On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote: > Native libcurl looks for CA certs in the wrong place by > default. > * Add patch that allows overriding the default CA certificate > location. Patch is originally from meta-security-isafw. > * Use the new --cacert to set the correct CA bundle path > > Signed-off-by: Jussi Kukkonen <[email protected]> > --- > .../cve-check-tool/cve-check-tool_5.6.4.bb | 4 +- > ...ow-overriding-default-CA-certificate-file.patch | 215 > +++++++++++++++++++++ > 2 files changed, 218 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001- > curl-allow-overriding-default-CA-certificate-file.patch > > diff --git a/meta/recipes-devtools/cve-check-tool/cve-check- > tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check- > tool_5.6.4.bb > index c78af67..fcd3182 100644 > --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3 > c34974bc0be3a03ed6" > SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v > ${PV}/${BP}.tar.xz \ > file://check-for-malloc_trim-before-using-it.patch \ > file://0001-print-progress-in-percent-when-downloading- > CVE-db.patch \ > + file://0001-curl-allow-overriding-default-CA-certificate- > file.patch \ > " > > SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" > @@ -39,7 +40,8 @@ do_populate_cve_db() { > [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" > > bbdebug 2 "Updating cve-check-tool database located in $cve_dir" > - if cve-check-update -d "$cve_dir" ; then > + # --cacert works around curl-native not finding the CA bundle > + if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca- > certificates.crt -d "$cve_dir" ; then
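Review bot: in the SRC_URI hunk the new file reuses the `0001-` prefix already taken by `0001-print-progress-in-percent-when-downloading-CVE-db.patch`; two patches numbered 0001 in one recipe obscure the intended apply order, so consider renaming it `0002-curl-allow-overriding-default-CA-certificate-file.patch` (and updating the commit message to match). Since the commit message says the patch originates from meta-security-isafw, the patch header should also record that origin and carry an Upstream-Status line so the provenance survives once it lands in oe-core.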
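Review bot: in the do_populate_cve_db hunk the `--cacert ${sysconfdir}/ssl/certs/ca-certificates.crt` argument is unquoted while `-d "$cve_dir"` on the same line is quoted; quote the path for consistency and so a sysroot path containing spaces does not split. More importantly, the task now relies on ca-certificates-native having installed that file into the native sysroot, but the visible diff does not add it to DEPENDS; if it is not already a dependency the file may be absent at run time. Either add the dependency or have the task check that the bundle exists and fail with a clear message before calling cve-check-update, so that a missing bundle is an explicit error rather than an obscure download failure.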
I went back to this patch to see how the problem was solved, because I am facing it again elsewhere.

Now that I think about it again, I'm starting to wonder which SSL certificates the native tools really should trust. Tools like Python or wget are taken from the host, which means they use the host defaults for SSL. That native tools built with bitbake then try to use ca-certificates-native looks inconsistent to me.

There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open about some aspect of this, but it doesn't actually address the underlying question about what the right behavior should be. It's based on the assumption that libcurl-native should always use ca-certificates-native.

Thoughts anyone?

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.

--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
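As an added example (not the patch's or the cve-check-tool recipe's own code) of how a task could choose the CA bundle for a native tool instead of hardcoding one path: the function below tries an explicit path, then the CURL_CA_BUNDLE variable the curl command-line tool honours and OpenSSL's SSL_CERT_FILE override, then the sysroot path used in the patch and two common host locations, and rejects any file that contains no certificate. The precedence order and the sysroot parameter are assumptions of this example, not project behaviour.

```shell
#!/bin/sh
# Added example: resolve the CA bundle a native tool should trust, in an
# assumed precedence order, and refuse a file that holds no certificate.
#   1. explicit path from the caller (what --cacert in the patch hardcodes)
#   2. CURL_CA_BUNDLE (honoured by the curl command-line tool)
#   3. SSL_CERT_FILE (OpenSSL's override for its default store)
#   4. the sysroot path from the patch, then common host locations

resolve_ca_bundle() {
    explicit=$1
    sysroot_etc=${2:-/etc}   # stands in for ${sysconfdir} of the native sysroot

    for candidate in \
        "$explicit" \
        "$CURL_CA_BUNDLE" \
        "$SSL_CERT_FILE" \
        "$sysroot_etc/ssl/certs/ca-certificates.crt" \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt
    do
        [ -n "$candidate" ] || continue
        [ -f "$candidate" ] || continue
        # A bundle that exists but holds no certificate (e.g. an empty file
        # left behind by a broken ca-certificates-native build) must not be
        # accepted silently: every verification against it would fail.
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no usable CA bundle found" >&2
    return 1
}

# Usage inside a task: fail loudly instead of letting the download go wrong.
#   ca_bundle=$(resolve_ca_bundle "" "${sysconfdir}") || exit 1
#   cve-check-update --cacert "$ca_bundle" -d "$cve_dir"
```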
