Date: Thu, 9 Apr 2015 17:27:28 +0200
From: Michael Olbrich
Message-ID: <20150409152728.GH9865@pengutronix.de>
In-Reply-To: <1E9AED858BEB204B9DE4F807C7ED0EF61B0F2E01@EMSRVWIN2934.apps.edc.thyssenkrupp.com>
Subject: Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
To: ptxdist@pengutronix.de
Cc: Bruno Thomsen

Added Bruno Thomsen to Cc. He had some patches about this as well.

On Thu, Apr 09, 2015 at 10:05:55AM +0000, Rüdiger, Christoph wrote:
> > On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote:
> > > [PATCH] libcurl: Added an option set to compile libcurl with optional
> > > builtin CA certificate default directory or builtin CA certificate
> > > default bundle file.
> > >
> > > Signed-off-by: Christoph Ruediger
> > >
> > > ---
> > >  rules/libcurl.in   | 27 +++++++++++++++++++++++++++
> > >  rules/libcurl.make | 21 ++++++++++++++++++---
> > >  2 files changed, 45 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/rules/libcurl.in b/rules/libcurl.in index
> > > 0ad7fb4..bdb0ad5 100644
> > > --- a/rules/libcurl.in
> > > +++ b/rules/libcurl.in
> > > @@ -41,6 +41,33 @@ config LIBCURL_FILE
> > >  config LIBCURL_SSL
> > >  bool "ssl"
> > >
> > > +if LIBCURL_SSL
> > > +
> > > +choice
> > > + prompt "Central CA certificate storage"
> > > +
> > > + config LIBCURL_SSL_NOCA
> > > + bool "No CA storage"
> > > +
> > > + config LIBCURL_SSL_CAPATH
> > > + bool "CA directory"
> > > +
> > > + config LIBCURL_SSL_CABUNDLE
> > > + bool "CA bundle"
> > > +endchoice
> > > +
> > > +config LIBCURL_SSL_CAPATH_PATH
> > > + string "CA directory path"
> > > + depends on LIBCURL_SSL_CAPATH
> > > + default "/etc/ssl/certs"
> > > +
> > > +config LIBCURL_SSL_CABUNDLE_PATH
> > > + string "CA bundle path"
> > > + depends on LIBCURL_SSL_CABUNDLE
> > > + default "/etc/ssl/certs/ca-certificates.crt"
> >
> > Any reason why these paths should be configurable?
>
> /etc/ssl/certs seems to be the most common path to store certificates in.
> However, we maintain RedHat servers here which use different paths by
> default. That's the reason why I made it configurable.

Ok.

> > And we need a package that provides those files, right?
>
> In my opinion, such a package is nothing for the general ptxdist. It is
> highly project-dependent, at least in our company. We do not deploy a set of
> default CAs like you have it in the general purpose desktop or server
> distributions. For us it is very rare to have two projects with the same set
> of CA certificates.
> Even if we add a certificates package, this should be more related to the
> openssl package itself than to the openssl user packages like curl.
>
> Curl runs fine even if the default path (CA path or CA bundle) does not
> exist. It is just not finding proper certificates to validate SSL/TLS
> connections. This is the same behavior as today, where curl is configured to
> not look anywhere for matching certificates.

To create a bundle we would need the script mk-ca-bundle.pl that comes with
curl, right?
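Review bot: the new choice and the two path options in the libcurl.in hunk carry no help text, and nothing in the hunk provides the directory or bundle they point at (LIBCURL_SSL_CAPATH_PATH defaults to /etc/ssl/certs, LIBCURL_SSL_CABUNDLE_PATH to /etc/ssl/certs/ca-certificates.crt). The help should say that the project has to install the CA store at that path, for instance through a certificate package, and that until it does curl finds no certificates to validate SSL/TLS connections against, as the discussion itself notes. Also, the choice has no default, so Kconfig takes the first entry, LIBCURL_SSL_NOCA, which keeps today's behaviour for existing configurations; writing `default LIBCURL_SSL_NOCA` under the prompt would make that intent explicit.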
Bruno, if I apply this patch here, you could change your host-certdata
package into a target package that installs the CA bundle itself. Would
that make sense to you?

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |