GNU bug report logs - #38873
[PATCH] gnu: curl: Make libcurl respect SSL_CERT_{DIR,FILE}

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix-patches; Reported by: Jakub Kądziołka <kuba@HIDDEN>; Keywords: patch; dated Thu, 2 Jan 2020 17:19:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 38873 <at> debbugs.gnu.org:


Date: Tue, 14 Jan 2020 17:59:21 +0100
From: Jakub Kądziołka <kuba@HIDDEN>
To: 38873 <at> debbugs.gnu.org
Subject: [PATCH v2 core-updates] curl: Make libcurl respect SSL_CERT_DIR,
 SSL_CERT_FILE
Message-ID: <20200114165921.epqysoaydxxqm5ye@HIDDEN>

* gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.
* gnu/packages/curl.scm (curl)[source]: Use the patch.
  [native-search-paths]: Add the new variables.
---
 gnu/packages/curl.scm                         | 20 ++++--
 .../patches/cmake-curl-certificates.patch     |  2 +
 .../kodi-set-libcurl-ssl-parameters.patch     |  2 +
 .../patches/libcurl-use-ssl-cert-env.patch    | 64 +++++++++++++++++++
 4 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/libcurl-use-ssl-cert-env.patch

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index ee1cca449b..074ae32fb5 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@HIDDEN>
 ;;; Copyright © 2018 Roel Janssen <roel@HIDDEN>
 ;;; Copyright © 2019 Ricardo Wurmus <rekado@HIDDEN>
+;;; Copyright © 2020 Jakub Kądziołka <kuba@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -57,7 +58,8 @@
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0nh3j90w6b97wqcgxjfq55qhkz9s38955fbhwzv2fsi7483j895p"))))
+              "0nh3j90w6b97wqcgxjfq55qhkz9s38955fbhwzv2fsi7483j895p"))
+            (patches (search-patches "libcurl-use-ssl-cert-env.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -74,10 +76,20 @@
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)))
    (native-search-paths
-    ;; Note: This search path is respected by the `curl` command-line tool only.
-    ;; Ideally we would bake this into libcurl itself so other users can benefit,
-    ;; but it's not supported upstream due to thread safety concerns.
+    ;; Introduced by libcurl-use-ssl-cert-env.patch
     (list (search-path-specification
+           (variable "SSL_CERT_DIR")
+           (separator #f)                        ;single entry
+           (files '("etc/ssl/certs")))
+          (search-path-specification
+           (variable "SSL_CERT_FILE")
+           (file-type 'regular)
+           (separator #f)                        ;single entry
+           (files '("etc/ssl/certs/ca-certificates.crt")))
+    ;; Note: This search path is respected by the `curl` command-line tool only.
+    ;; Patching libcurl to read it too would bring no advantages and require
+    ;; maintaining a more complex patch.
+          (search-path-specification
            (variable "CURL_CA_BUNDLE")
            (file-type 'regular)
            (separator #f)                         ;single entry
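
Review bot: The comment `;; Introduced by libcurl-use-ssl-cert-env.patch` sits above `(list`, so it reads as covering all three search-path-specification entries, although the CURL_CA_BUNDLE entry is, per the second comment, still honoured by the `curl` command-line tool only. Move it directly above the SSL_CERT_DIR entry, and indent the CURL_CA_BUNDLE comment to the column of the list elements it sits between so the two comments are clearly attached to the entries they describe.
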
diff --git a/gnu/packages/patches/cmake-curl-certificates.patch b/gnu/packages/patches/cmake-curl-certificates.patch
index 7fe2615271..e8cda5bd96 100644
--- a/gnu/packages/patches/cmake-curl-certificates.patch
+++ b/gnu/packages/patches/cmake-curl-certificates.patch
@@ -4,6 +4,8 @@ at all: <https://issues.guix.gnu.org/issue/37371>.
 This changes CMake such that commands honor SSL_CERT_FILE and SSL_CERT_DIR
 as well as /etc/ssl/certs.
 
+FIXME: This shouldn't be necessary anymore, see libcurl-use-ssl-cert-env.patch
+
 --- cmake-3.13.1/Source/cmCurl.cxx	2019-09-10 17:27:36.926907260 +0200
 +++ cmake-3.13.1/Source/cmCurl.cxx	2019-09-10 17:52:35.475903919 +0200
 @@ -2,11 +2,8 @@
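
Review bot: The added `FIXME: This shouldn't be necessary anymore` leaves the workaround in place with nothing that tracks its removal, and the same line is added to kodi-set-libcurl-ssl-parameters.patch in the next file. Either drop both workarounds in a follow-up commit of this series once cmake and kodi have been checked against the patched libcurl, or have the FIXME name bug#38873 so the reason can be found later. Until then the CA locations are set from SSL_CERT_FILE and SSL_CERT_DIR in two places for these packages.
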
diff --git a/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch b/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch
index 2f60737e30..98bff50712 100644
--- a/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch
+++ b/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch
@@ -1,6 +1,8 @@
 Kodi doesn't set the CAPATH and CAINFO parameters for libcurl. To make HTTPS
 connections work we can set them based on SSL_CERT_DIR and SSL_CERT_FILE.
 
+FIXME: This shouldn't be necessary anymore, see libcurl-use-ssl-cert-env.patch
+
 --- a/xbmc/filesystem/CurlFile.cpp
 +++ b/xbmc/filesystem/CurlFile.cpp
 @@ -626,5 +626,9 @@
diff --git a/gnu/packages/patches/libcurl-use-ssl-cert-env.patch b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..c8e80b4445
--- /dev/null
+++ b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
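
Review bot: In the lib/easy.c cleanup region, `free(Curl_ssl_cert_dir);` and `free(Curl_ssl_cert_file);` leave both globals pointing at freed memory, while the lib/url.c region relies on a non-NULL test to decide whether to copy the string; set both to NULL after freeing. The two `curl_getenv` calls also run before `if(!Curl_ssl_init())`, so the `return CURLE_FAILED_INIT` path keeps the allocated strings; free them on that path or fetch the variables after the SSL backend has initialised. Since the values become the default CAPATH and CAFILE of every handle, including the `_PROXY` variants, the patch description should state that any process linking libcurl now takes its default trust anchors from the environment, which matters for programs that run with elevated privileges.
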
-- 
2.24.1





Information forwarded to guix-patches@HIDDEN:
bug#38873; Package guix-patches. Full text available.

Message received at 38873 <at> debbugs.gnu.org:


From: Marius Bakke <mbakke@HIDDEN>
To: Jakub Kądziołka <kuba@HIDDEN>,
 38873 <at> debbugs.gnu.org
Subject: Re: [bug#38873] [PATCH] gnu: curl: Make libcurl respect SSL_CERT_{DIR, FILE}
In-Reply-To: <20200102171826.v4j3d35ocx7tvp2j@HIDDEN>
References: <20200102171826.v4j3d35ocx7tvp2j@HIDDEN>
User-Agent: Notmuch/0.29.3 (https://notmuchmail.org) Emacs/26.3
 (x86_64-pc-linux-gnu)
Date: Mon, 13 Jan 2020 23:57:28 +0100
Message-ID: <871rs3vuav.fsf@HIDDEN>

Jakub Kądziołka <kuba@HIDDEN> writes:

> * gnu/packages/curl.scm (curl-7.66.0): Use patch.
> * gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.
>
> This fixes the SSL errors occurring when trying to use rust:cargo's
> download functionality.
>
> As an additional advantage, this will probably allow removing some
> package-specific work-arounds that have already been made. I have
> found such work-arounds in cmake and kodi, but am not familiar enough
> with either to confidently remove them.

Thanks!  We should probably adjust the (native-search-paths ...) field
of cURL to account for these new variables too.  Can you also rebase it
on 'core-updates'?

From reading the upstream discussion, there do not seem to be any
inherent problems with the patch.  So, LGTM.  Are you willing to
maintain it when it inevitably requires porting to newer versions?  :-)






Message received at 38873 <at> debbugs.gnu.org:


Date: Sun, 12 Jan 2020 17:32:47 +0100
From: Jakub Kądziołka <kuba@HIDDEN>
To: 38873 <at> debbugs.gnu.org
Subject: Patch submitted upstream
Message-ID: <20200112163247.vu7gkehob3cpcql3@HIDDEN>

For reference: I have submitted this patch to curl itself; it seems that
they find this unnecessary to have upstream:
https://github.com/curl/curl/pull/4809





Message received at submit <at> debbugs.gnu.org:


Date: Thu, 2 Jan 2020 18:18:26 +0100
From: Jakub Kądziołka <kuba@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] gnu: curl: Make libcurl respect SSL_CERT_{DIR,FILE}
Message-ID: <20200102171826.v4j3d35ocx7tvp2j@HIDDEN>

* gnu/packages/curl.scm (curl-7.66.0): Use patch.
* gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.

This fixes the SSL errors occurring when trying to use rust:cargo's
download functionality.

As an additional advantage, this will probably allow removing some
package-specific work-arounds that have already been made. I have
found such work-arounds in cmake and kodi, but am not familiar enough
with either to confidently remove them.
---
 gnu/packages/curl.scm                         |  4 +-
 .../patches/libcurl-use-ssl-cert-env.patch    | 61 +++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libcurl-use-ssl-cert-env.patch

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index aa5d24c401..c5cd88ec2e 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@HIDDEN>
 ;;; Copyright © 2018 Roel Janssen <roel@HIDDEN>
 ;;; Copyright © 2019 Ricardo Wurmus <rekado@HIDDEN>
+;;; Copyright © 2020 Jakub Kądziołka <kuba@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -153,7 +154,8 @@ tunneling, and so on.")
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1hcqxpibhknhjy56wcxz5vd6m9ggx3ykwp3wp5wx05ih36481d6v"))))))
+                "1hcqxpibhknhjy56wcxz5vd6m9ggx3ykwp3wp5wx05ih36481d6v"))
+              (patches (search-patches "libcurl-use-ssl-cert-env.patch"))))))
 
 (define-public kurly
   (package
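
Review bot: The `(patches (search-patches "libcurl-use-ssl-cert-env.patch"))` line is added to the curl-7.66.0 variant only, as the commit message says, and the diff does not touch `native-search-paths`. Packages built against the default curl therefore do not get the new behaviour, and nothing declares SSL_CERT_DIR or SSL_CERT_FILE as search paths for the patched library. Apply the patch to the main curl package on the appropriate branch and add search-path specifications for both variables in the same commit.
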
diff --git a/gnu/packages/patches/libcurl-use-ssl-cert-env.patch b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..a68e64adc1
--- /dev/null
+++ b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
@@ -0,0 +1,61 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
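
Review bot: In the lib/url.c region, `if(result = Curl_setstropt(...))` assigns inside the condition without extra parentheses, which draws compiler warnings and is easy to misread as a comparison; assign first and then test `if(result)`, as the context lines just above already do. The `extern char * Curl_ssl_cert_dir;` and `extern char * Curl_ssl_cert_file;` declarations are placed inside the function, after the statements that precede them in the block; declare the two globals once in an internal header included by both easy.c and url.c so the definition and its users cannot drift apart.
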
-- 
2.24.1





Acknowledgement sent to Jakub Kądziołka <kuba@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#38873; Package guix-patches. Full text available.
Last modified: Tue, 14 Jan 2020 17:00:01 UTC
