global SSL configuration inheritance and SSL_CERT_FILE environment variable #576

Merged: oliverkurth merged 4 commits into dev from topic/okurth/global-ssl-settings on May 26, 2026

@oliverkurth
Contributor

Summary

This PR introduces global SSL configuration inheritance and SSL_CERT_FILE environment variable support to tdnf, ensuring that SSL settings follow a canonical precedence hierarchy.

Previously, sslcacert had to be explicitly defined in every single .repo file, which was problematic for transparent MITM proxies. Additionally, tdnf did not respect the standard SSL_CERT_FILE environment variable.

Changes Made

  • Global SSL Configuration: Added support for parsing sslcacert, sslclientcert, and sslclientkey in the [main] section of tdnf.conf. These settings are now inherited by all repositories unless explicitly overridden.
  • Environment Variable Support: Added support for the SSL_CERT_FILE environment variable to override configuration files.
  • Canonical Precedence Hierarchy: Enforced the standard configuration precedence (from highest to lowest priority):
    1. Command-line arguments (--setopt=sslcacert=... or --setopt=repoid.sslcacert=...)
    2. Environment variable (SSL_CERT_FILE)
    3. Per-repository configuration (.repo files)
    4. Global configuration (tdnf.conf)
  • Memory Leak Fix: Fixed a pre-existing memory leak where pszSnapshotUrl and pszSnapshotFile were not being freed when destroying repository data structures. Consolidated TDNFFreeReposInternal and TDNFFreeRepos to prevent future drift.
  • Test Suite Updates: Added a new pytest module (test_ssl_config.py) that spins up a local HTTPS server with self-signed certificates to verify the new inheritance and precedence logic. Updated TestUtils.run() in conftest.py to accept custom environment variables for testing.

Signed-off-by: Oliver Kurth <oliver.kurth@broadcom.com>
Signed-off-by: Oliver Kurth <oliver.kurth@broadcom.com>
Signed-off-by: Oliver Kurth <oliver.kurth@broadcom.com>
Comment thread pytests/tests/test_ssl_config.py Fixed
Signed-off-by: Oliver Kurth <oliver.kurth@broadcom.com>
oliverkurth force-pushed the topic/okurth/global-ssl-settings branch from 85ffca4 to 700dddf on May 22, 2026 18:18
oliverkurth requested a review from sshedi on May 22, 2026 20:07
Comment thread ci/prep.sh
oliverkurth merged commit 0d8943d into dev on May 26, 2026
18 checks passed
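
The precedence list in the PR description can be turned into a small audit helper that reports, per repository, which CA bundle wins and where it came from. This is an added example, not code from tdnf or from this PR. The sample config contents, paths, repo ids and function names are constructed, and the choice that a `repoid.sslcacert` setopt beats an unqualified `sslcacert` setopt is an assumption the page does not state.

```python
import configparser
import os

# Constructed sample configuration (not taken from the tdnf repository).
TDNF_CONF = """
[main]
sslcacert=/etc/pki/corp-proxy-ca.pem
"""
REPO_FILES = """
[base]
baseurl=https://packages.example.invalid/base
[internal]
baseurl=https://packages.example.invalid/internal
sslcacert=/etc/pki/internal-ca.pem
"""


def effective_sslcacert(repo_id, main, repos, environ, setopts):
    """Return (path, source) for one repo, following the PR's precedence list."""
    # 1. Command line. Assumption: the repo-qualified key beats the bare key.
    for key in (f"{repo_id}.sslcacert", "sslcacert"):
        if key in setopts:
            return setopts[key], f"--setopt={key}"
    # 2. Environment variable overrides anything read from configuration files.
    if environ.get("SSL_CERT_FILE"):
        return environ["SSL_CERT_FILE"], "SSL_CERT_FILE"
    # 3. Per-repository setting from a .repo file.
    if repos.has_option(repo_id, "sslcacert"):
        return repos.get(repo_id, "sslcacert"), ".repo file"
    # 4. Global setting inherited from [main] in tdnf.conf.
    if main.has_option("main", "sslcacert"):
        return main.get("main", "sslcacert"), "tdnf.conf [main]"
    return None, "unset"


def audit(environ, setopts):
    """Map every repo id to its effective (sslcacert, source) pair."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(TDNF_CONF)
    repos = configparser.ConfigParser(interpolation=None)
    repos.read_string(REPO_FILES)
    return {r: effective_sslcacert(r, main, repos, environ, setopts)
            for r in repos.sections()}


if __name__ == "__main__":
    for repo, (path, source) in audit(os.environ, {}).items():
        print(f"{repo}: sslcacert={path} (from {source})")
```

Run against a host's real environment, the output shows whether an exported `SSL_CERT_FILE` is replacing a CA bundle pinned in a `.repo` file, which follows from the ordering described in the PR.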
3 participants