[cc’ing Daniel as OpenSSL maintainer]
> On 4 Jan 2017, at 12:47 pm, Hanspeter Niederstrasser <[email protected]>
> wrote:
>
> On 1/2/17 9:19 AM, Derek Homeier wrote:
>> Hi,
>>
>> I want to check if I am doing something very stupid here, since I am unable
>> to properly use any apps linking to openssl100-shlibs (among others wget and
>> python) since approximately the update to openssl-1.0.2, as it refuses to
>> accept almost any host certificate:
>>
>> ariel:15579> curl -O https://www.openssl.org/source/openssl-1.0.2j.tar.gz
>> % Total % Received % Xferd Average Speed Time Time Time Current
>> Dload Upload Total Spent Left Speed
>> 100 5183k 100 5183k 0 0 985k 0 0:00:05 0:00:05 --:--:--
>> 1266k
>> ariel:15580> wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
>> --2017-01-02 15:03:01-- https://www.openssl.org/source/openssl-1.0.2j.tar.gz
>> Resolving www.openssl.org... 2600:1406:1a:38f::c1e, 2600:1406:1a:38e::c1e,
>> 104.91.180.27
>> Connecting to www.openssl.org|2600:1406:1a:38f::c1e|:443... connected.
>> ERROR: cannot verify www.openssl.org's certificate, issued by ‘CN=Let's
>> Encrypt Authority X3,O=Let's Encrypt,C=US’:
>> Unable to locally verify the issuer's authority.
>> To connect to www.openssl.org insecurely, use `--no-check-certificate'.
>
> according to 'fink info wget', you have to edit .wgetrc so that wget knows
> about the ca-bundle certificates.
>
> 1. Install the 'ca-bundle' package.
> 2. If you don't currently have $HOME/.wgetrc, generate it via
> .
> cp /sw/etc/wgetrc $HOME/.wgetrc
> .
> 3. Edit $HOME/.wgetrc with your favorite text editor and add the
> following line to it:
> .
> ca_certificate = /sw/etc/ssl/certs/ca-bundle.crt
>
> I can confirm that wget fails here similarly to you before the edit, and
> downloads fine after the change.
>
Thanks for the info and sorry for not reading the docs myself; this does work,
also with /etc/ssl/cert.pem.
I was actually hoping for a solution that would work for openssl100-shlibs
linked programs in general, since Python's urllib failures were bothering me
more. I had found some suggestions for fixing the problem with ruby, but
nothing really useful for Python.
However, Python's ssl module itself provided the following information:

>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath='/sw/etc/ssl/certs',
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/sw/etc/ssl/cert.pem',
openssl_capath_env='SSL_CERT_DIR', openssl_capath='/sw/etc/ssl/certs')

And indeed, copying the system cert.pem to /sw/etc/ssl fixed the problem (could
have sworn I had already tried that), or alternatively setting
SSL_CERT_FILE=/etc/ssl/cert.pem in the program environment.
It doesn't seem there is an option to configure a different default
openssl_cafile when building openssl with --openssldir=%p/etc/ssl, or if
copying or linking the system file into %p/etc/ssl is an option, or as a last
resort having the ca-bundle package install an additional copy of
ca-bundle.crt as %p/etc/ssl/cert.pem.
I suggest in any case to add the info about the SSL_CERT_FILE environment
variable to the DescDetail.
Thanks,
Derek
_______________________________________________
Fink-devel mailing list
[email protected]
List archive:
https://sourceforge.net/p/fink/mailman/fink-devel
Subscription management:
https://lists.sourceforge.net/lists/listinfo/fink-devel
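The lookup that Derek's reply arrives at, as an added example that is not part of the original thread and not Fink or OpenSSL code: a small Python diagnostic that applies OpenSSL's precedence (the SSL_CERT_FILE / SSL_CERT_DIR environment variables over the compiled-in openssldir paths that ssl.get_default_verify_paths() reports), says whether each candidate actually exists, and then tries to load the result into a verifying client context the way urllib would use it. It goes one step beyond the thread: it also checks whether a capath directory holds c_rehash-style <hash>.N entries, because OpenSSL's directory lookup opens only files named that way and never reads a bare ca-bundle.crt that merely sits in the directory, so a capath that "exists" can still supply no trust anchors. The function names, the CaResolution class, the note wording and the throwaway directory layout built by make_fink_like_openssldir() are mine (the placeholder files it writes are empty, constructed samples); the real /sw/etc/ssl paths from the thread are what the script reports when run under Fink's Python.

```python
"""Where will an OpenSSL-linked program look for CA certificates?

Mirrors the lookup discussed in the thread: SSL_CERT_FILE / SSL_CERT_DIR
override the openssldir defaults that ssl.get_default_verify_paths() reports,
and a path only helps if it exists (and, for a directory, only if it holds
c_rehash-style <hash>.N entries).  Added example; not Fink or OpenSSL code.
"""
import os
import re
import ssl
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OpenSSL's by_dir lookup only opens files named <subject-hash>.<n>
# (e.g. 4a6481c9.0; CRLs are <hash>.r<n>). Anything else in the dir is ignored.
_HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.r?[0-9]+$")


@dataclass
class CaResolution:
    cafile: Optional[str]           # file OpenSSL will actually read, or None
    capath: Optional[str]           # directory OpenSSL will actually use, or None
    notes: List[str] = field(default_factory=list)


def resolve_ca_paths(env: Dict[str, str],
                     defaults: Optional[ssl.DefaultVerifyPaths] = None) -> CaResolution:
    """Environment variable first, compiled-in openssldir path second."""
    if defaults is None:
        defaults = ssl.get_default_verify_paths()   # the interpreter's own OpenSSL
    res = CaResolution(cafile=None, capath=None)

    cafile = env.get(defaults.openssl_cafile_env)
    origin = defaults.openssl_cafile_env if cafile else "openssldir default"
    cafile = cafile or defaults.openssl_cafile
    if os.path.isfile(cafile):
        res.cafile = cafile
        res.notes.append(f"cafile {cafile} ({origin}) exists")
    else:
        res.notes.append(f"cafile {cafile} ({origin}) is missing")

    capath = env.get(defaults.openssl_capath_env)
    origin = defaults.openssl_capath_env if capath else "openssldir default"
    capath = capath or defaults.openssl_capath
    usable_dir = False
    if os.path.isdir(capath):
        res.capath = capath
        hashed = [n for n in os.listdir(capath) if _HASHED_ENTRY.match(n)]
        usable_dir = bool(hashed)
        if hashed:
            res.notes.append(f"capath {capath} ({origin}) has hashed entries ({len(hashed)})")
        else:
            res.notes.append(f"capath {capath} ({origin}) has no <hash>.N entries "
                             "(run c_rehash); it supplies no CA certificates")
    else:
        res.notes.append(f"capath {capath} ({origin}) is missing")

    if res.cafile is None and not usable_dir:
        res.notes.append("no usable trust anchors: every host certificate will fail "
                         "verification until SSL_CERT_FILE points at a bundle")
    return res


def load_ca_store(cafile: Optional[str] = None,
                  capath: Optional[str] = None) -> Dict[str, object]:
    """Load the resolved paths into a verifying client context.

    A cafile holding no certificate (empty, or not PEM) makes OpenSSL reject the
    call (ssl.SSLError, an OSError subclass).  A capath is accepted without being
    inspected and is read lazily, so "roots" stays 0 for it at this point.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    try:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    except OSError as exc:
        return {"ok": False, "roots": 0, "error": str(exc)}
    return {"ok": True, "roots": ctx.cert_store_stats()["x509"], "error": None}


def make_fink_like_openssldir() -> Dict[str, object]:
    """Constructed sample of the layout in the thread (not a real Fink tree):
    <dir>/certs/ca-bundle.crt present, <dir>/cert.pem absent, plus an empty
    stand-in for /etc/ssl/cert.pem.  All files are empty placeholders."""
    root = tempfile.mkdtemp(prefix="openssldir-")
    certs = os.path.join(root, "certs")
    os.mkdir(certs)
    open(os.path.join(certs, "ca-bundle.crt"), "w").close()
    bundle = os.path.join(root, "system-cert.pem")
    open(bundle, "w").close()
    defaults = ssl.DefaultVerifyPaths(None, certs, "SSL_CERT_FILE",
                                      os.path.join(root, "cert.pem"),
                                      "SSL_CERT_DIR", certs)
    return {"defaults": defaults, "certs": certs, "bundle": bundle}


if __name__ == "__main__":
    found = resolve_ca_paths(dict(os.environ))
    print("\n".join(found.notes))
    if found.cafile or found.capath:
        print(load_ca_store(found.cafile, found.capath))
```

Run it under the interpreter whose OpenSSL you are debugging (for the thread's case, Fink's python); the notes tell you which of the two env variables to set, and the final dict shows whether that choice actually produced a populated trust store rather than merely an existing path.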