[LEDE-DEV] [PATCH] curl: Switch all TLS libraries to use ca-bundle.

Rosen Penev rosenp at gmail.com
Tue Feb 13 07:25:15 PST 2018


On Tue, Feb 13, 2018 at 4:28 AM, John Crispin <john at phrozen.org> wrote:
>
>
> On 25/01/18 04:29, Rosen Penev wrote:
>>
>> On Wed, Jan 24, 2018 at 1:56 PM, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>>>
>>> On 01/24/2018 05:28 AM, Rosen Penev wrote:
>>>>
>>>> At least one application (transmission) depends on CURL_CA_BUNDLE being
>>>> set in order to operate properly (Could not connect to tracker errors).
>>>> As far as I can tell, there's no real drawback to doing this for all
>>>> TLS libraries supported by curl.
>>>
>>> Do all of these libraries support --with-ca-bundle ?
>>>
>> OpenSSL I know does. GnuTLS most likely does as it seems to be geared
>> towards desktop systems.
>
>
> Hi,
>
> "most likely" is not good enough. Please compile/runtime test your patches
> for all possible combos before posting them.
>
I've fixed the transmission issue by setting the env parameter to the
proper value. Meaning this patch doesn't help in this case. It
probably does in others.

A quick Google search shows that it does indeed work with GnuTLS.
Maybe it didn't with some previous version.
>     John
>
>>>> Signed-off-by: Rosen Penev <rosenp at gmail.com>
>>>> ---
>>>>   package/network/utils/curl/Makefile | 10 ++++++----
>>>>   1 file changed, 6 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/package/network/utils/curl/Makefile
>>>> b/package/network/utils/curl/Makefile
>>>> index 17fcf70..930bd10 100644
>>>> --- a/package/network/utils/curl/Makefile
>>>> +++ b/package/network/utils/curl/Makefile
>>>> @@ -111,13 +111,15 @@ CONFIGURE_ARGS += \
>>>>        --without-nss \
>>>>        --without-libmetalink \
>>>>        --without-librtmp \
>>>> +     --without-ca-path \
>>>> +     --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
>>>>        \
>>>>        $(call autoconf_bool,CONFIG_IPV6,ipv6) \
>>>>        \
>>>> -     $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr"
>>>> --without-ca-path
>>>> --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-cyassl) \
>>>> -     $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr"
>>>> --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-gnutls) \
>>>> -     $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr"
>>>> --without-ca-bundle --with-ca-path=/etc/ssl/certs,--without-ssl) \
>>>> -     $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr"
>>>> --without-ca-path
>>>> --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt,--without-mbedtls) \
>>>> +     $(if
>>>> $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl)
>>>> \
>>>> +     $(if
>>>> $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls)
>>>> \
>>>> +     $(if
>>>> $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \
>>>> +     $(if
>>>> $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls)
>>>> \
>>>>        \
>>>>        $(if
>>>> $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn)
>>>> \
>>>>        $(if
>>>> $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2)
>>>> \
>>>>
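Review bot: The new unconditional `--without-ca-path` and `--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt` lines replace the `--with-ca-path=/etc/ssl/certs` default that the OpenSSL and GnuTLS builds had, so an image that carries only the certificate directory and not the single bundle file would leave those builds without a usable default trust store. Either make the package depend on whatever installs /etc/ssl/certs/ca-certificates.crt or state in the commit message that the file is required. The two flags are also now passed when none of the four TLS options is selected, and the commit message does not say which backends were build- and run-tested with them; listing the tested combinations there would answer the question raised in the thread.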