Added Bruno Thomsen to Cc. He had some patches about this as well. On Thu, Apr 09, 2015 at 10:05:55AM +0000, Rüdiger, Christoph wrote: > > On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote: > > > [PATCH] libcurl: Added an option set to compile libcurl with optional > > > builtin CA certificate default directory or builtin CA certificate > > > default bundle file. > > > > > > Signed-off-by: Christoph Ruediger > > > <christoph.ruedi...@thyssenkrupp.com> > > > --- > > > rules/libcurl.in | 27 +++++++++++++++++++++++++++ > > > rules/libcurl.make | 21 ++++++++++++++++++--- > > > 2 files changed, 45 insertions(+), 3 deletions(-) > > > > > > diff --git a/rules/libcurl.in b/rules/libcurl.in index > > > 0ad7fb4..bdb0ad5 100644 > > > --- a/rules/libcurl.in > > > +++ b/rules/libcurl.in > > > @@ -41,6 +41,33 @@ config LIBCURL_FILE config LIBCURL_SSL > > > bool "ssl" > > > > > > +if LIBCURL_SSL > > > + > > > +choice > > > + prompt "Central CA certificate storage" > > > + > > > + config LIBCURL_SSL_NOCA > > > + bool "No CA storage" > > > + > > > + config LIBCURL_SSL_CAPATH > > > + bool "CA directory" > > > + > > > + config LIBCURL_SSL_CABUNDLE > > > + bool "CA bundle" > > > +endchoice > > > + > > > +config LIBCURL_SSL_CAPATH_PATH > > > + string "CA directory path" > > > + depends on LIBCURL_SSL_CAPATH > > > + default "/etc/ssl/certs" > > > + > > > +config LIBCURL_SSL_CABUNDLE_PATH > > > + string "CA bundle path" > > > + depends on LIBCURL_SSL_CABUNDLE > > > + default "/etc/ssl/certs/ca-certificates.crt" > > > > Any reason, why these paths should be configurable? > > /etc/ssl/certs seems to be the most common path to store certificates in. > However, we maintain RedHat servers here which use different paths by > default. That's the reason why I made it configurable.
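Review bot: the new choice in rules/libcurl.in carries no help text, and because the choice has no `default` line Kconfig falls back to its first entry, LIBCURL_SSL_NOCA; a user who leaves that selected gets a curl that cannot verify any TLS peer unless --cacert/--capath is passed on every call (or -k disables verification), and nothing in the menu says so. Suggest a `help` block under each entry, e.g. after `bool "No CA storage"`: "libcurl is built without a default CA file or directory; peer verification fails unless a CA store is given explicitly", and a short note on CAPATH that the directory must hold hash-named certificates (the layout c_rehash/openssl rehash produces) rather than a single bundle. The rules/libcurl.make hunk listed in the diffstat (21 lines) is not included in this message, so it cannot be checked here that LIBCURL_SSL_CAPATH_PATH and LIBCURL_SSL_CABUNDLE_PATH are passed through as --with-ca-path / --with-ca-bundle and that LIBCURL_SSL_NOCA maps to --without-ca-bundle --without-ca-path; please post or cite that hunk.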
Ok.

> > And we need a package that provides those files, right?
>
> In my opinion, such a package is nothing for the general ptxdist. It is
> highly project dependent, at least in our company. We do not deploy a set of
> default CAs like you have in general-purpose desktop or server
> distributions. For us it is very rare to have two projects with the same set
> of CA certificates.
> Even if we add a certificates package, this should be more related to the
> openssl package itself than to the openssl user packages like curl.
>
> Curl runs fine even if the default path (CA path or CA bundle) does not
> exist. It is just not finding proper certificates to validate SSL/TLS
> connections. This is the same behavior as today, where curl is configured to
> not look anywhere for matching certificates.

To create a bundle we would need the script mk-ca-bundle.pl that comes with
curl, right?

Bruno, if I apply this patch here, you could change your host-certdata
package into a target package that installs the CA bundle itself. Would that
make sense to you?

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

-- 
ptxdist mailing list
ptxdist@pengutronix.de