Package: ruby-httpclient
Version: 2.8.3-1
Severity: normal

Dear Maintainer,

ruby-httpclient bundles a copy of the root certificate authorities:

$ dpkg -L ruby-httpclient | grep pem
/usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
/usr/lib/ruby/vendor_ruby/httpclient/cacert1024.pem
...

Thus, the local CAs configured by the local system administrator (by adding
a .crt file in /usr/local/share/ca-certificates/) are ignored, the explicitly
untrusted CAs are still valid, etc.

Test (with ca-cacert installed):
$ ruby -rhttpclient -e 'p HTTPClient.get("https://www.cacert.org")'
...
/usr/lib/ruby/vendor_ruby/httpclient/ssl_socket.rb:103:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

Expected:
$ curl https://www.cacert.org
<!DOCTYPE ...
...
</html>

Please find attached a debdiff to use the system CA bundle instead.
Some comments:
- the file "cacert1024.pem" is not used by the code: removed
- the ca-certificates package is already pulled by rubygems-integration,
 but a direct dependency may be better


Thanks.

-- System Information:
Debian Release: buster/sid
 APT prefers testing
 APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ruby-httpclient depends on:
ii  ruby                        1:2.5.1
ii  ruby-http-cookie            1.0.2-1
ii  ruby2.1 [ruby-interpreter]  2.1.5-4
ii  ruby2.2 [ruby-interpreter]  2.2.4-1

ruby-httpclient recommends no packages.

ruby-httpclient suggests no packages.

-- no debconf information
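The failure mode described above, as an added example (not part of this report or of ruby-httpclient): a server certificate issued by a CA the administrator installed locally, both constructed here, verifies against a bundle that contains that CA, as /etc/ssl/certs/ca-certificates.crt does once update-ca-certificates has run, but not against a vendored bundle that only ever holds the public roots, and OpenSSL gives the same "unable to get local issuer certificate" reason seen in the report. HTTPClient selects its bundle through ssl_config.set_trust_ca(path), so the store choice shown here is the one the package makes on the user's behalf.

```ruby
require 'openssl'

# Mint an X.509 certificate (constructed test data). With no issuer the
# certificate is a self-signed CA; otherwise it is a leaf signed by the issuer.
def make_cert(cn, serial, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  if issuer
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Load every certificate of a PEM bundle (the format of cacert.pem and ca-certificates.crt).
def store_from_bundle(bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m) do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store
end

# Returns [verified?, OpenSSL's reason] for a leaf checked against a bundle.
def check(bundle_pem, leaf)
  store = store_from_bundle(bundle_pem)
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

# Stand-ins: one public root (all a vendored cacert.pem knows) and a site CA
# the admin dropped into /usr/local/share/ca-certificates/ (both constructed).
PUBLIC_ROOT, _root_key = make_cert('Public Root CA', 1)
LOCAL_CA, LOCAL_KEY = make_cert('Local Site CA', 2)
INTRANET_LEAF, _leaf_key = make_cert('intranet.example', 3, issuer: LOCAL_CA, issuer_key: LOCAL_KEY)
VENDORED_BUNDLE = PUBLIC_ROOT.to_pem                    # never sees the admin's CA
SYSTEM_BUNDLE = PUBLIC_ROOT.to_pem + LOCAL_CA.to_pem    # what update-ca-certificates emits

p vendored: check(VENDORED_BUNDLE, INTRANET_LEAF), system: check(SYSTEM_BUNDLE, INTRANET_LEAF)
```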
diff -Nru ruby-httpclient-2.8.3/debian/changelog ruby-httpclient-2.8.3/debian/changelog
--- ruby-httpclient-2.8.3/debian/changelog	2017-07-31 16:40:48.000000000 +0200
+++ ruby-httpclient-2.8.3/debian/changelog	2018-10-17 19:30:30.000000000 +0200
@@ -1,3 +1,9 @@
+ruby-httpclient (2.8.3-2) UNRELEASED; urgency=medium
+
+  * Unbundle the root CA list, use the one from ca-certificates
+
+ -- Vincent Tondellier <[email protected]>  Wed, 17 Oct 2018 19:30:30 +0200
+
 ruby-httpclient (2.8.3-1) unstable; urgency=medium
 
   * Team upload
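Review bot: the new changelog entry records only the unbundling, while the diff also stops shipping cacert1024.pem; list that removal as a second bullet, and add a `(Closes: #NNNNNN)` reference (this report's bug number, not included in the mail) so the BTS closes it on upload.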
diff -Nru ruby-httpclient-2.8.3/debian/ruby-httpclient.links ruby-httpclient-2.8.3/debian/ruby-httpclient.links
--- ruby-httpclient-2.8.3/debian/ruby-httpclient.links	1970-01-01 01:00:00.000000000 +0100
+++ ruby-httpclient-2.8.3/debian/ruby-httpclient.links	2018-10-17 13:32:19.000000000 +0200
@@ -0,0 +1 @@
+usr/lib/ssl/certs/ca-certificates.crt  usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
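Review bot: the link target goes through /usr/lib/ssl/certs, which is itself a symlink to /etc/ssl/certs shipped by the openssl package, and ca-certificates.crt is generated by update-ca-certificates rather than shipped as a file; point the link at `etc/ssl/certs/ca-certificates.crt`, the path ca-certificates documents, and since a dangling link here makes every HTTPS request fail exactly as in the report, turn the "may be better" dependency from the cover note into an actual `Depends: ca-certificates` in debian/control, which this debdiff does not touch.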
diff -Nru ruby-httpclient-2.8.3/debian/rules ruby-httpclient-2.8.3/debian/rules
--- ruby-httpclient-2.8.3/debian/rules	2017-07-31 16:40:48.000000000 +0200
+++ ruby-httpclient-2.8.3/debian/rules	2018-10-17 13:32:13.000000000 +0200
@@ -6,3 +6,8 @@
 
 %:
 	dh $@ --buildsystem=ruby --with ruby
+
+override_dh_auto_install:
+	dh_auto_install
+	rm -f debian/ruby-httpclient/usr/lib/ruby/vendor_ruby/httpclient/cacert1024.pem
+	rm -f debian/ruby-httpclient/usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
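Review bot: both `rm -f` lines succeed silently when the path does not exist, so an upstream rename of cacert.pem or cacert1024.pem would quietly ship a vendored bundle again without any build failure; use plain `rm` so the build breaks instead, and add a comment that dh_link must run after this override for the symlink from debian/ruby-httpclient.links to land where the regular cacert.pem was removed (the default dh sequence does this, but the ordering is what the fix relies on).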
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers