Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in at 2015-04-03 14:31:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and      /work/SRC/openSUSE:Factory/.curl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl.changes 2015-03-01 14:58:07.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.curl.new/curl.changes 2015-04-03 14:32:00.000000000 +0200 @@ -1,0 +2,6 @@ +Tue Mar 24 12:49:35 UTC 2015 - lnus...@suse.de + +- don't hardcode /etc/ssl/certs. Use openssl's default instead + (curl-7.41.0-use-openssl-s-built-in-verify-path-as-fallback.diff) + +------------------------------------------------------------------- New: ---- curl-7.41.0-use-openssl-s-built-in-verify-path-as-fallback.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.mAckb6/_old 2015-04-03 14:32:01.000000000 +0200 +++ /var/tmp/diff_new_pack.mAckb6/_new 2015-04-03 14:32:01.000000000 +0200 @@ -33,6 +33,8 @@ Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch3: curl-secure-getenv.patch +# PATCH-FIX-OPENSUSE lnus...@suse.de -- use openssl's built in verify path as fallback +Patch4: curl-7.41.0-use-openssl-s-built-in-verify-path-as-fallback.diff BuildRequires: krb5-mini-devel BuildRequires: libtool BuildRequires: lzma @@ -94,6 +96,7 @@ %patch0 %patch1 %patch3 +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS @@ -112,7 +115,8 @@ --enable-ipv6 \ %if %{with openssl} --with-ssl \ - --with-ca-path=%{_sysconfdir}/ssl/certs/ \ + --without-ca-path \ + --without-ca-bundle \ %else --without-ssl \ %if %{with mozilla_nss} ++++++ curl-7.41.0-use-openssl-s-built-in-verify-path-as-fallback.diff ++++++ >From 9af60d2d52d9635ba4498d3a42abd85c7c2140db Mon Sep 17 00:00:00 2001 
From: Ludwig Nussel <ludwig.nus...@suse.de> Date: Tue, 24 Mar 2015 13:25:17 +0100 Subject: [PATCH] use openssl's built in verify path as fallback Trying to verify a peer without any having any root CA certificates registered won't work. So use openssl's built in default as fallback. https://github.com/bagder/curl/pull/175 --- lib/vtls/openssl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 3f93e22..34abd64 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2012,6 +2012,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) "none", data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]: "none"); + } else if (data->set.ssl.verifypeer) { + /* verfying the peer without any CA certificates won't + work so use openssl's built in default as fallback */ + SSL_CTX_set_default_verify_paths(connssl->ctx); } if(data->set.str[STRING_SSL_CRLFILE]) { -- 2.3.3
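Review bot: In the curl.spec hunk at @@ -33,6 +33,8 @@, the comment above Patch4 omits the upstream reference that the patch's own commit message cites (https://github.com/bagder/curl/pull/175). Adding that URL to the comment line lets a later maintainer check the state of the upstream change before rebasing or dropping the patch.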
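Review bot: In the curl.spec hunk at @@ -112,7 +115,8 @@, `--without-ca-path` and `--without-ca-bundle` leave the OpenSSL build with no configured default CA location, so peer verification now depends entirely on the runtime fallback that Patch4 adds. Nothing in the spec ties the two together, and the curl.changes entry mentions only that /etc/ssl/certs is no longer hardcoded. Add a spec comment next to these flags stating that they require Patch4, so that a version bump which drops the patch does not ship a libcurl with no CA store configured.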
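Review bot: In the lib/vtls/openssl.c hunk at @@ -2012,6 +2012,10 @@, the return value of `SSL_CTX_set_default_verify_paths(connssl->ctx);` is ignored in the new else-if branch. The call returns 1 on success and 0 on failure. On failure the context is left without trust anchors, and the later verification error gives no hint that the fallback was the cause. Check the result and report a failure to the caller or the log. Two smaller points in the same hunk: `} else if (` puts a space after `if`, while the surrounding context writes `if(data->set.str[STRING_SSL_CRLFILE])`, and the new comment misspells "verifying" as "verfying".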