Bug 248047

Summary: ftp/curl: curl is unusable when CA_BUNDLE is off
Product: Ports & Packages Reporter: Michael Osipov <michael.osipov>
Component: Individual Port(s)Assignee: Po-Chuan Hsieh <sunpoet>
Status: Closed FIXED    
Severity: Affects Some People CC: kevans, michael.osipov, sunpoet, swills
Priority: --- Flags: bugzilla: maintainer-feedback? (sunpoet)
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
svn(1) diff against the ports tree kevans: maintainer-approval? (sunpoet)

Description Michael Osipov 2020-07-17 15:47:12 UTC 
Configured curl:
---Begin OPTIONS List---
===> The following configuration options are available for curl-7.71.0:
     ALTSVC=off: HTTP Alternative Services support
     BROTLI=off: Brotli compression support
     CA_BUNDLE=off: Enable CA bundle for OpenSSL/GnuTLS/mbedTLS
     COOKIES=on: Cookies support
     CURL_DEBUG=off: cURL debug memory tracking
     DEBUG=off: Build with debugging support
     DOCS=on: Build and/or install documentation
     EXAMPLES=off: Build and/or install examples
     IDN=off: International Domain Names support
     IPV6=on: IPv6 protocol support
     METALINK=off: Metalink support
     NTLM=off: NTLM authentication support
     PROXY=on: Proxy support
     PSL=off: Public Suffix List support
     TLS_SRP=off: TLS-SRP (Secure Remote Password) support
====> Options available for the group PROTOCOL
     DICT=off: DICT (RFC 2229) support
     FTP=off: FTP protocol support
     GOPHER=off: Gopher protocol support
     HTTP=on: HTTP/HTTPS support
     HTTP2=on: HTTP/2 support (requires HTTP)
     IMAP=off: IMAP/IMAPS support
     LDAP=off: LDAP protocol support
     LDAPS=off: LDAP protocol over SSL support
     LIBSSH2=off: SCP/SFTP support via libssh2 (requires OPENSSL)
     POP3=off: POP3/POP3S support
     RTMP=off: RTMP protocol support via librtmp
     RTSP=off: Real Time Streaming Protocol (RTSP) support
     SMB=off: SMB/CIFS support
     SMTP=off: SMTP/SMTPS support
     TELNET=off: Telnet support
     TFTP=off: TFTP support
====> GSSAPI Security API support: you have to select exactly one of them
     GSSAPI_BASE=off: GSSAPI support via base system (needs Kerberos)
     GSSAPI_HEIMDAL=off: GSSAPI support via security/heimdal
     GSSAPI_MIT=on: GSSAPI support via security/krb5
     GSSAPI_NONE=off: Disable GSSAPI support
====> DNS resolving options: you have to select exactly one of them
     CARES=off: Asynchronous DNS resolution via c-ares
     THREADED_RESOLVER=on: Threaded DNS resolver
====> SSL protocol support: you can only select none or one of them
     GNUTLS=off: SSL/TLS support via GnuTLS
     NSS=off: SSL/TLS support via NSS
     OPENSSL=on: SSL/TLS support via OpenSSL
     WOLFSSL=off: SSL/TLS support via wolfSSL
===> Use 'make config' to modify these settings
---End OPTIONS List---

Because I solely on the system cert store (ssl=base):
# openssl version -d
OPENSSLDIR: "/etc/ssl"

Either OPENSSLDIR/cert.pem or OPENSSLDIR/certs/. This is is only enabled in curl when --with-ca-fallback is enabled. This options is only valid for:
>   AC_MSG_CHECKING([whether to use builtin CA store of SSL library])
>   AC_ARG_WITH(ca-fallback,
> AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library])
> AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]),
>   [
>     if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then
>       AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter])
>     fi
>   ],
>   [ with_ca_fallback="no"])
>   AC_MSG_RESULT([$with_ca_fallback])
>   if test "x$with_ca_fallback" = "xyes"; then
>     if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then
>       AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS])
>     fi
>     AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ])
>   fi

OpenSSL and GnuTLS.

I would expect:
> if CA_BUNDLE=off and SSL_BACKEND in (openssl, gnutls)
    CONFIGURE_ARGS+=--with-ca-fallback
  endif

Subversion's libserf does set the system cert store if no one is set.
Comment 1 Michael Osipov 2020-09-09 09:39:31 UTC 
@kevans Can you help here?
Comment 2 Kyle Evans freebsd_committer freebsd_triage 2020-09-09 10:51:10 UTC 
Created attachment 217836 [details]
svn(1) diff against the ports tree

This should do the trick -- test builds OK with CA_BUNDLE off and:

- both ssl=base and ssl=libressl w/ OPENSSL 
- GNUTLS

I only confirmed for !GNUTLS/OPENSSL options that it wasn't adding the config arg.
Comment 3 Michael Osipov 2020-09-09 11:21:49 UTC 
(In reply to Kyle Evans from comment #2)

Works for me with ssl=base against a internal server with corporate CA from /etc/ssl/certs.

> fstatat(AT_FDCWD,"/etc/ssl/certs//d4555404.0",{ mode=-rw-r--r-- ,inode=1043597,size=3988,blksize=32768 },0x0) = 0 (0x0)
> open("/etc/ssl/certs//d4555404.0",O_RDONLY,0666) = 6 (0x6)
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-09-12 12:12:13 UTC 
A commit references this bug:

Author: sunpoet
Date: Sat Sep 12 12:11:07 UTC 2020
New revision: 548355
URL: https://svnweb.freebsd.org/changeset/ports/548355

Log:
  Use built-in CA store of OpenSSL/GnuTLS when CA_BUNDLE is disabled

  PR:		248047
  Reported by:	Michael Osipov <michael.osipov@siemens.com>
  Submitted by:	kevans

Changes:
  head/ftp/curl/Makefile
Comment 5 Po-Chuan Hsieh freebsd_committer freebsd_triage 2020-09-12 12:15:24 UTC 
Committed. Thanks!