* [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
@ 2015-04-02 21:18 Rüdiger, Christoph
  2015-04-09  8:58 ` Michael Olbrich
  0 siblings, 1 reply; 6+ messages in thread
From: Rüdiger, Christoph @ 2015-04-02 21:18 UTC (permalink / raw)
  To: ptxdist

[PATCH] libcurl: Added an option set to compile libcurl with optional
 builtin CA certificate default directory or builtin CA certificate default
 bundle file.

Signed-off-by: Christoph Ruediger <christoph.ruediger@thyssenkrupp.com>
---
 rules/libcurl.in   | 27 +++++++++++++++++++++++++++
 rules/libcurl.make | 21 ++++++++++++++++++---
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/rules/libcurl.in b/rules/libcurl.in
index 0ad7fb4..bdb0ad5 100644
--- a/rules/libcurl.in
+++ b/rules/libcurl.in
@@ -41,6 +41,33 @@ config LIBCURL_FILE
 config LIBCURL_SSL
        bool "ssl"
 
+if LIBCURL_SSL
+
+choice
+	prompt "Central CA certificate storage"
+	
+	config LIBCURL_SSL_NOCA
+		bool "No CA storage"
+
+	config LIBCURL_SSL_CAPATH
+		bool "CA directory"
+
+	config LIBCURL_SSL_CABUNDLE
+		bool "CA bundle"
+endchoice
+
+config LIBCURL_SSL_CAPATH_PATH
+	string "CA directory path"
+	depends on LIBCURL_SSL_CAPATH
+	default "/etc/ssl/certs"
+
+config LIBCURL_SSL_CABUNDLE_PATH
+	string "CA bundle path"
+	depends on LIBCURL_SSL_CABUNDLE
+	default "/etc/ssl/certs/ca-certificates.crt"
+
+endif
+
 config LIBCURL_CRYPTO_AUTH
        bool "cryptographic authentication"
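Review bot: The new `choice` block has no `help` text and no explicit `default`, so a user of the menu cannot tell what "No CA storage" means in practice: with neither a CA directory nor a bundle compiled in, libcurl has no default trust store, and peer verification on HTTPS connections fails unless the application itself sets CURLOPT_CAINFO or CURLOPT_CAPATH. Suggest adding `default LIBCURL_SSL_NOCA` (kconfig otherwise picks the first visible entry, which here happens to preserve the previous `--without-ca-*` behaviour, but it is better to say so explicitly) and a `help` block on each entry stating that the path is only a compile-time default baked into libcurl and is not created or populated by this package. The line following `prompt "Central CA certificate storage"` carries a trailing tab that should be dropped.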
 
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 5babcb0..d6cb36c 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -62,8 +62,6 @@ LIBCURL_AUTOCONF := \
 	--without-gssapi \
 	--without-gnutls \
 	--without-nss \
-	--without-ca-bundle \
-	--without-ca-path \
 	--without-libidn \
 	--without-axtls \
 	--without-cyassl \
@@ -78,8 +76,25 @@ LIBCURL_AUTOCONF := \
 
 ifdef PTXCONF_LIBCURL_SSL
 LIBCURL_AUTOCONF += --with-ssl=$(SYSROOT)
+ifdef PTXCONF_LIBCURL_SSL_CABUNDLE
+LIBCURL_AUTOCONF += \
+	--with-ca-bundle=$(PTXCONF_LIBCURL_SSL_CABUNDLE_PATH) \
+	--without-ca-path
+else
+ifdef PTXCONF_LIBCURL_SSL_CAPATH
+LIBCURL_AUTOCONF += \
+	--with-ca-path=$(PTXCONF_LIBCURL_SSL_CAPATH_PATH) \
+	--without-ca-bundle
 else
-LIBCURL_AUTOCONF += --without-ssl
+LIBCURL_AUTOCONF += \
+	--without-ca-bundle \
+	--without-ca-path
+endif
+endif
+else
+LIBCURL_AUTOCONF += --without-ssl \
+	--without-ca-bundle \
+	--without-ca-path
 endif
 
 # ----------------------------------------------------------------------------
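Review bot: The `ifdef PTXCONF_LIBCURL_SSL_CAPATH` nested inside the `else` branch adds a second nesting level and a second `endif` for no gain; GNU make (3.81 and later) accepts `else ifdef`, so the two lines `+else` / `+ifdef PTXCONF_LIBCURL_SSL_CAPATH` can be collapsed into `else ifdef PTXCONF_LIBCURL_SSL_CAPATH` and one of the two consecutive `+endif` lines dropped. The PTXCONF_* string values are substituted unquoted into `--with-ca-bundle=...` and `--with-ca-path=...`; if ptxdist does not already guarantee these strings contain no whitespace (not visible from the hunk), a path with a space would split the configure argument, so a `$(call ptx/...)` quoting helper or a sanity check may be worth considering. A short comment above the block, e.g. `# Default CA location compiled into libcurl; the certificate files themselves must be provided by another package`, would record the point raised in the thread for the next reader.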
-- 
1.9.1



* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
  2015-04-02 21:18 [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file Rüdiger, Christoph
@ 2015-04-09  8:58 ` Michael Olbrich
  2015-04-09 10:05   ` Rüdiger, Christoph
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Olbrich @ 2015-04-09  8:58 UTC (permalink / raw)
  To: ptxdist

On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote:
> [PATCH] libcurl: Added an option set to compile libcurl with optional
>  builtin CA certificate default directory or builtin CA certificate default
>  bundle file.
> 
> Signed-off-by: Christoph Ruediger <christoph.ruediger@thyssenkrupp.com>
> ---
>  rules/libcurl.in   | 27 +++++++++++++++++++++++++++
>  rules/libcurl.make | 21 ++++++++++++++++++---
>  2 files changed, 45 insertions(+), 3 deletions(-)
> 
> diff --git a/rules/libcurl.in b/rules/libcurl.in
> index 0ad7fb4..bdb0ad5 100644
> --- a/rules/libcurl.in
> +++ b/rules/libcurl.in
> @@ -41,6 +41,33 @@ config LIBCURL_FILE
>  config LIBCURL_SSL
>         bool "ssl"
>  
> +if LIBCURL_SSL
> +
> +choice
> +	prompt "Central CA certificate storage"
> +	
> +	config LIBCURL_SSL_NOCA
> +		bool "No CA storage"
> +
> +	config LIBCURL_SSL_CAPATH
> +		bool "CA directory"
> +
> +	config LIBCURL_SSL_CABUNDLE
> +		bool "CA bundle"
> +endchoice
> +
> +config LIBCURL_SSL_CAPATH_PATH
> +	string "CA directory path"
> +	depends on LIBCURL_SSL_CAPATH
> +	default "/etc/ssl/certs"
> +
> +config LIBCURL_SSL_CABUNDLE_PATH
> +	string "CA bundle path"
> +	depends on LIBCURL_SSL_CABUNDLE
> +	default "/etc/ssl/certs/ca-certificates.crt"

Any reason why these paths should be configurable?

And we need a package that provides those files, right?

Michael

> +
> +endif
> +
>  config LIBCURL_CRYPTO_AUTH
>         bool "cryptographic authentication"
>  
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 5babcb0..d6cb36c 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -62,8 +62,6 @@ LIBCURL_AUTOCONF := \
>  	--without-gssapi \
>  	--without-gnutls \
>  	--without-nss \
> -	--without-ca-bundle \
> -	--without-ca-path \
>  	--without-libidn \
>  	--without-axtls \
>  	--without-cyassl \
> @@ -78,8 +76,25 @@ LIBCURL_AUTOCONF := \
>  
>  ifdef PTXCONF_LIBCURL_SSL
>  LIBCURL_AUTOCONF += --with-ssl=$(SYSROOT)
> +ifdef PTXCONF_LIBCURL_SSL_CABUNDLE
> +LIBCURL_AUTOCONF += \
> +	--with-ca-bundle=$(PTXCONF_LIBCURL_SSL_CABUNDLE_PATH) \
> +	--without-ca-path
> +else
> +ifdef PTXCONF_LIBCURL_SSL_CAPATH
> +LIBCURL_AUTOCONF += \
> +	--with-ca-path=$(PTXCONF_LIBCURL_SSL_CAPATH_PATH) \
> +	--without-ca-bundle
>  else
> -LIBCURL_AUTOCONF += --without-ssl
> +LIBCURL_AUTOCONF += \
> +	--without-ca-bundle \
> +	--without-ca-path
> +endif
> +endif
> +else
> +LIBCURL_AUTOCONF += --without-ssl \
> +	--without-ca-bundle \
> +	--without-ca-path
>  endif
>  
>  # ----------------------------------------------------------------------------
> -- 
> 1.9.1
> 
> -- 
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
  2015-04-09  8:58 ` Michael Olbrich
@ 2015-04-09 10:05   ` Rüdiger, Christoph
  2015-04-09 15:27     ` Michael Olbrich
  0 siblings, 1 reply; 6+ messages in thread
From: Rüdiger, Christoph @ 2015-04-09 10:05 UTC (permalink / raw)
  To: ptxdist



> -----Original Message-----
> From: ptxdist-bounces@pengutronix.de [mailto:ptxdist-
> bounces@pengutronix.de] On Behalf Of Michael Olbrich
> Sent: Thursday, April 09, 2015 10:58 AM
> To: ptxdist@pengutronix.de
> Subject: Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl
> with optional builtin CA certificate default directory or builtin CA certificate
> default bundle file.
> 
> On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote:
> > [PATCH] libcurl: Added an option set to compile libcurl with optional
> > builtin CA certificate default directory or builtin CA certificate
> > default  bundle file.
> >
> > Signed-off-by: Christoph Ruediger
> > <christoph.ruediger@thyssenkrupp.com>
> > ---
> >  rules/libcurl.in   | 27 +++++++++++++++++++++++++++
> >  rules/libcurl.make | 21 ++++++++++++++++++---
> >  2 files changed, 45 insertions(+), 3 deletions(-)
> >
> > diff --git a/rules/libcurl.in b/rules/libcurl.in index
> > 0ad7fb4..bdb0ad5 100644
> > --- a/rules/libcurl.in
> > +++ b/rules/libcurl.in
> > @@ -41,6 +41,33 @@ config LIBCURL_FILE  config LIBCURL_SSL
> >         bool "ssl"
> >
> > +if LIBCURL_SSL
> > +
> > +choice
> > +	prompt "Central CA certificate storage"
> > +
> > +	config LIBCURL_SSL_NOCA
> > +		bool "No CA storage"
> > +
> > +	config LIBCURL_SSL_CAPATH
> > +		bool "CA directory"
> > +
> > +	config LIBCURL_SSL_CABUNDLE
> > +		bool "CA bundle"
> > +endchoice
> > +
> > +config LIBCURL_SSL_CAPATH_PATH
> > +	string "CA directory path"
> > +	depends on LIBCURL_SSL_CAPATH
> > +	default "/etc/ssl/certs"
> > +
> > +config LIBCURL_SSL_CABUNDLE_PATH
> > +	string "CA bundle path"
> > +	depends on LIBCURL_SSL_CABUNDLE
> > +	default "/etc/ssl/certs/ca-certificates.crt"
> 
> Any reason, why these paths should be configurable?

/etc/ssl/certs seems to be the most common path to store certificates in. However, we maintain RedHat servers here which use different paths by default. That's the reason why I made it configurable.

 
> And we need a package that provides those files, right?

In my opinion, such a package is nothing for the general ptxdist. It is highly project-dependent, at least in our company. We do not deploy a set of default CAs like you have it in the general purpose desktop or server distributions. For us it is very rare to have two projects with the same set of CA certificates.

Even if we add a certificates package, this should be more related to the openssl package itself than to the openssl user packages like curl.

Curl runs fine even if the default path (CA path or CA bundle) does not exist. It is just not finding proper certificates to validate SSL/TLS connections. This is the same behavior as today, where curl is configured to not look anywhere for matching certificates.


Best regards,
Christoph

-- 
Christoph Ruediger
Developer

ThyssenKrupp Elevator Innovation GmbH
PDC Neuhausen
TKEI Elevator Control
Bernhaeuser Straße 45
73765 Neuhausen, Germany

Phone +49 7158 12-2615
christoph.ruediger@thyssenkrupp.com

Company domicile: Essen      Commercial register: Essen HRB 20 839
Postal address: ThyssenKrupp Allee 1, 45143 Essen, Germany 
Executive Board: Gerhard Thumm, Katrin Huenger, Philippe Choleau




* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
  2015-04-09 10:05   ` Rüdiger, Christoph
@ 2015-04-09 15:27     ` Michael Olbrich
  2015-04-10 13:40       ` Bruno Thomsen
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Olbrich @ 2015-04-09 15:27 UTC (permalink / raw)
  To: ptxdist; +Cc: Bruno Thomsen

Added Bruno Thomsen to Cc. He had some patches about this as well.

On Thu, Apr 09, 2015 at 10:05:55AM +0000, Rüdiger, Christoph wrote:
> > On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote:
> > > [PATCH] libcurl: Added an option set to compile libcurl with optional
> > > builtin CA certificate default directory or builtin CA certificate
> > > default  bundle file.
> > >
> > > Signed-off-by: Christoph Ruediger
> > > <christoph.ruediger@thyssenkrupp.com>
> > > ---
> > >  rules/libcurl.in   | 27 +++++++++++++++++++++++++++
> > >  rules/libcurl.make | 21 ++++++++++++++++++---
> > >  2 files changed, 45 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/rules/libcurl.in b/rules/libcurl.in index
> > > 0ad7fb4..bdb0ad5 100644
> > > --- a/rules/libcurl.in
> > > +++ b/rules/libcurl.in
> > > @@ -41,6 +41,33 @@ config LIBCURL_FILE  config LIBCURL_SSL
> > >         bool "ssl"
> > >
> > > +if LIBCURL_SSL
> > > +
> > > +choice
> > > +	prompt "Central CA certificate storage"
> > > +
> > > +	config LIBCURL_SSL_NOCA
> > > +		bool "No CA storage"
> > > +
> > > +	config LIBCURL_SSL_CAPATH
> > > +		bool "CA directory"
> > > +
> > > +	config LIBCURL_SSL_CABUNDLE
> > > +		bool "CA bundle"
> > > +endchoice
> > > +
> > > +config LIBCURL_SSL_CAPATH_PATH
> > > +	string "CA directory path"
> > > +	depends on LIBCURL_SSL_CAPATH
> > > +	default "/etc/ssl/certs"
> > > +
> > > +config LIBCURL_SSL_CABUNDLE_PATH
> > > +	string "CA bundle path"
> > > +	depends on LIBCURL_SSL_CABUNDLE
> > > +	default "/etc/ssl/certs/ca-certificates.crt"
> > 
> > Any reason, why these paths should be configurable?
> 
> /etc/ssl/certs seems to be the most common path to store certificates in.
> However, we maintain RedHat servers here which use different paths by
> default. That's the reason why I made it configurable.

Ok.

> > And we need a package that provides those files, right?
> 
> In my opinion, such a package is nothing for the general ptxdist. It is
> highly project depending, at least in our company. We do not deploy a set of
> default CAs like you have it in the general purpose desktop or server
> distributions. For us it is very rare to have two projects with the same set
> of CA certificates.

> Even if we add a certificates package, this should be more related to the
> openssl package itself than to the openssl user packages like curl.
> 
> Curl runs fine even if the default path (CA path or CA bundle) does not
> exist. It is just not finding proper certificates to validate SSL/TLS
> connections. This is the same behavior as today, where curl is configured to
> not look anywhere for matching certificates.

To create a bundle we would need the script mk-ca-bundle.pl that comes with
curl, right?

Bruno, if I apply this patch here, you could change your host-certdata
package into a target package that installs the CA bundle itself. Would
that make sense to you?

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
  2015-04-09 15:27     ` Michael Olbrich
@ 2015-04-10 13:40       ` Bruno Thomsen
  2015-04-27  8:53         ` Michael Olbrich
  0 siblings, 1 reply; 6+ messages in thread
From: Bruno Thomsen @ 2015-04-10 13:40 UTC (permalink / raw)
  To: ptxdist; +Cc: Bruno Thomsen

> > > Any reason, why these paths should be configurable?
> > 
> > /etc/ssl/certs seems to be the most common path to store certificates in.
> > However, we maintain RedHat servers here which use different paths by 
> > default. That's the reason why I made it configurable.
>
> Ok.

I think it's okay to make it configurable.

Ubuntu uses /usr/share/ca-certificates/ so it seems to be very distribution specific.

> > > And we need a package that provides those files, right?
> > 
> > In my opinion, such a package is nothing for the general ptxdist. It 
> > is highly project depending, at least in our company. We do not deploy 
> > a set of default CAs like you have it in the general purpose desktop 
> > or server distributions. For us it is very rare to have two projects 
> > with the same set of CA certificates.

The CA/Browser Forum (CA/B) has adopted new guidelines that deprecate internal server names and reserved IP addresses [1].
After November 1, 2015 certificates for internal names will no longer be trusted.

In other words the public CAs like DigiCert, VeriSign, etc. must only issue certificates to public internet domains with FQDNs.

This will cause an increase of private CAs when devices/servers only communicate on closed networks without internet access.

Inclusion of private CA trust chains is IMHO out of ptxdist scope.

But it's a completely different question if ptxdist should have an option to include a public CA bundle.
There are many use-cases where communication over the internet is useful in embedded devices.
The most obvious is GSM/UMTS/LTE-connected devices, since setting up a customer-specific APN with a VPN between the server hosting and the telecommunication company is rather costly.
So the embedded device connects with a standard "internet" APN and gains NAT'ed internet access, where it can connect to an HTTPS or IPsec server that presents a publicly signed certificate. So the embedded device only needs to be programmed with the customer server FQDN and not a customer-specific private CA certificate that might not be known at the time of product ordering.

> > Even if we add a certificates package, this should be more related to 
> > the openssl package itself than to the openssl user packages like curl.
> > 
> > Curl runs fine even if the default path (CA path or CA bundle) does 
> > not exist. It is just not finding proper certificates to validate 
> > SSL/TLS connections. This is the same behavior as today, where curl is 
> > configured to not look anywhere for matching certificates.
>
> To create a bundle we would need the script mk-ca-bundle.pl that comes with curl, right?

Yes.

> Bruno, if I apply this patch here, you could change your host-certdata package into a target package that installs the CA bundle itself. Would that make sense to you?

Okay, so I change the host-certdata package to a public-ca-bundle target package in the network section that selects LIBCURL_SSL_CABUNDLE and run the mk-ca-bundle.pl script from curl and install the result into LIBCURL_SSL_CABUNDLE_PATH.

/Bruno

[1] https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf




* Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
  2015-04-10 13:40       ` Bruno Thomsen
@ 2015-04-27  8:53         ` Michael Olbrich
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Olbrich @ 2015-04-27  8:53 UTC (permalink / raw)
  To: ptxdist

On Fri, Apr 10, 2015 at 01:40:27PM +0000, Bruno Thomsen wrote:
> > To create a bundle we would need the script mk-ca-bundle.pl that comes with curl, right?
> 
> Yes.
> 
> > Bruno, if I apply this patch here, you could change your host-certdata package into a target package that installs the CA bundle itself. Would that make sense to you?
> 
> Okay, so I change the host-certdata package to a public-ca-bundle target
> package in the network section that selects LIBCURL_SSL_CABUNDLE and run the
> mk-ca-bundle.pl script from curl and install the result into
> LIBCURL_SSL_CABUNDLE_PATH.

So, I had my own use-case for this. I've now created a ca-certificates.
I've imported the script used by Debian to split the certdata.txt.

I've applied this patch and added an option to libcurl to explicitly use this.

Christoph: can you verify that I didn't break your use-case?
Bruno: I think this works for you as well?

I think we talked about the version for the certdata.txt file before. I
decided to use the latest commit hash from 'default' and use the date as
version to give some indication how old it is. This way, we can have the
latest version but keep it reproducible.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


