--- Begin Message ---
Subject: CMake’s “ctest” doesn’t know about X.509 certificates
Date: Tue, 10 Sep 2019 17:37:43 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello,

The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, nor does
it look at /etc/ssl/certs.

The culprit is this function:

--8<---------------cut here---------------start------------->8---
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
  std::string e;
  if (cafile && *cafile) {
    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#ifdef CMAKE_FIND_CAFILE
# define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
  else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
    ::CURLcode res =
      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
# undef CMAKE_CAFILE_FEDORA
  else {
# define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
    if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
    }
# undef CMAKE_CAFILE_COMMON
# define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
    if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
    }
# undef CMAKE_CAPATH_COMMON
  }
#endif
  return e;
}
--8<---------------cut here---------------end--------------->8---
The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:
--8<---------------cut here---------------start------------->8---
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) && \
    !defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
# define CMAKE_FIND_CAFILE
# include "cmSystemTools.h"
#endif
--8<---------------cut here---------------end--------------->8---
Thus it doesn’t look for certificates *at all*, and eventually fails
with:
--8<---------------cut here---------------start------------->8---
Error when uploading file: …
Error message was: server certificate verification failed. CAfile: none
CRLfile: none
Problems when submitting via HTTP
Errors while running CTest
--8<---------------cut here---------------end--------------->8---

For now I propose to provide a patched ‘cmake’ package that does the
right thing.

On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic).

Ludo’.
--- End Message ---
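
Added example, not part of the thread, not CMake's code and not the patch later pushed to Guix: a sketch of the lookup order the first message finds missing, with the environment consulted before the hard-coded paths of the quoted function. The helper names are hypothetical, and the choice of SSL_CERT_FILE and SSL_CERT_DIR (the variables OpenSSL honours) is an assumption, since the thread does not say which variables to read.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/stat.h>

// cafile is meant for CURLOPT_CAINFO, capath for CURLOPT_CAPATH.
struct CaLocation {
  std::string cafile;
  std::string capath;
};

// True if the path exists and has the given type (S_IFREG or S_IFDIR).
static bool pathIs(const std::string& p, mode_t type) {
  struct stat st;
  return !p.empty() && ::stat(p.c_str(), &st) == 0 &&
         (st.st_mode & S_IFMT) == type;
}

static std::string envOrEmpty(const char* name) {
  const char* v = std::getenv(name);
  return v ? std::string(v) : std::string();
}

// Hypothetical helper (not a CMake function). Precedence: explicit setting,
// then SSL_CERT_FILE / SSL_CERT_DIR, then the paths from the quoted code.
CaLocation resolveCaLocation(const char* explicitCafile) {
  CaLocation out;
  if (explicitCafile && *explicitCafile) {
    out.cafile = explicitCafile; // passed through unchecked, as in the original
    return out;
  }
  const std::string envFile = envOrEmpty("SSL_CERT_FILE");
  const std::string envDir = envOrEmpty("SSL_CERT_DIR");
  if (pathIs(envFile, S_IFREG)) out.cafile = envFile;
  if (pathIs(envDir, S_IFDIR)) out.capath = envDir;
  if (!out.cafile.empty() || !out.capath.empty()) return out;
  if (pathIs("/etc/pki/tls/certs/ca-bundle.crt", S_IFREG)) {
    out.cafile = "/etc/pki/tls/certs/ca-bundle.crt";
    return out;
  }
  if (pathIs("/etc/ssl/certs/ca-certificates.crt", S_IFREG))
    out.cafile = "/etc/ssl/certs/ca-certificates.crt";
  if (pathIs("/etc/ssl/certs", S_IFDIR)) out.capath = "/etc/ssl/certs";
  return out;
}

int main() {
  const CaLocation ca = resolveCaLocation(nullptr);
  std::cout << "CAINFO=" << ca.cafile << " CAPATH=" << ca.capath << "\n";
}
```

If both fields come back empty, the caller should report that no trust store was found rather than relax verification.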
--- Begin Message ---
Subject: Re: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
Date: Wed, 11 Sep 2019 00:13:24 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello,

Tobias Geerinckx-Rice <address@hidden> wrote:

> Ricardo Wurmus wrote:
>> This is the correct way, in my opinion. The user of libcurl is supposed
>> to handle environment variable lookup.
>
> I'm aware of this, but it seems like some users don't do this.

I’ve pushed this as 489d16577e4a6ccc30f3719d9263900089edd842.

We can revisit the libcurl issue later on (as we regularly do :-)).

Thanks for your feedback,
Ludo’.
--- End Message ---