GNU bug report logs - #25240
libcurl does not honor SSL_CERT_DIR et al.

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Hank Donnay <hdonnay@HIDDEN>; dated Tue, 20 Dec 2016 22:36:01 UTC; Maintainer for guix is bug-guix@HIDDEN.
Changed bug title to 'libcurl does not honor SSL_CERT_DIR et al.' from 'weechat-1.6: curl error 60' Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at 25240 <at> debbugs.gnu.org:


From: ludo@HIDDEN (Ludovic Courtès)
To: Hank Donnay <hdonnay@HIDDEN>
Subject: Re: bug#25240: weechat-1.6: curl error 60
References: <CAD4UWki6-7LWxP7tZruwi_ub6rew7uN0kss39-tUJrKyfsasSg@HIDDEN>
Date: Wed, 25 Jan 2017 12:10:01 +0100
In-Reply-To: <CAD4UWki6-7LWxP7tZruwi_ub6rew7uN0kss39-tUJrKyfsasSg@HIDDEN>
 (Hank Donnay's message of "Tue, 20 Dec 2016 17:08:32 -0500")
Message-ID: <87o9yv1jli.fsf@HIDDEN>
Cc: 25240 <at> debbugs.gnu.org

Hello,

Hank Donnay <hdonnay@HIDDEN> writes:

> Weechat seems to be unable to do HTTPS, and fails with "curl error 60".
> Setting SSL_CERT_{DIR,FILE} doesn't make a difference. The actual error is:
>
>     script: error downloading list of scripts: curl error 60 (server
> certificate verification failed. CAfile: none CRLfile: none) (URL: "
> https://weechat.org/files/plugins.xml.gz")
>
> I have nss-certs installed, and the files pointed to
> ($GUIX_PROFILE/etc/ssl/certs and
> $GUIX_PROFILE/etc/ssl/certs/ca-certificates.crt) both exist.
>
> Any pointers on where to look to fix this would be appreciated.

Weechat uses libcurl, which uses GnuTLS and does not honor
‘SSL_CERT_DIR’, ‘SSL_CERT_FILE’, and ‘CURL_CA_BUNDLE’.

Instead, GnuTLS defaults to looking for certificates in /etc/ssl/certs,
and it is up to the application to search for certificates in additional
places.

This has been discussed at
<https://lists.gnu.org/archive/html/guix-devel/2017-01/msg00516.html>
but there’s no good solution yet.

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#25240; Package guix. Full text available.
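
Added example, not code from WeeChat, curl or Guix: one way an application can do the certificate lookup itself, as the reply above says it must, by resolving SSL_CERT_FILE / SSL_CERT_DIR and handing the result to libcurl through CURLOPT_CAINFO / CURLOPT_CAPATH. The names resolve_ca, apply_ca and the WITH_LIBCURL build macro are hypothetical, and SSL_CERT_DIR is assumed to hold a single directory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#ifdef WITH_LIBCURL   /* hypothetical build macro: define it and link -lcurl */
#include <curl/curl.h>
#endif

enum ca_kind { CA_NONE, CA_FILE, CA_DIR };

/* True when path exists and is a directory (want_dir) or a regular file. */
static int exists_as(const char *path, int want_dir)
{
    struct stat st;
    if (!path || !*path || stat(path, &st) != 0)
        return 0;
    return want_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode);
}

/* Resolve trust anchors from the environment: SSL_CERT_FILE wins if it is a
 * regular file, then SSL_CERT_DIR if it is a directory (assumed single path).
 * CA_NONE means "leave the TLS backend's default store in place". */
enum ca_kind resolve_ca(const char **path_out)
{
    const char *file = getenv("SSL_CERT_FILE");
    const char *dir = getenv("SSL_CERT_DIR");
    *path_out = NULL;
    if (exists_as(file, 0)) { *path_out = file; return CA_FILE; }
    if (exists_as(dir, 1))  { *path_out = dir;  return CA_DIR; }
    return CA_NONE;
}

#ifdef WITH_LIBCURL
/* Point an easy handle at the resolved store. Peer verification stays
 * enabled; only the set of trusted CAs changes. */
CURLcode apply_ca(CURL *handle)
{
    const char *path;
    switch (resolve_ca(&path)) {
    case CA_FILE: return curl_easy_setopt(handle, CURLOPT_CAINFO, path);
    case CA_DIR:  return curl_easy_setopt(handle, CURLOPT_CAPATH, path);
    default:      return CURLE_OK;
    }
}
#endif

int main(void)
{
    const char *path;
    enum ca_kind kind = resolve_ca(&path);
    printf("%s %s\n", kind == CA_FILE ? "CAfile:" : kind == CA_DIR ? "CApath:" : "default store", path ? path : "");
    return 0;
}
```

Because a missing or mistyped path resolves to CA_NONE rather than to an empty trust store, a bad environment variable falls back to the backend default and never disables verification.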

Message received at submit <at> debbugs.gnu.org:


From: Hank Donnay <hdonnay@HIDDEN>
Date: Tue, 20 Dec 2016 17:08:32 -0500
Message-ID: <CAD4UWki6-7LWxP7tZruwi_ub6rew7uN0kss39-tUJrKyfsasSg@HIDDEN>
Subject: weechat-1.6: curl error 60
To: bug-guix@HIDDEN

Weechat seems to be unable to do HTTPS, and fails with "curl error 60".
Setting SSL_CERT_{DIR,FILE} doesn't make a difference. The actual error is:

    script: error downloading list of scripts: curl error 60 (server
certificate verification failed. CAfile: none CRLfile: none) (URL: "
https://weechat.org/files/plugins.xml.gz")

I have nss-certs installed, and the files pointed to
($GUIX_PROFILE/etc/ssl/certs and
$GUIX_PROFILE/etc/ssl/certs/ca-certificates.crt) both exist.

Any pointers on where to look to fix this would be appreciated.





Acknowledgement sent to Hank Donnay <hdonnay@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#25240; Package guix. Full text available.
Last modified: Wed, 25 Jan 2017 11:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.