subject:"\[OE\-core\] native CA cert bundles \(was\: Re\: \[PATCH 3\/3\] cve\-check\-tool\: Use CA cert bundle in correct sysroot\)"

Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

2017-11-21 Thread Otavio Salvador

On Tue, Nov 21, 2017 at 10:21 AM, Patrick Ohly  wrote:
> On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote:
>> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly > > wrote:
>> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
>> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883
>> > open
>> > about some aspect of this, but it doesn't actually address the
>> > underlying question about what the right behavior should be. It's
>> > based
>> > on the assumption that libcurl-native should always use ca-
>> > certificates-native.
>> >
>> > Thoughts anyone?
>>
>> I agree it should use ca-certificates-native for all native; it
>> allows for self-signed internal certificates to be added for internal
>> development.
>
> But that's not what bitbake itself uses. Are you saying that bitbake
> fetchers etc. should also use whatever certificates are configured for
> ca-certificates-native? That leads to a chicken-and-egg problem.
>
> A solution where custom certificates need to be configured in two
> different places (system for bitbake, ca-certificates-native for some
> other tools) sounds sub-optimal to me.

I know and we could override it to a place.

We ended doing it ourselves:
https://github.com/updatehub/meta-updatehub/commit/e9c34faddb6a59d560147798b37ac6a0e3fa57bf

but this is not generic.

-- 
Otavio Salvador O.S. Systems
http://www.ossystems.com.brhttp://code.ossystems.com.br
Mobile: +55 (53) 9981-7854Mobile: +1 (347) 903-9750
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

2017-11-21 Thread Patrick Ohly

On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote:
> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly  > wrote:
> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883
> > open
> > about some aspect of this, but it doesn't actually address the
> > underlying question about what the right behavior should be. It's
> > based
> > on the assumption that libcurl-native should always use ca-
> > certificates-native.
> > 
> > Thoughts anyone?
> 
> I agree it should use ca-certificates-native for all native; it
> allows for self-signed internal certificates to be added for internal
> development.

But that's not what bitbake itself uses. Are you saying that bitbake
fetchers etc. should also use whatever certificates are configured for
ca-certificates-native? That leads to a chicken-and-egg problem.

A solution where custom certificates need to be configured in two
different places (system for bitbake, ca-certificates-native for some
other tools) sounds sub-optimal to me.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

2017-11-21 Thread Otavio Salvador

On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly  wrote:
> On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
> about some aspect of this, but it doesn't actually address the
> underlying question about what the right behavior should be. It's based
> on the assumption that libcurl-native should always use ca-
> certificates-native.
>
> Thoughts anyone?

I agree it should use ca-certificates-native for all native; it allows
for self-signed internal certificates to be added for internal
development.

-- 
Otavio Salvador O.S. Systems
http://www.ossystems.com.brhttp://code.ossystems.com.br
Mobile: +55 (53) 9981-7854Mobile: +1 (347) 903-9750
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

2017-11-21 Thread Patrick Ohly

On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> Native libcurl looks for CA certs in the wrong place by
> default.
> * Add patch that allows overriding the default CA certificate
>   location. Patch is originally from meta-security-isafw.
> * Use the new --cacert to set the correct CA bundle path
> 
> Signed-off-by: Jussi Kukkonen 
> ---
>  .../cve-check-tool/cve-check-tool_5.6.4.bb |   4 +-
>  ...ow-overriding-default-CA-certificate-file.patch | 215
> +
>  2 files changed, 218 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-
> curl-allow-overriding-default-CA-certificate-file.patch
> 
> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-
> tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-
> tool_5.6.4.bb
> index c78af67..fcd3182 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3
> c34974bc0be3a03ed6"
>  SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v
> ${PV}/${BP}.tar.xz \
> file://check-for-malloc_trim-before-using-it.patch \
> file://0001-print-progress-in-percent-when-downloading-
> CVE-db.patch \
> +   file://0001-curl-allow-overriding-default-CA-certificate-
> file.patch \
>    "
>  
>  SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> @@ -39,7 +40,8 @@ do_populate_cve_db() {
>  [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
>  
>  bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
> -if cve-check-update -d "$cve_dir" ; then
> +# --cacert works around curl-native not finding the CA bundle
> +if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-
> certificates.crt -d "$cve_dir" ; then

I went back to this patch to see how the problem was solved, because I
am facing it again elsewhere. Now that I think about it again, I'm
starting to wonder which SSL certificates the native tools really
should trust. Tools like Python or  wget are taken from the host, which
means they use the host defaults for SSL. That native tools built with
bitbake then try to use ca-certificates-native looks inconsistent to
me.

There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
about some aspect of this, but it doesn't actually address the
underlying question about what the right behavior should be. It's based
on the assumption that libcurl-native should always use ca-
certificates-native.

Thoughts anyone?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

[OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

4 matches

Site Navigation

Mail list logo

Footer information