* [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. @ 2015-04-02 21:18 Rüdiger, Christoph 2015-04-09 8:58 ` Michael Olbrich 0 siblings, 1 reply; 6+ messages in thread From: Rüdiger, Christoph @ 2015-04-02 21:18 UTC (permalink / raw) To: ptxdist [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. Signed-off-by: Christoph Ruediger <christoph.ruediger@thyssenkrupp.com> --- rules/libcurl.in | 27 +++++++++++++++++++++++++++ rules/libcurl.make | 21 ++++++++++++++++++--- 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/rules/libcurl.in b/rules/libcurl.in index 0ad7fb4..bdb0ad5 100644 --- a/rules/libcurl.in +++ b/rules/libcurl.in @@ -41,6 +41,33 @@ config LIBCURL_FILE config LIBCURL_SSL bool "ssl" +if LIBCURL_SSL + +choice + prompt "Central CA certificate storage" + + config LIBCURL_SSL_NOCA + bool "No CA storage" + + config LIBCURL_SSL_CAPATH + bool "CA directory" + + config LIBCURL_SSL_CABUNDLE + bool "CA bundle" +endchoice + +config LIBCURL_SSL_CAPATH_PATH + string "CA directory path" + depends on LIBCURL_SSL_CAPATH + default "/etc/ssl/certs" + +config LIBCURL_SSL_CABUNDLE_PATH + string "CA bundle path" + depends on LIBCURL_SSL_CABUNDLE + default "/etc/ssl/certs/ca-certificates.crt" + +endif + config LIBCURL_CRYPTO_AUTH bool "cryptographic authentication" diff --git a/rules/libcurl.make b/rules/libcurl.make index 5babcb0..d6cb36c 100644 --- a/rules/libcurl.make +++ b/rules/libcurl.make @@ -62,8 +62,6 @@ LIBCURL_AUTOCONF := \ --without-gssapi \ --without-gnutls \ --without-nss \ - --without-ca-bundle \ - --without-ca-path \ --without-libidn \ --without-axtls \ --without-cyassl \ 
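Review bot: the new `choice` and the two path options in the libcurl.in hunk carry no `help` text, and this is an option where the reader needs it: the path is only compiled into libcurl as the default place to look, nothing in this patch installs a bundle or a directory there, and with the `CA directory` form the directory must be in the layout the TLS backend expects (for OpenSSL, hash-named files as produced by c_rehash) or no certificate is ever found. Suggest a `help` block under LIBCURL_SSL_CAPATH_PATH and LIBCURL_SSL_CABUNDLE_PATH saying so, and an explicit `default LIBCURL_SSL_NOCA` on the choice, so that the old behaviour (no built-in CA location) is the documented default rather than a consequence of LIBCURL_SSL_NOCA being listed first.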
@@ -78,8 +76,25 @@ LIBCURL_AUTOCONF := \ ifdef PTXCONF_LIBCURL_SSL LIBCURL_AUTOCONF += --with-ssl=$(SYSROOT) +ifdef PTXCONF_LIBCURL_SSL_CABUNDLE +LIBCURL_AUTOCONF += \ + --with-ca-bundle=$(PTXCONF_LIBCURL_SSL_CABUNDLE_PATH) \ + --without-ca-path +else +ifdef PTXCONF_LIBCURL_SSL_CAPATH +LIBCURL_AUTOCONF += \ + --with-ca-path=$(PTXCONF_LIBCURL_SSL_CAPATH_PATH) \ + --without-ca-bundle else -LIBCURL_AUTOCONF += --without-ssl +LIBCURL_AUTOCONF += \ + --without-ca-bundle \ + --without-ca-path +endif +endif +else +LIBCURL_AUTOCONF += --without-ssl \ + --without-ca-bundle \ + --without-ca-path endif # ---------------------------------------------------------------------------- -- 1.9.1 -- ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 6+ messages in thread
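Review bot: in the second libcurl.make hunk the values of PTXCONF_LIBCURL_SSL_CABUNDLE_PATH and PTXCONF_LIBCURL_SSL_CAPATH_PATH are spliced into the configure line unchecked, so an empty or relative value ends up as `--with-ca-bundle=` or as a relative path compiled into the library; suggest failing early with `$(error ...)` when the value is empty or does not start with `/`. The nested `else` / `ifdef` is also harder to read than it needs to be: the three symbols form a Kconfig choice, so exactly one of them is set, and three sibling `ifdef` blocks, one per symbol, would say that directly. The `--without-ca-bundle --without-ca-path` added to the `--without-ssl` branch is harmless but redundant. Worth a sentence in the commit message as well: with LIBCURL_SSL_NOCA (the behaviour before this patch) libcurl has no default trust store at all, so peer verification fails for every HTTPS connection unless the application sets CURLOPT_CAINFO or CURLOPT_CAPATH itself, which is exactly the situation that tempts people into CURLOPT_SSL_VERIFYPEER=0.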
* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. 2015-04-02 21:18 [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file Rüdiger, Christoph @ 2015-04-09 8:58 ` Michael Olbrich 2015-04-09 10:05 ` Rüdiger, Christoph 0 siblings, 1 reply; 6+ messages in thread From: Michael Olbrich @ 2015-04-09 8:58 UTC (permalink / raw) To: ptxdist On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote: > [PATCH] libcurl: Added an option set to compile libcurl with optional > builtin CA certificate default directory or builtin CA certificate default > bundle file. > > Signed-off-by: Christoph Ruediger <christoph.ruediger@thyssenkrupp.com> > --- > rules/libcurl.in | 27 +++++++++++++++++++++++++++ > rules/libcurl.make | 21 ++++++++++++++++++--- > 2 files changed, 45 insertions(+), 3 deletions(-) > > diff --git a/rules/libcurl.in b/rules/libcurl.in > index 0ad7fb4..bdb0ad5 100644 > --- a/rules/libcurl.in > +++ b/rules/libcurl.in > @@ -41,6 +41,33 @@ config LIBCURL_FILE > config LIBCURL_SSL > bool "ssl" > > +if LIBCURL_SSL > + > +choice > + prompt "Central CA certificate storage" > + > + config LIBCURL_SSL_NOCA > + bool "No CA storage" > + > + config LIBCURL_SSL_CAPATH > + bool "CA directory" > + > + config LIBCURL_SSL_CABUNDLE > + bool "CA bundle" > +endchoice > + > +config LIBCURL_SSL_CAPATH_PATH > + string "CA directory path" > + depends on LIBCURL_SSL_CAPATH > + default "/etc/ssl/certs" > + > +config LIBCURL_SSL_CABUNDLE_PATH > + string "CA bundle path" > + depends on LIBCURL_SSL_CABUNDLE > + default "/etc/ssl/certs/ca-certificates.crt" Any reason, why these paths should be configurable? And we need a package that provides those files, right? Michael > + > +endif > + > config LIBCURL_CRYPTO_AUTH > bool "cryptographic authentication" 
> > diff --git a/rules/libcurl.make b/rules/libcurl.make > index 5babcb0..d6cb36c 100644 > --- a/rules/libcurl.make > +++ b/rules/libcurl.make > @@ -62,8 +62,6 @@ LIBCURL_AUTOCONF := \ > --without-gssapi \ > --without-gnutls \ > --without-nss \ > - --without-ca-bundle \ > - --without-ca-path \ > --without-libidn \ > --without-axtls \ > --without-cyassl \ > @@ -78,8 +76,25 @@ LIBCURL_AUTOCONF := \ > > ifdef PTXCONF_LIBCURL_SSL > LIBCURL_AUTOCONF += --with-ssl=$(SYSROOT) > +ifdef PTXCONF_LIBCURL_SSL_CABUNDLE > +LIBCURL_AUTOCONF += \ > + --with-ca-bundle=$(PTXCONF_LIBCURL_SSL_CABUNDLE_PATH) \ > + --without-ca-path > +else > +ifdef PTXCONF_LIBCURL_SSL_CAPATH > +LIBCURL_AUTOCONF += \ > + --with-ca-path=$(PTXCONF_LIBCURL_SSL_CAPATH_PATH) \ > + --without-ca-bundle > else > -LIBCURL_AUTOCONF += --without-ssl > +LIBCURL_AUTOCONF += \ > + --without-ca-bundle \ > + --without-ca-path > +endif > +endif > +else > +LIBCURL_AUTOCONF += --without-ssl \ > + --without-ca-bundle \ > + --without-ca-path > endif > > # ---------------------------------------------------------------------------- > -- > 1.9.1 > > -- > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. 2015-04-09 8:58 ` Michael Olbrich @ 2015-04-09 10:05 ` Rüdiger, Christoph 2015-04-09 15:27 ` Michael Olbrich 0 siblings, 1 reply; 6+ messages in thread From: Rüdiger, Christoph @ 2015-04-09 10:05 UTC (permalink / raw) To: ptxdist > -----Original Message----- > From: ptxdist-bounces@pengutronix.de [mailto:ptxdist- > bounces@pengutronix.de] On Behalf Of Michael Olbrich > Sent: Thursday, April 09, 2015 10:58 AM > To: ptxdist@pengutronix.de > Subject: Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl > with optional builtin CA certificate default directory or builtin CA certificate > default bundle file. > > On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote: > > [PATCH] libcurl: Added an option set to compile libcurl with optional > > builtin CA certificate default directory or builtin CA certificate > > default bundle file. > > > > Signed-off-by: Christoph Ruediger > > <christoph.ruediger@thyssenkrupp.com> > > --- > > rules/libcurl.in | 27 +++++++++++++++++++++++++++ > > rules/libcurl.make | 21 ++++++++++++++++++--- > > 2 files changed, 45 insertions(+), 3 deletions(-) > > > > diff --git a/rules/libcurl.in b/rules/libcurl.in index > > 0ad7fb4..bdb0ad5 100644 > > --- a/rules/libcurl.in > > +++ b/rules/libcurl.in 
> > @@ -41,6 +41,33 @@ config LIBCURL_FILE config LIBCURL_SSL > > bool "ssl" > > > > +if LIBCURL_SSL > > + > > +choice > > + prompt "Central CA certificate storage" > > + > > + config LIBCURL_SSL_NOCA > > + bool "No CA storage" > > + > > + config LIBCURL_SSL_CAPATH > > + bool "CA directory" > > + > > + config LIBCURL_SSL_CABUNDLE > > + bool "CA bundle" > > +endchoice > > + > > +config LIBCURL_SSL_CAPATH_PATH > > + string "CA directory path" > > + depends on LIBCURL_SSL_CAPATH > > + default "/etc/ssl/certs" > > + > > +config LIBCURL_SSL_CABUNDLE_PATH > > + string "CA bundle path" > > + depends on LIBCURL_SSL_CABUNDLE > > + default "/etc/ssl/certs/ca-certificates.crt" > > Any reason, why these paths should be configurable? /etc/ssl/certs seems to be the most common path to store certificates in. However, we maintain RedHat servers here which use different paths by default. That's the reason why I made it configurable. > And we need a package that provides those files, right? In my opinion, such a package is nothing for the general ptxdist. It is highly project depending, at least in our company. We do not deploy a set of default CAs like you have it in the general purpose desktop or server distributions. For us it is very rare to have two projects with the same set of CA certificates. Even if we add a certificates package, this should be more related to the openssl package itself than to the openssl user packages like curl. Curl runs fine even if the default path (CA path or CA bundle) does not exist. It is just not finding proper certificates to validate SSL/TLS connections. This is the same behavior as today, where curl is configured to not look anywhere for matching certificates. 
Best regards,
Christoph

--
Christoph Ruediger
Developer
ThyssenKrupp Elevator Innovation GmbH
PDC Neuhausen
TKEI Elevator Control
Bernhaeuser Straße 45
73765 Neuhausen, Germany
Phone +49 7158 12-2615
christoph.ruediger@thyssenkrupp.com

Company domicile: Essen
Commercial register: Essen HRB 20 839
Postal address: ThyssenKrupp Allee 1, 45143 Essen, Germany
Executive Board: Gerhard Thumm, Katrin Huenger, Philippe Choleau
* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. 2015-04-09 10:05 ` Rüdiger, Christoph @ 2015-04-09 15:27 ` Michael Olbrich 2015-04-10 13:40 ` Bruno Thomsen 0 siblings, 1 reply; 6+ messages in thread From: Michael Olbrich @ 2015-04-09 15:27 UTC (permalink / raw) To: ptxdist; +Cc: Bruno Thomsen Added Bruno Thomsen to Cc. He had some patches about this as well. On Thu, Apr 09, 2015 at 10:05:55AM +0000, Rüdiger, Christoph wrote: > > On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote: > > > [PATCH] libcurl: Added an option set to compile libcurl with optional > > > builtin CA certificate default directory or builtin CA certificate > > > default bundle file. > > > > > > Signed-off-by: Christoph Ruediger > > > <christoph.ruediger@thyssenkrupp.com> > > > --- > > > rules/libcurl.in | 27 +++++++++++++++++++++++++++ > > > rules/libcurl.make | 21 ++++++++++++++++++--- > > > 2 files changed, 45 insertions(+), 3 deletions(-) > > > > > > diff --git a/rules/libcurl.in b/rules/libcurl.in index > > > 0ad7fb4..bdb0ad5 100644 > > > --- a/rules/libcurl.in > > > +++ b/rules/libcurl.in 
> > > @@ -41,6 +41,33 @@ config LIBCURL_FILE config LIBCURL_SSL > > > bool "ssl" > > > > > > +if LIBCURL_SSL > > > + > > > +choice > > > + prompt "Central CA certificate storage" > > > + > > > + config LIBCURL_SSL_NOCA > > > + bool "No CA storage" > > > + > > > + config LIBCURL_SSL_CAPATH > > > + bool "CA directory" > > > + > > > + config LIBCURL_SSL_CABUNDLE > > > + bool "CA bundle" > > > +endchoice > > > + > > > +config LIBCURL_SSL_CAPATH_PATH > > > + string "CA directory path" > > > + depends on LIBCURL_SSL_CAPATH > > > + default "/etc/ssl/certs" > > > + > > > +config LIBCURL_SSL_CABUNDLE_PATH > > > + string "CA bundle path" > > > + depends on LIBCURL_SSL_CABUNDLE > > > + default "/etc/ssl/certs/ca-certificates.crt" > > > > Any reason, why these paths should be configurable? > > /etc/ssl/certs seems to be the most common path to store certificates in. > However, we maintain RedHat servers here which use different paths by > default. That's the reason why I made it configurable. Ok. > > And we need a package that provides those files, right? > > In my opinion, such a package is nothing for the general ptxdist. It is > highly project depending, at least in our company. We do not deploy a set of > default CAs like you have it in the general purpose desktop or server > distributions. For us it is very rare to have two projects with the same set > of CA certificates. > Even if we add a certificates package, this should be more related to the > openssl package itself than to the openssl user packages like curl. > > Curl runs fine even if the default path (CA path or CA bundle) does not > exist. It is just not finding proper certificates to validate SSL/TLS > connections. This is the same behavior as today, where curl is configured to > not look anywhere for matching certificates. To create a bundle we would need the script mk-ca-bundle.pl that comes with curl, right? 
Bruno, if I apply this patch here, you could change your host-certdata package into a target package that installs the CA bundle itself. Would that make sense to you?

Michael
* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. 2015-04-09 15:27 ` Michael Olbrich @ 2015-04-10 13:40 ` Bruno Thomsen 2015-04-27 8:53 ` Michael Olbrich 0 siblings, 1 reply; 6+ messages in thread From: Bruno Thomsen @ 2015-04-10 13:40 UTC (permalink / raw) To: ptxdist; +Cc: Bruno Thomsen

> > > Any reason, why these paths should be configurable?
> >
> > /etc/ssl/certs seems to be the most common path to store certificates in.
> > However, we maintain RedHat servers here which use different paths by
> > default. That's the reason why I made it configurable.
>
> Ok.

I think it's okay to make it configurable. Ubuntu uses /usr/share/ca-certificates/ so it seems to be very distribution specific.

> > > And we need a package that provides those files, right?
> >
> > In my opinion, such a package is nothing for the general ptxdist. It
> > is highly project depending, at least in our company. We do not deploy
> > a set of default CAs like you have it in the general purpose desktop
> > or server distributions. For us it is very rare to have two projects
> > with the same set of CA certificates.

The CA/Browser Forum (CA/B) has adopted new guidelines that deprecate internal server names and reserved IP addresses [1]. After November 1, 2015 certificates for internal names will no longer be trusted. In other words the public CAs like DigiCert, VeriSign, etc. must only issue certificates to public internet domains with FQDNs. This will cause an increase of private CAs when devices/servers only communicate on closed networks without internet access.

Inclusion of private CA trust chains is IMHO out of ptxdist scope. But it's a completely different question if ptxdist should have an option to include a public CA bundle. There are many use-cases where communication over the internet is useful in embedded devices.

The most obvious is GSM/UMTS/LTE connected devices, since setting up a customer-specific APN with a VPN between the server hosting and the telecommunication company is rather costly. So the embedded device connects with a standard "internet" APN and gains NAT'ed internet access, where it can connect to an HTTPS or IPsec server that presents a publicly signed certificate. So the embedded device only needs to be programmed with the customer server FQDN and not a customer-specific private CA certificate that might not be known at the time of product ordering.

> > Even if we add a certificates package, this should be more related to
> > the openssl package itself than to the openssl user packages like curl.
> >
> > Curl runs fine even if the default path (CA path or CA bundle) does
> > not exist. It is just not finding proper certificates to validate
> > SSL/TLS connections. This is the same behavior as today, where curl is
> > configured to not look anywhere for matching certificates.
>
> To create a bundle we would need the script mk-ca-bundle.pl that comes with curl, right?

Yes.

> Bruno, if I apply this patch here, you could change your host-certdata package into a target package that installs the CA bundle itself. Would that make sense to you?

Okay, so I change the host-certdata package to a public-ca-bundle target package in the network section that selects LIBCURL_SSL_CABUNDLE and runs the mk-ca-bundle.pl script from curl and installs the result into LIBCURL_SSL_CABUNDLE_PATH.

/Bruno

[1] https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf
* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file. 2015-04-10 13:40 ` Bruno Thomsen @ 2015-04-27 8:53 ` Michael Olbrich 0 siblings, 0 replies; 6+ messages in thread From: Michael Olbrich @ 2015-04-27 8:53 UTC (permalink / raw) To: ptxdist

On Fri, Apr 10, 2015 at 01:40:27PM +0000, Bruno Thomsen wrote:
> > To create a bundle we would need the script mk-ca-bundle.pl that comes with curl, right?
>
> Yes.
>
> > Bruno, if I apply this patch here, you could change your host-certdata package into a target package that installs the CA bundle itself. Would that make sense to you?
>
> Okay, so I change the host-certdata package to a public-ca-bundle target
> package in the network section that selects LIBCURL_SSL_CABUNDLE and run the
> mk-ca-bundle.pl script from curl and install the result into
> LIBCURL_SSL_CABUNDLE_PATH.

So, I had my own use-case for this. I've now created a ca-certificates package. I've imported the script used by Debian to split the certdata.txt. I've applied this patch and added an option to libcurl to explicitly use this.

Christoph: can you verify that I didn't break your use-case?
Bruno: I think this works for you as well?

I think we talked about the version for the certdata.txt file before. I decided to use the latest commit hash from 'default' and use the date as version to give some indication how old it is. This way, we can have the latest version but keep it reproducible.

Michael
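The bundle step that Bruno and Michael describe above (mk-ca-bundle.pl turning Mozilla's certdata.txt into the file installed at LIBCURL_SSL_CABUNDLE_PATH, or Debian's script splitting the same file), as an added example that is not part of the thread and is not curl's, Debian's or ptxdist's code: a Python converter that parses the certdata.txt object syntax and writes a PEM bundle containing only the roots Mozilla trusts for TLS server authentication. The input is constructed; the DER values are placeholder bytes, not real certificates, pairing certificate and trust records by label is this example's simplification, and the output file name in the usage comment is an assumption.

```python
# Added example (not curl's, Debian's or ptxdist's code): build a PEM CA bundle
# from Mozilla's certdata.txt, which is the job of curl's mk-ca-bundle.pl.
import base64
import re
import sys
import textwrap

# Constructed sample in certdata.txt syntax (assumption): the DER values are a
# few placeholder bytes, not real CA certificates.  Real files hold hundreds.
SAMPLE_CERTDATA = r"""
BEGINDATA
# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\006\002\001\001\002
\001\002
END
# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Certificate "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\377
END
# Trust for "Example Distrusted Root" (explicitly distrusted for TLS)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

OCTAL = re.compile(r"\\([0-7]{3})")


def parse_certdata(text):
    """Return a list of objects (dicts of attribute -> value).  Lines are
    'ATTR TYPE VALUE'; CKA_CLASS starts a new object; a MULTILINE_OCTAL value
    runs until a line reading END and is decoded to bytes."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or the bare BEGINDATA marker
        name, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            chunks = []
            for oct_line in lines:  # same iterator, so the outer loop resumes after END
                if oct_line.strip() == "END":
                    break
                chunks.append(bytes(int(o, 8) for o in OCTAL.findall(oct_line)))
            value = b"".join(chunks)
        else:
            value = parts[2] if len(parts) > 2 else ""
            if typ == "UTF8":
                value = value.strip('"')
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[name] = value
    return objects


def build_bundle(text):
    """Return (pem_text, included_labels, skipped_labels).  Certificates and
    trust records are paired by CKA_LABEL; as in mk-ca-bundle.pl's default
    selection, only roots with CKA_TRUST_SERVER_AUTH = CKT_NSS_TRUSTED_DELEGATOR
    are written, so distrusted roots and e-mail/code-signing-only roots stay out."""
    certs, trust = {}, {}
    for obj in parse_certdata(text):
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            certs[obj["CKA_LABEL"]] = obj["CKA_VALUE"]
        elif obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            trust[obj["CKA_LABEL"]] = obj.get("CKA_TRUST_SERVER_AUTH", "")
    included, skipped, out = [], [], []
    for label, der in certs.items():
        if trust.get(label) != "CKT_NSS_TRUSTED_DELEGATOR":
            skipped.append(label)
            continue
        included.append(label)
        body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
        out.append("%s\n%s\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % (label, "=" * len(label), body))
    return "\n".join(out), included, skipped


if __name__ == "__main__":
    # Usage (file name assumed): python3 mkbundle.py [certdata.txt] > ca-certificates.crt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    pem, included, skipped = build_bundle(src)
    sys.stdout.write(pem)
    sys.stderr.write("%d roots written, %d skipped\n" % (len(included), len(skipped)))
```

The part worth seeing is the trust filter: certdata.txt also carries roots that are trusted only for e-mail or code signing, and roots that Mozilla has explicitly distrusted (CKT_NSS_NOT_TRUSTED), and a bundle that copies every CKO_CERTIFICATE object would put all of them into libcurl's default trust store. Run it against a real certdata.txt by passing the file name as the argument.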