1360,7 +1360,7 @@ AS_HELP_STRING([--without-ca-embed], [Don't embed a default CA bundle]),
 
   CURL_CA_EMBED=''
   if test "x$want_ca_embed" != "xno" -a "x$want_ca_embed" != "xunset" -a -f "$want_ca_embed"; then
-    CURL_CA_EMBED='"'$want_ca_embed'"'
+    CURL_CA_EMBED="$want_ca_embed"
     AC_SUBST(CURL_CA_EMBED)
     AC_MSG_RESULT([$want_ca_embed])
   else
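Review bot: the unchanged guard on the `if` line only tests `-f "$want_ca_embed"`, so a bundle that exists but is unreadable or empty still passes configure and ends up embedded as 0 bytes, which is exactly the "Using embedded CA bundle (0 bytes)" symptom reported above; extending the test to `-f "$want_ca_embed" -a -r "$want_ca_embed" -a -s "$want_ca_embed"` (or failing with AC_MSG_ERROR when the file is given but unusable) would reject it at configure time. Dropping the nested quotes is the right call for the make prerequisite, but note the value is now expanded unquoted in the `< $(CURL_CA_EMBED)` redirection of the rule, so a path containing whitespace remains unsupported and that limitation should be documented.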
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -140,7 +140,7 @@ CLEANFILES += $(CA_EMBED_CSOURCE)
 if CURL_CA_EMBED_SET
 AM_CPPFLAGS += -DCURL_CA_EMBED
 MK_FILE_EMBED = $(top_srcdir)/src/mk-file-embed.pl
-$(CA_EMBED_CSOURCE): $(MK_FILE_EMBED)
+$(CA_EMBED_CSOURCE): $(MK_FILE_EMBED) $(CURL_CA_EMBED)
 	$(PERL) $(MK_FILE_EMBED) --var curl_ca_embed < $(CURL_CA_EMBED) > $(CA_EMBED_CSOURCE)
 else
 $(CA_EMBED_CSOURCE):
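Review bot: the added prerequisite only causes a rebuild when the bundle's mtime is newer than tool_ca_embed.c, so the empty interim file shipped in the distro tarball still wins whenever the extracted copy is newer than the user's bundle (the usual case when the bundle was downloaded before unpacking, as bagder pointed out above). The dependency is necessary but not sufficient for the reported case: the generated file must also stop being distributed (for example by listing it under a nodist_ prefixed sources variable) or be removed before the rule is evaluated.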

@bagder
Member

bagder commented Sep 12, 2024

how to tell autotools to not distribute that file?

I think we can at least do it like this:

diff --git a/src/Makefile.am b/src/Makefile.am
index c1c223b26..be1ec225e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -172,5 +172,8 @@ listhelp:
 
 if HAVE_WINDRES
 .rc.o:
        $(RC) -I$(top_srcdir)/include -DCURL_EMBED_MANIFEST $(RCFLAGS) -i $< -o $@
 endif
+
+dist-hook:
+       rm -f $(distdir)/$(CA_EMBED_CSOURCE)
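Review bot: deleting the file in dist-hook only works around automake adding $(CA_EMBED_CSOURCE) to the tarball because it is listed in a *_SOURCES variable; declaring it under a nodist_ prefixed sources variable keeps it out of the distribution by construction and does not depend on a hook running after the copy. Also confirm the recipe line is tab-indented in the committed file; as rendered here both `$(RC)` and `rm -f` appear space-indented, which make rejects with a "missing separator" error.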

vszakats added a commit to vszakats/curl that referenced this issue Sep 12, 2024
Add missing rule dependency on the user-specified CA bundle. This fixes
including it when using the curl distro tarball, and other cases.

Also fix the internal name of the CA bundle to avoid nested quotes. It
broke the rule dependency for the make tool.

Reported-by: rampageX on github
Fixes curl#14879
@vszakats
Member

vszakats commented Sep 12, 2024

Meanwhile the stop-gap workaround is to rm src/tool_ca_embed.c.

edit: corrected filename.
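A pre-flight check for the file handed to --with-ca-embed (the unreadable or empty bundle vszakats describes above) and a post-build comparison against the output of --dump-ca-embed to confirm the rm workaround actually took, as an added example that is not part of this thread or of the curl project. It assumes only POSIX sh and grep; the function names and the fake PEM blocks in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not curl project code. Pre-flight check for the bundle given
# to --with-ca-embed, plus a post-build comparison against --dump-ca-embed.
# Function names are assumptions; the sample PEM data below is constructed.

# Print the number of PEM certificate blocks in a file (0 if missing/empty).
count_pem_certs() {
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# Return 0 only if the bundle exists, is readable, is non-empty and holds at
# least one certificate. These are the cases that otherwise get embedded as
# "0 bytes" and fail at the first TLS handshake with curl: (77).
check_ca_bundle() {
  bundle=$1
  [ -f "$bundle" ] || { echo "ca-embed: $bundle: no such file" >&2; return 1; }
  [ -r "$bundle" ] || { echo "ca-embed: $bundle: not readable" >&2; return 1; }
  [ -s "$bundle" ] || { echo "ca-embed: $bundle: empty file" >&2; return 1; }
  n=$(count_pem_certs "$bundle")
  [ "$n" -gt 0 ] || { echo "ca-embed: $bundle: no PEM certificates" >&2; return 1; }
  echo "ca-embed: $bundle: $n certificate(s)"
}

# Compare the bundle ($1) with a saved dump of `curl --dump-ca-embed` ($2).
# A count mismatch means the binary does not carry the bundle you configured.
check_embed_matches() {
  want=$(count_pem_certs "$1")
  got=$(count_pem_certs "$2")
  if [ "$want" -eq 0 ] || [ "$got" -ne "$want" ]; then
    echo "ca-embed: bundle has $want certificate(s), binary dumps $got" >&2
    return 1
  fi
  echo "ca-embed: binary dumps all $got certificate(s)"
}

# Demo on constructed input: an empty file (the reported failure mode) and a
# fake two-certificate bundle. The base64 bodies are placeholders, not certs.
demo() {
  d=$(mktemp -d)
  : > "$d/empty.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'QkJCQg==' '-----END CERTIFICATE-----' \
                > "$d/bundle.crt"
  check_ca_bundle "$d/empty.crt" || echo "ca-embed: rejected empty bundle (expected)"
  check_ca_bundle "$d/bundle.crt"
  check_embed_matches "$d/bundle.crt" "$d/bundle.crt"
  rm -rf "$d"
}
demo
```

Run `check_ca_bundle /root/src/curl-ca-bundle.crt` before ./configure. After removing src/tool_ca_embed.c and rebuilding, save `./src/curl --dump-ca-embed > dump.pem` and run `check_embed_matches /root/src/curl-ca-bundle.crt dump.pem`; a stale 0-byte embed then shows up as a count mismatch on the build host instead of as a failed handshake on the target.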

@vszakats vszakats changed the title cURL 8.10.0 -with-ca-bundle not work cURL 8.10.0 --with-ca-bundle not work Sep 12, 2024
@rampageX
Author

Meanwhile the stop-gap workaround is to rm src/tool-ca-embed.c.

rm src/tool_ca_embed.c worked; it is '_', not '-'.
