From: Moritz Haase <[email protected]> Fixes YOCTO #16077
Commit 4909a46e broke HTTPS downloads in opkg in the SDK, they now fail with: > SSL certificate problem: self-signed certificate in certificate chain The root cause is a difference in the handling of related env vars between curl-cli and libcurl. The CLI will honour CURL_CA_BUNDLE and SSL_CERT_DIR|FILE (see [0]). Those are set in the SDK via env setup scripts like [1], so curl continued to work. The library however does not handle those env vars. Thus, unless the program utilizing libcurl has implemented a similar mechanism itself and configures libcurl accordingly via the API (like for example Git in [2] and [3]), there will be no default CA bundle configured to verify certificates against. Opkg only supports setting the CA bundle path via config options 'ssl_ca_file' and 'ssl_ca_path'. Upstreaming and then backporting a patch to add env var support is not a feasible short-time fix for the issue at hand. Instead it's better to ship libcurl in the SDK with a sensible built-in default - which also helps any other libcurl users. This patch is based on a proposal by [email protected] in the related mailing list discussion at [4]. [0]: https://github.com/curl/curl/blob/400fffa90f30c7a2dc762fa33009d24851bd2016/src/tool_operate.c#L2056-L2084 [1]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl/environment.d-curl.sh?id=3a15ca2a784539098e95a3a06dec7c39f23db985 [2]: https://github.com/git/git/blob/6ab38b7e9cc7adafc304f3204616a4debd49c6e9/http.c#L1389 [3]: https://github.com/git/git/blob/6ab38b7e9cc7adafc304f3204616a4debd49c6e9/http.c#L1108-L1109 [4]: https://lists.openembedded.org/g/openembedded-core/topic/115993530#msg226751 Signed-off-by: Moritz Haase <[email protected]> CC: [email protected] CC: [email protected] Signed-off-by: Mathieu Dubois-Briand <[email protected]> Signed-off-by: Richard Purdie <[email protected]> (cherry picked from commit 3f819f57aa1960af36ac0448106d1dce7f38c050) Signed-off-by: Steve Sakoman <[email protected]> --- meta/recipes-support/curl/curl_8.17.0.bb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb index 32585070eb..352f407d28 100644 --- a/meta/recipes-support/curl/curl_8.17.0.bb +++ b/meta/recipes-support/curl/curl_8.17.0.bb @@ -75,16 +75,21 @@ PACKAGECONFIG[websockets] = "--enable-websockets,--disable-websockets" PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd" +# Use host certificates for non-target builds. As libcurl doesn't honor any of the env vars (like +# for example CURL_CA_PATH) that curl-cli does, we need to explicitly set '--with-ca-bundle' +# accordingly, so that there is a working, built-in default even for those tools that use libcurl, +# but don't have custom env var handling implemented (like opkg). +CURL_CA_BUNDLE_BASE_DIR ?= "/etc" +CURL_CA_BUNDLE_BASE_DIR:class-target = "${sysconfdir}" + EXTRA_OECONF = " \ --disable-libcurl-option \ --without-libpsl \ --enable-optimize \ + --with-ca-bundle=${CURL_CA_BUNDLE_BASE_DIR}/ssl/certs/ca-certificates.crt \ ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \ WATT_ROOT=${STAGING_DIR_TARGET}${prefix} \ " -EXTRA_OECONF:append:class-target = " \ - --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ -" fix_absolute_paths () { # cleanup buildpaths from curl-config -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#228272): https://lists.openembedded.org/g/openembedded-core/message/228272 Mute This Topic: https://lists.openembedded.org/mt/116893597/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
