Configured curl:

---Begin OPTIONS List---
===> The following configuration options are available for curl-7.71.0:
     ALTSVC=off: HTTP Alternative Services support
     BROTLI=off: Brotli compression support
     CA_BUNDLE=off: Enable CA bundle for OpenSSL/GnuTLS/mbedTLS
     COOKIES=on: Cookies support
     CURL_DEBUG=off: cURL debug memory tracking
     DEBUG=off: Build with debugging support
     DOCS=on: Build and/or install documentation
     EXAMPLES=off: Build and/or install examples
     IDN=off: International Domain Names support
     IPV6=on: IPv6 protocol support
     METALINK=off: Metalink support
     NTLM=off: NTLM authentication support
     PROXY=on: Proxy support
     PSL=off: Public Suffix List support
     TLS_SRP=off: TLS-SRP (Secure Remote Password) support
====> Options available for the group PROTOCOL
     DICT=off: DICT (RFC 2229) support
     FTP=off: FTP protocol support
     GOPHER=off: Gopher protocol support
     HTTP=on: HTTP/HTTPS support
     HTTP2=on: HTTP/2 support (requires HTTP)
     IMAP=off: IMAP/IMAPS support
     LDAP=off: LDAP protocol support
     LDAPS=off: LDAP protocol over SSL support
     LIBSSH2=off: SCP/SFTP support via libssh2 (requires OPENSSL)
     POP3=off: POP3/POP3S support
     RTMP=off: RTMP protocol support via librtmp
     RTSP=off: Real Time Streaming Protocol (RTSP) support
     SMB=off: SMB/CIFS support
     SMTP=off: SMTP/SMTPS support
     TELNET=off: Telnet support
     TFTP=off: TFTP support
====> GSSAPI Security API support: you have to select exactly one of them
     GSSAPI_BASE=off: GSSAPI support via base system (needs Kerberos)
     GSSAPI_HEIMDAL=off: GSSAPI support via security/heimdal
     GSSAPI_MIT=on: GSSAPI support via security/krb5
     GSSAPI_NONE=off: Disable GSSAPI support
====> DNS resolving options: you have to select exactly one of them
     CARES=off: Asynchronous DNS resolution via c-ares
     THREADED_RESOLVER=on: Threaded DNS resolver
====> SSL protocol support: you can only select none or one of them
     GNUTLS=off: SSL/TLS support via GnuTLS
     NSS=off: SSL/TLS support via NSS
     OPENSSL=on: SSL/TLS support via OpenSSL
     WOLFSSL=off: SSL/TLS support via wolfSSL
===> Use 'make config' to modify these settings
---End OPTIONS List---

Because I rely solely on the system cert store (ssl=base):

# openssl version -d
OPENSSLDIR: "/etc/ssl"

Either OPENSSLDIR/cert.pem or OPENSSLDIR/certs/. This is only enabled in curl when --with-ca-fallback is enabled. This option is only valid for OpenSSL and GnuTLS:

> AC_MSG_CHECKING([whether to use builtin CA store of SSL library])
> AC_ARG_WITH(ca-fallback,
> AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library])
> AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]),
> [
>   if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then
>     AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter])
>   fi
> ],
> [ with_ca_fallback="no"])
> AC_MSG_RESULT([$with_ca_fallback])
> if test "x$with_ca_fallback" = "xyes"; then
>   if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then
>     AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS])
>   fi
>   AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ])
> fi

I would expect:

> if CA_BUNDLE=off and SSL_BACKEND in (openssl, gnutls)
>   CONFIGURE_ARGS+=--with-ca-fallback
> endif

Subversion's libserf does set the system cert store if no one is set.
@kevans Can you help here?
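The logic the reporter expects, written out as a FreeBSD ports Makefile fragment. This is an added illustration, not the attached diff or the committed change in ftp/curl/Makefile; it assumes the option names shown in the OPTIONS list above (CA_BUNDLE, OPENSSL, GNUTLS) and the usual bsd.port.options.mk idiom for testing them. It also covers ssl=base, since that selects the OPENSSL option.

```make
# Added illustration, not the patch from attachment 217836 nor r548355.
# Assumes the option names from the port's OPTIONS list (CA_BUNDLE, OPENSSL, GNUTLS).
OPTIONS_DEFINE=	CA_BUNDLE
OPTIONS_SINGLE=	SSL
OPTIONS_SINGLE_SSL=	GNUTLS NSS OPENSSL WOLFSSL

.include <bsd.port.options.mk>

# With CA_BUNDLE off, curl would otherwise be built with no trust anchors at
# all, so every HTTPS connection would fail certificate verification. Ask
# configure to fall back to the SSL library's own store (OPENSSLDIR/cert.pem
# or OPENSSLDIR/certs/). curl's configure only accepts --with-ca-fallback
# for the OpenSSL and GnuTLS backends, hence the backend test.
.if ! ${PORT_OPTIONS:MCA_BUNDLE} && (${PORT_OPTIONS:MOPENSSL} || ${PORT_OPTIONS:MGNUTLS})
CONFIGURE_ARGS+=	--with-ca-fallback
.endif

.include <bsd.port.mk>
```

After rebuilding, `curl-config --configure` prints the configure arguments the binary was built with, so `curl-config --configure | grep -- --with-ca-fallback` is a quick way to confirm the flag actually reached the build before trusting the resulting curl against an internal CA.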
Created attachment 217836
svn(1) diff against the ports tree

This should do the trick -- test builds OK with CA_BUNDLE off and:
- both ssl=base and ssl=libressl w/ OPENSSL
- GNUTLS

I only confirmed for !GNUTLS/OPENSSL options that it wasn't adding the config arg.
(In reply to Kyle Evans from comment #2)

Works for me with ssl=base against an internal server with corporate CA from /etc/ssl/certs.

> fstatat(AT_FDCWD,"/etc/ssl/certs//d4555404.0",{ mode=-rw-r--r-- ,inode=1043597,size=3988,blksize=32768 },0x0) = 0 (0x0)
> open("/etc/ssl/certs//d4555404.0",O_RDONLY,0666) = 6 (0x6)
A commit references this bug:

Author: sunpoet
Date: Sat Sep 12 12:11:07 UTC 2020
New revision: 548355
URL: https://svnweb.freebsd.org/changeset/ports/548355

Log:
  Use built-in CA store of OpenSSL/GnuTLS when CA_BUNDLE is disabled

  PR:		248047
  Reported by:	Michael Osipov <michael.osipov@siemens.com>
  Submitted by:	kevans

Changes:
  head/ftp/curl/Makefile
Committed. Thanks!