Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
On Tue, Nov 21, 2017 at 10:21 AM, Patrick Ohlywrote: > On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote: >> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly > > wrote: >> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote: >> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 >> > open >> > about some aspect of this, but it doesn't actually address the >> > underlying question about what the right behavior should be. It's >> > based >> > on the assumption that libcurl-native should always use ca- >> > certificates-native. >> > >> > Thoughts anyone? >> >> I agree it should use ca-certificates-native for all native; it >> allows for self-signed internal certificates to be added for internal >> development. > > But that's not what bitbake itself uses. Are you saying that bitbake > fetchers etc. should also use whatever certificates are configured for > ca-certificates-native? That leads to a chicken-and-egg problem. > > A solution where custom certificates need to be configured in two > different places (system for bitbake, ca-certificates-native for some > other tools) sounds sub-optimal to me. I know and we could override it to a place. We ended doing it ourselves: https://github.com/updatehub/meta-updatehub/commit/e9c34faddb6a59d560147798b37ac6a0e3fa57bf but this is not generic. -- Otavio Salvador O.S. Systems http://www.ossystems.com.brhttp://code.ossystems.com.br Mobile: +55 (53) 9981-7854Mobile: +1 (347) 903-9750 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote: > On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly> wrote: > > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote: > > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 > > open > > about some aspect of this, but it doesn't actually address the > > underlying question about what the right behavior should be. It's > > based > > on the assumption that libcurl-native should always use ca- > > certificates-native. > > > > Thoughts anyone? > > I agree it should use ca-certificates-native for all native; it > allows for self-signed internal certificates to be added for internal > development. But that's not what bitbake itself uses. Are you saying that bitbake fetchers etc. should also use whatever certificates are configured for ca-certificates-native? That leads to a chicken-and-egg problem. A solution where custom certificates need to be configured in two different places (system for bitbake, ca-certificates-native for some other tools) sounds sub-optimal to me. -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohlywrote: > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote: > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open > about some aspect of this, but it doesn't actually address the > underlying question about what the right behavior should be. It's based > on the assumption that libcurl-native should always use ca- > certificates-native. > > Thoughts anyone? I agree it should use ca-certificates-native for all native; it allows for self-signed internal certificates to be added for internal development. -- Otavio Salvador O.S. Systems http://www.ossystems.com.brhttp://code.ossystems.com.br Mobile: +55 (53) 9981-7854Mobile: +1 (347) 903-9750 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote: > Native libcurl looks for CA certs in the wrong place by > default. > * Add patch that allows overriding the default CA certificate > location. Patch is originally from meta-security-isafw. > * Use the new --cacert to set the correct CA bundle path > > Signed-off-by: Jussi Kukkonen> --- > .../cve-check-tool/cve-check-tool_5.6.4.bb | 4 +- > ...ow-overriding-default-CA-certificate-file.patch | 215 > + > 2 files changed, 218 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001- > curl-allow-overriding-default-CA-certificate-file.patch > > diff --git a/meta/recipes-devtools/cve-check-tool/cve-check- > tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check- > tool_5.6.4.bb > index c78af67..fcd3182 100644 > --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3 > c34974bc0be3a03ed6" > SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v > ${PV}/${BP}.tar.xz \ > file://check-for-malloc_trim-before-using-it.patch \ > file://0001-print-progress-in-percent-when-downloading- > CVE-db.patch \ > + file://0001-curl-allow-overriding-default-CA-certificate- > file.patch \ > " > > SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" > @@ -39,7 +40,8 @@ do_populate_cve_db() { > [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" > > bbdebug 2 "Updating cve-check-tool database located in $cve_dir" > -if cve-check-update -d "$cve_dir" ; then > +# --cacert works around curl-native not finding the CA bundle > +if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca- > certificates.crt -d "$cve_dir" ; then I went back to this patch to see how the problem was solved, because I am facing it again elsewhere. Now that I think about it again, I'm starting to wonder which SSL certificates the native tools really should trust. Tools like Python or wget are taken from the host, which means they use the host defaults for SSL. That native tools built with bitbake then try to use ca-certificates-native looks inconsistent to me. There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open about some aspect of this, but it doesn't actually address the underlying question about what the right behavior should be. It's based on the assumption that libcurl-native should always use ca- certificates-native. Thoughts anyone? -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core