Re: [LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
On Tue, Feb 13, 2018 at 4:28 AM, John Crispin wrote: > > > On 25/01/18 04:29, Rosen Penev wrote: >> >> On Wed, Jan 24, 2018 at 1:56 PM, Hauke Mehrtens wrote: >>> >>> On 01/24/2018 05:28 AM, Rosen Penev wrote: At least one application (transmission) depends on CURL_CA_BUNDLE being set in order to operate properly (Could not connect to tracker errors). As far as I can tell, there's no real drawback to doing this for all TLS libraries supported by curl. >>> >>> Do all of these libraries support --with-ca-bundle ? >>> >> OpenSSL I know does. GnuTLS most likely does as it seems to be geared >> towards desktop systems. > > > Hi, > > "most likely" is not good enough. please compile/runtime test your patches > for all possible combos before posting them. > GnuTLS was tested on mt7621 without any problems so that's all of them. Tested using the curl binary on mt7621. Any chance this can get merged? > John > Signed-off-by: Rosen Penev --- package/network/utils/curl/Makefile | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 17fcf70..930bd10 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile 
@@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ --without-nss \ --without-libmetalink \ --without-librtmp \ + --without-ca-path \ + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ \ $(call autoconf_bool,CONFIG_IPV6,ipv6) \ \ - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ + $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) \ + $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) \ + $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ + $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) \ \ $(if $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) \ $(if $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) \ >> ___ >> Lede-dev mailing list >> Lede-dev@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/lede-dev > > ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
On Tue, Feb 13, 2018 at 4:28 AM, John Crispin wrote: > > > On 25/01/18 04:29, Rosen Penev wrote: >> >> On Wed, Jan 24, 2018 at 1:56 PM, Hauke Mehrtens wrote: >>> >>> On 01/24/2018 05:28 AM, Rosen Penev wrote: At least one application (transmission) depends on CURL_CA_BUNDLE being set in order to operate properly (Could not connect to tracker errors). As far as I can tell, there's no real drawback to doing this for all TLS libraries supported by curl. >>> >>> Do all of these libraries support --with-ca-bundle ? >>> >> OpenSSL I know does. GnuTLS most likely does as it seems to be geared >> towards desktop systems. > > > Hi, > > "most likely" is not good enough. please compile/runtime test your patches > for all possible combos before posting them. > I've fixed the transmission issue by setting the env parameter to the proper value. Meaning this patch doesn't help in this case. It probably does in others. A quick Google search shows that it does indeed work with GnuTLS. Maybe it didn't with some previous version. > John > Signed-off-by: Rosen Penev --- package/network/utils/curl/Makefile | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 17fcf70..930bd10 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile 
@@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ --without-nss \ --without-libmetalink \ --without-librtmp \ + --without-ca-path \ + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ \ $(call autoconf_bool,CONFIG_IPV6,ipv6) \ \ - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ + $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) \ + $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) \ + $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ + $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) \ \ $(if $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) \ $(if $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) \ >> ___ >> Lede-dev mailing list >> Lede-dev@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/lede-dev > > ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
On 25/01/18 04:29, Rosen Penev wrote: On Wed, Jan 24, 2018 at 1:56 PM, Hauke Mehrtens wrote: On 01/24/2018 05:28 AM, Rosen Penev wrote: At least one application (transmission) depends on CURL_CA_BUNDLE being set in order to operate properly (Could not connect to tracker errors). As far as I can tell, there's no real drawback to doing this for all TLS libraries supported by curl. Do all of these libraries support --with-ca-bundle ? OpenSSL I know does. GnuTLS most likely does as it seems to be geared towards desktop systems. Hi, "most likely" is not good enough. please compile/runtime test your patches for all possible combos before posting them. John Signed-off-by: Rosen Penev --- package/network/utils/curl/Makefile | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 17fcf70..930bd10 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile 
@@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ --without-nss \ --without-libmetalink \ --without-librtmp \ + --without-ca-path \ + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ \ $(call autoconf_bool,CONFIG_IPV6,ipv6) \ \ - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ + $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) \ + $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) \ + $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ + $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) \ \ $(if $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) \ $(if $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) \ ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
On Wed, Jan 24, 2018 at 1:56 PM, Hauke Mehrtens wrote: > On 01/24/2018 05:28 AM, Rosen Penev wrote: >> At least one application (transmission) depends on CURL_CA_BUNDLE being >> set in order to operate properly (Could not connect to tracker errors). >> As far as I can tell, there's no real drawback to doing this for all >> TLS libraries supported by curl. > > Do all of these libraries support --with-ca-bundle ? > OpenSSL I know does. GnuTLS most likely does as it seems to be geared towards desktop systems. > >> >> Signed-off-by: Rosen Penev >> --- >> package/network/utils/curl/Makefile | 10 ++ >> 1 file changed, 6 insertions(+), 4 deletions(-) >> >> diff --git a/package/network/utils/curl/Makefile >> b/package/network/utils/curl/Makefile >> index 17fcf70..930bd10 100644 >> --- a/package/network/utils/curl/Makefile >> +++ b/package/network/utils/curl/Makefile 
>> @@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ >> --without-nss \ >> --without-libmetalink \ >> --without-librtmp \ >> + --without-ca-path \ >> + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ >> \ >> $(call autoconf_bool,CONFIG_IPV6,ipv6) \ >> \ >> - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" >> --without-ca-path >> --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ >> - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" >> --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ >> - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" >> --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ >> - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" >> --without-ca-path >> --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ >> + $(if >> $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) >> \ >> + $(if >> $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) >> \ >> + $(if >> $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ >> + $(if >> $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) >> \ >> \ >> $(if >> $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) >> \ >> $(if >> $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) >> \ >> > ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
On 01/24/2018 05:28 AM, Rosen Penev wrote: > At least one application (transmission) depends on CURL_CA_BUNDLE being > set in order to operate properly (Could not connect to tracker errors). > As far as I can tell, there's no real drawback to doing this for all > TLS libraries supported by curl. Do all of these libraries support --with-ca-bundle ? > > Signed-off-by: Rosen Penev > --- > package/network/utils/curl/Makefile | 10 ++ > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/package/network/utils/curl/Makefile > b/package/network/utils/curl/Makefile > index 17fcf70..930bd10 100644 > --- a/package/network/utils/curl/Makefile > +++ b/package/network/utils/curl/Makefile 
> @@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ > --without-nss \ > --without-libmetalink \ > --without-librtmp \ > + --without-ca-path \ > + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ > \ > $(call autoconf_bool,CONFIG_IPV6,ipv6) \ > \ > - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" > --without-ca-path > --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ > - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" > --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ > - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" > --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ > - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" > --without-ca-path > --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ > + $(if > $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) > \ > + $(if > $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) > \ > + $(if > $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ > + $(if > $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) > \ > \ > $(if > $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) > \ > $(if > $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) > \ > ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
How will this play with people with ca-certificates installed rather than ca-bundle? Rosen Penev wrote: > At least one application (transmission) depends on > CURL_CA_BUNDLE being set in order to operate properly (Could > not connect to tracker errors). As far as I can tell, there's > no real drawback to doing this for all TLS libraries supported > by curl. > > Signed-off-by: Rosen Penev > --- > package/network/utils/curl/Makefile | 10 ++ > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/package/network/utils/curl/Makefile > b/package/network/utils/curl/Makefile index 17fcf70..930bd10 > 100644 > --- a/package/network/utils/curl/Makefile > +++ b/package/network/utils/curl/Makefile 
> @@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ > --without-nss \ > --without-libmetalink \ > --without-librtmp \ > + --without-ca-path \ > + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ > \ > $(call autoconf_bool,CONFIG_IPV6,ipv6) \ > \ > - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" > --without-ca-path > --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ > - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" > --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ > - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" > --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ > - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" > --without-ca-path > --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ > + $(if > $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) > \ > + $(if > $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) > \ > + $(if > $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ > + $(if > $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) > \ > \ > $(if > $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) > \ > $(if > $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) > \ > -- > 2.7.4 > > > ___ > Lede-dev mailing list > Lede-dev@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/lede-dev signature.html Description: OpenPGP Digital Signature ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
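The question above (devices that carry the per-file ca-certificates layout rather than the ca-bundle file) and the CURL_CA_BUNDLE workaround mentioned elsewhere in the thread are illustrated by the following added POSIX sh example. It is not part of this thread, of the LEDE curl package, or of transmission; the helper names `curl_ca_args` and `export_ca_bundle` and the fixture files it creates are constructed for the demonstration, and only the default bundle path matches what the patch configures.

```shell
#!/bin/sh
# Added example (not from the LEDE thread or the curl package): pick the
# trust-store option a curl invocation should get on a device, depending on
# whether the ca-bundle file or the hashed per-file ca-certificates layout is
# installed. The default bundle path is the one the patch hard-codes; the
# helper names are assumptions made for this example.

CA_BUNDLE_DEFAULT=/etc/ssl/certs/ca-certificates.crt
CA_DIR_DEFAULT=/etc/ssl/certs

# Print the curl verification argument to use.
#   $1 = bundle file (optional), $2 = hashed certificate directory (optional)
# Prints "--cacert FILE" when a non-empty PEM bundle exists, otherwise
# "--capath DIR" when the directory holds OpenSSL/GnuTLS-style hashed entries
# (<8 hex digits>.<n>), otherwise prints nothing and returns 1 so that the
# caller fails closed instead of falling back to disabling verification.
curl_ca_args() {
    bundle=${1:-$CA_BUNDLE_DEFAULT}
    dir=${2:-$CA_DIR_DEFAULT}
    if [ -s "$bundle" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
        printf '%s\n' "--cacert $bundle"
        return 0
    fi
    if [ -d "$dir" ] && ls "$dir" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        printf '%s\n' "--capath $dir"
        return 0
    fi
    return 1
}

# Export CURL_CA_BUNDLE (read by the curl command-line tool and, per the
# thread, needed by transmission) only when a usable bundle file is present;
# exporting a path that does not exist would just move the failure elsewhere.
export_ca_bundle() {
    bundle=${1:-$CA_BUNDLE_DEFAULT}
    if [ -s "$bundle" ]; then
        CURL_CA_BUNDLE=$bundle
        export CURL_CA_BUNDLE
        return 0
    fi
    return 1
}

# Stand-alone demo on constructed fixtures (a fake one-entry bundle and a fake
# hashed directory), so it runs without touching the real /etc/ssl/certs.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/bundle.crt"
mkdir -p "$demo_dir/hashed" "$demo_dir/empty"
: > "$demo_dir/hashed/5ed36f99.0"
echo "bundle present:   $(curl_ca_args "$demo_dir/bundle.crt" "$demo_dir/hashed")"
echo "hashed dir only:  $(curl_ca_args "$demo_dir/none.crt" "$demo_dir/hashed")"
curl_ca_args "$demo_dir/none.crt" "$demo_dir/empty" \
    || echo "no trust store:   refusing to verify without CA material"
export_ca_bundle "$demo_dir/bundle.crt" && echo "CURL_CA_BUNDLE=$CURL_CA_BUNDLE"
rm -rf "$demo_dir"
```

On a device, `curl $(curl_ca_args) https://example.invalid/` would pass `--cacert` where the bundle package is installed and `--capath` where only the hashed directory exists, which is exactly the distinction the patch removes at build time by dropping `--with-ca-path`.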
[LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.
At least one application (transmission) depends on CURL_CA_BUNDLE being set in order to operate properly (Could not connect to tracker errors). As far as I can tell, there's no real drawback to doing this for all TLS libraries supported by curl. Signed-off-by: Rosen Penev --- package/network/utils/curl/Makefile | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 17fcf70..930bd10 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile 
@@ -111,13 +111,15 @@ CONFIGURE_ARGS += \ --without-nss \ --without-libmetalink \ --without-librtmp \ + --without-ca-path \ + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ \ $(call autoconf_bool,CONFIG_IPV6,ipv6) \ \ - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \ - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \ - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \ - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr" --without-ca-path --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \ + $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) \ + $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) \ + $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ + $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) \ \ $(if $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) \ $(if $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) \ -- 2.7.4 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
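Review bot: the two unconditional additions `+ --without-ca-path \` and `+ --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \` drop the hashed-directory lookup (`--with-ca-path=/etc/ssl/certs`) that the removed GnuTLS and OpenSSL branches relied on, so a device that ships the per-file layout in /etc/ssl/certs but no ca-certificates.crt bundle will fail every TLS verification after this change rather than keep working; either state in the commit message that libcurl now requires the bundle file at that path and make the package depend on whatever provides it, or explain why the directory lookup was not kept for the backends that previously used it. The "no real drawback" claim in the message should also be backed by a runtime verification test against each of the four backends (wolfSSL, GnuTLS, OpenSSL, mbedTLS) the hunk touches, as the thread requests, and the result recorded in the commit message.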