maemo.org Bugzilla – Bug 9884
libcurl doesn't use the system ca-certificates bundle
Last modified: 2012-01-21 16:04:52 UTC
SOFTWARE VERSION:
Maemo 5 Version: 1.2009.42-11.002

EXACT STEPS LEADING TO PROBLEM:
Compile the following source using g++ -o curltest -lcurl curltest.cpp

--- curltest.cpp ---
#include <stdio.h>
#include <curl/curl.h>
#include <curl/easy.h>
#include <curl/types.h>

int main(int argc, char** argv)
{
  CURL* curl = curl_easy_init();
  if (!curl) {
    fprintf(stderr,"Error in curl_easy_init\n");
    return 1;
  }
  const char* url = "https://crash-reports.mozilla.com/submit";
  curl_easy_setopt(curl, CURLOPT_URL, url);
  CURLcode err = curl_easy_perform(curl);
  if (err != CURLE_OK) {
    fprintf(stderr, "Failed: %s\n", curl_easy_strerror(err));
  }
  else {
    long response;
    curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &response);
    printf("Got HTTP %ld\n", response);
  }
  curl_easy_cleanup(curl);
  return 0;
}
---

execute ./curltest on an N900

EXPECTED OUTCOME:
Got HTTP 302

ACTUAL OUTCOME:
Failed: Problem with the SSL CA cert (path? access rights?)

REPRODUCIBILITY:
always

OTHER COMMENTS:
This was previously filed as bug 3003, in which it was stated that Diablo did not officially support libcurl. I've heard that this may be different in Fremantle. Is this still unsupported? If it's supported, it should have a usable set of CA certificates.
This was a problem for us as Mozilla's crash reporter uses libcurl to submit reports: https://bugzilla.mozilla.org/show_bug.cgi?id=557113
Thanks for the report, confirmed also on 3.2010.02-8 (and this time libcurl3 is part of the official distribution, depended on by mp-fremantle-generic-pr).

Having said that, I don't think the right solution is to ship another ca bundle (cf <http://curl.haxx.se/docs/faq.html#Why_don_t_you_update_ca_bundle_c>). Rather libcurl should use the existing one by default. An appropriate --with-ca-path configure option might do the trick (not tested).

In the meantime, bug 9355 is related. The workaround described there doesn't seem to help (even though the Maemo libcurl is configured to use openssl), but adding:

  curl_easy_setopt(curl, CURLOPT_CAPATH, "/etc/certs/common-ca:/home/user/.maemosec-certs/ssl-ca");

to the test case does:

~ $ /tmp/curltest2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://crash-stats.mozilla.com">here</a>.</p>
</body></html>
Got HTTP 302
Thanks, that workaround does work, but we're supporting the N810 as well, and it won't work there. I think we're just going to ship a PEM copy of our own cert bundle to point libcurl at.
(In reply to comment #3)
> Thanks, that workaround does work, but we're supporting the N810 as well, and
> it won't work there.

True, the Diablo certificate store is even messier (the CA certs are stored in a berkeley DB file, <http://maemo.org/maemo_release_documentation/maemo4.1.x/node8.html#SECTION008120000000000000000> has the details) so getting libcurl to use it seems like a lost cause.

Continuing support for Diablo is very much appreciated btw, thanks!