"Kyle J. McKay" <mack...@gmail.com> writes:

> On my OS X platform depending on which version of OpenSSL I'm using,
> the OPENSSLDIR path would be one of these:
>   /System/Library/OpenSSL
>   /opt/local/etc/openssl
> And neither of those uses a "certs" directory, they both use a
> "cert.pem" bundle instead:
>   $ ls -l /System/Library/OpenSSL
>   total 32
>   lrwxrwxrwx  1 root  wheel    42 cert.pem -> ../../../usr/share/curl/curl-ca-bundle.crt
>   drwxr-xr-x  2 root  wheel    68 certs
>   drwxr-xr-x  8 root  wheel   272 misc
>   -rw-r--r--  1 root  wheel  9381 openssl.cnf
>   drwxr-xr-x  2 root  wheel    68 private
>   # the certs directory is empty
>   $ ls -l /opt/local/etc/openssl
>   total 32
>   lrwxrwxrwx   1 root  admin    35 cert.pem@ -> ../../share/curl/curl-ca-bundle.crt
>   drwxr-xr-x   9 root  admin   306 misc/
>   -rw-r--r--   1 root  admin 10835 openssl.cnf
> Notice neither of those refers to /etc/ssl/certs at all.
> So the short answer is, yes, hard-coding /etc/ssl/certs as the path on
> OS X is incorrect and if setting /etc/ssl/certs as the path has the
> effect of replacing the default locations the verification will fail.

The current code says "if nothing is specified, let's pretend
/etc/ssl/certs was specified.  Then if it is a directory, use it
with SSL_ca_path, if it is a file, use it with SSL_ca_file, if it
does not exist, do not even attempt verification."

And that "let's pretend" breaks Fedora, where "/etc/ssl/certs" is a
directory but is not meant to be used with SSL_ca_path---we try to
use /etc/ssl/certs with SSL_ca_path and verification fails miserably.

If I am reading the code correctly, if /etc/ssl/certs does not exist
on the filesystem at all, it wouldn't even attempt verification, so
I take your "the verification will fail" to mean that you forgot to
also mention "And on OS X, /etc/ssl/certs directory still exists,
even though OpenSSL does not use it."  If that is the case, then our
current code indeed is broken in exactly the same way for OS X as
for Fedora.

The proposed change in this thread would stop the defaulting
altogether, and still ask the library to do the verification using
its own default, so I can see how that would make the setting you
described used on OS X work properly.

In short, I agree with you on both counts (the current code is wrong
for OS X, and the proposed change will fix it).  I just want to make
sure that my understanding of the current breakage is in line with
the reality ;-)


To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
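An added diagnostic for the situation discussed above (example script, not part of either message and not git's http.c): it classifies a candidate CA path into the four states the thread distinguishes (missing, bundle file, directory usable as SSL_ca_path, directory that merely exists) and reports what the local `openssl` binary's OPENSSLDIR actually provides. The "usable as SSL_ca_path" test relies on OpenSSL's hashed-filename convention (`<8 hex digits>.<n>`, as written by c_rehash); `3513523f.0` in the comments is a constructed sample name.

```shell
#!/bin/sh
# A directory works with SSL_ca_path only if it holds hashed entries
# named <8 hex digits>.<n> (e.g. the constructed name 3513523f.0);
# merely existing, as /etc/ssl/certs does on Fedora and OS X, is not enough.
ca_dir_is_hashed() {
    dir=$1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        name=${entry##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                [ -e "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Classify one candidate path the way the thread reasons about it:
#   missing      - path absent; the defaulting code skipped verification here
#   bundle       - a regular file, usable with SSL_ca_file
#   hashed-dir   - a directory usable with SSL_ca_path
#   unhashed-dir - a directory that exists but yields no CAs via SSL_ca_path,
#                  so verification fails (the Fedora and OS X cases)
classify_ca_path() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
    elif [ -f "$path" ]; then
        echo bundle
    elif ca_dir_is_hashed "$path"; then
        echo hashed-dir
    else
        echo unhashed-dir
    fi
}

# Ask the installed openssl where OPENSSLDIR is and report both the
# cert.pem bundle and the certs/ directory under it, so the library's own
# default location can be compared with a hard-coded /etc/ssl/certs.
show_openssl_defaults() {
    dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$dir" ] || { echo "openssl not found" >&2; return 1; }
    printf '%s/cert.pem: %s\n' "$dir" "$(classify_ca_path "$dir/cert.pem")"
    printf '%s/certs: %s\n' "$dir" "$(classify_ca_path "$dir/certs")"
    printf '/etc/ssl/certs: %s\n' "$(classify_ca_path /etc/ssl/certs)"
}
```

Run `show_openssl_defaults` on the host; an `unhashed-dir` verdict for /etc/ssl/certs next to a `bundle` verdict for OPENSSLDIR/cert.pem is exactly the layout the thread describes.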
