From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: From: Bruno Thomsen Date: Fri, 16 Jan 2015 12:58:45 +0100 Message-ID: <1421409525-13713-2-git-send-email-bth@kamstrup.dk> In-Reply-To: <1421409525-13713-1-git-send-email-bth@kamstrup.dk> References: <1421409525-13713-1-git-send-email-bth@kamstrup.dk> MIME-Version: 1.0 Subject: [ptxdist] [PATCH 2/2] curl: install root CA certificates option Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: m.olbrich@pengutronix.de Cc: ptxdist@pengutronix.de, bth@kamstrup.com From: Bruno Thomsen Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format. The bundle is extracted from Mozilla's release tree by a host package called certdata. Test case 1: openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt Result: Verify return code: 0 (ok) Test case 2: openssl s_client -connect www.google.com:443 Result: Verify return code: 20 (unable to get local issuer certificate) Test case 3: curl https://www.google.com Result: ... Test case 4: rm /usr/share/ca-certificates/curl/ca-bundle.crt curl https://www.google.com Result: curl: (77) error setting certificate verify locations: CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt CApath: none Signed-off-by: Bruno Thomsen
---
 rules/libcurl.in | 18 ++++++++++++++++--
 rules/libcurl.make | 23 ++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/rules/libcurl.in b/rules/libcurl.in
index 0ad7fb4..11c3698 100644
--- a/rules/libcurl.in
+++ b/rules/libcurl.in
@@ -5,8 +5,10 @@ menuconfig LIBCURL
 prompt "libcurl "
 select LIBC_RT
 select ZLIB
- select OPENSSL if LIBCURL_SSL
- select LIBSSH2 if LIBCURL_LIBSSH2
+ select HOST_SYSTEM_PERL if LIBCURL_CA_BUNDLE
+ select HOST_CERTDATA if LIBCURL_CA_BUNDLE
+ select OPENSSL if LIBCURL_SSL
+ select LIBSSH2 if LIBCURL_LIBSSH2
 help
 curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE.
@@ -20,6 +22,18 @@ if LIBCURL
 config LIBCURL_CURL
 bool "install curl program"
+config LIBCURL_CA_BUNDLE
+ bool "install root CA certificates"
+ help
+ Bundle of Root CA Certificates.
+
+ This is a bundle of X.509 certificates of public Certificate Authorities (CA).
+ These were automatically extracted from Mozilla's root certificates
+ file (certdata.txt).
+
+ It contains the certificates in PEM format and therefore
+ can be directly used with curl / libcurl / php_curl / strongswan.
+
 config LIBCURL_HTTP
 bool "http"
 default y
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 5babcb0..7f83ca4 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -62,7 +62,6 @@ LIBCURL_AUTOCONF := \
 --without-gssapi \
 --without-gnutls \
 --without-nss \
- --without-ca-bundle \
 --without-ca-path \
 --without-libidn \
 --without-axtls \
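Review bot: The new `LIBCURL_CA_BUNDLE` option in the second libcurl.in hunk has no dependency on `LIBCURL_SSL`, so it can be enabled on a build that is configured `--without-ssl`, where the bundle is generated and installed but never consulted; adding `depends on LIBCURL_SSL` under the `bool` line would prevent that. The help text would also benefit from one sentence stating that the trust anchors are fixed at image build time from the host certdata package, so a root that is later distrusted upstream stays trusted on the target until the image is rebuilt. The mention of php_curl and strongswan looks inherited from the upstream bundle description; whether those packages read this curl-specific path is not visible here.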
@@ -82,6 +81,25 @@ else
 LIBCURL_AUTOCONF += --without-ssl
 endif
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
+else
+LIBCURL_AUTOCONF += --without-ca-bundle
+endif
+
+# ----------------------------------------------------------------------------
+# Compile
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libcurl.compile:
+ @$(call targetinfo)
+
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+ @cd $(HOST_CERTDATA_DIR)
+ @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -n -v $(LIBCURL_DIR)/ca-bundle.crt
+endif
+ @$(call touch)
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
@@ -99,6 +117,9 @@ ifdef PTXCONF_LIBCURL_CURL
 @$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl)
 endif
 @$(call install_lib, libcurl, 0, 0, 0644, libcurl)
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+ @$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt)
+endif
 @$(call install_finish, libcurl)
-- 
1.9.1
-- 
ptxdist mailing list
ptxdist@pengutronix.de
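Review bot: In the new `libcurl.compile` rule, `@cd $(HOST_CERTDATA_DIR)` sits on its own recipe line, and make runs each recipe line in a separate shell unless `.ONESHELL` is in effect, so the directory change is lost before `mk-ca-bundle.pl` starts. With `-n` the script is meant to reuse an existing certdata.txt from its working directory, so the trust bundle would be built from whatever file is in the inherited directory, or, depending on how this script version handles a missing file, the step fetches one or fails. Chaining the two commands closes that: `@cd $(HOST_CERTDATA_DIR) && $(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -n -v $(LIBCURL_DIR)/ca-bundle.crt`. The rule also replaces the package's compile stage without invoking the normal build; if PTXdist's default rule is what runs it, a `@$(call world/compile, LIBCURL)` line is needed before the bundle step.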
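Review bot: The bundle path `/usr/share/ca-certificates/curl/ca-bundle.crt` is spelled out in this hunk's `install_copy` call and again in the `--with-ca-bundle=` option added in the previous libcurl.make hunk, and curl only finds its trust anchors when the two agree. Defining it once, for example `LIBCURL_CA_BUNDLE_FILE := /usr/share/ca-certificates/curl/ca-bundle.crt`, and using that variable in both places keeps them from drifting apart. A mismatch fails closed with error 77, as test case 4 in the description shows, but it would break every HTTPS transfer on the target. The targetinstall rule begins above this hunk.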