Bug 9884 - (int-163975) libcurl doesn't use the system ca-certificates bundle
Status: NEW
Product: Connectivity
UPnP
: 5.0/(3.2010.02-8)
: All Maemo
: Unspecified normal with 1 vote (vote)
Assigned To: unassigned
: connectivity-upnp-bugs
: security
Reported: 2010-04-09 21:10 UTC by Ted Mielczarek
Modified: 2012-01-21 16:04 UTC (History)

Description Ted Mielczarek (reporter) 2010-04-09 21:10:10 UTC
SOFTWARE VERSION:
Maemo 5
Version: 1.2009.42-11.002

EXACT STEPS LEADING TO PROBLEM: 
Compile the following source using g++ -o curltest -lcurl curltest.cpp
--- curltest.cpp ---
#include <stdio.h>
#include <curl/curl.h>
#include <curl/easy.h>
#include <curl/types.h>

int main(int argc, char** argv)
{
  CURL* curl = curl_easy_init();
  if (!curl) {
    fprintf(stderr,"Error in curl_easy_init\n");
    return 1;
  }
  const char* url = "https://crash-reports.mozilla.com/submit";
  curl_easy_setopt(curl, CURLOPT_URL, url);
  CURLcode err = curl_easy_perform(curl);
  if (err != CURLE_OK) {
    fprintf(stderr, "Failed: %s\n", curl_easy_strerror(err));
  }
  else {
    long response;
    curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &response);
    printf("Got HTTP %ld\n", response);
  }
  curl_easy_cleanup(curl);
  return 0;
}
---
execute ./curltest on an N900

EXPECTED OUTCOME:
Got HTTP 302

ACTUAL OUTCOME:
Failed: Problem with the SSL CA cert (path? access rights?)

REPRODUCIBILITY:
always

OTHER COMMENTS:
This was previously filed as bug 3003, in which it was stated that Diablo did
not officially support libcurl. I've heard that this may be different in
Fremantle. Is this still unsupported? If it's supported, it should have a
usable set of CA certificates.

Comment 1 Ted Mielczarek (reporter) 2010-04-09 21:11:58 UTC
This was a problem for us as Mozilla's crash reporter uses libcurl to submit
reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=557113

Comment 2 Lucas Maneos 2010-04-09 22:04:29 UTC
Thanks for the report, confirmed also on 3.2010.02-8 (and this time libcurl3 is
part of the official distribution, depended on by mp-fremantle-generic-pr).

Having said that, I don't think the right solution is to ship another CA bundle
(cf. <http://curl.haxx.se/docs/faq.html#Why_don_t_you_update_ca_bundle_c>).
Rather, libcurl should use the existing one by default.  An appropriate
--with-ca-path configure option might do the trick (not tested).

In the meantime, bug 9355 is related.  The workaround described there doesn't
seem to help (even though the Maemo libcurl is configured to use OpenSSL), but
adding:

  curl_easy_setopt(curl, CURLOPT_CAPATH,
                   "/etc/certs/common-ca:/home/user/.maemosec-certs/ssl-ca");

to the test case does:

~ $ /tmp/curltest2                        
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="http://crash-stats.mozilla.com">here</a>.</p>
</body></html>
Got HTTP 302

Comment 3 Ted Mielczarek (reporter) 2010-04-09 23:54:50 UTC
Thanks, that workaround does work, but we're supporting the N810 as well, and
it won't work there. I think we're just going to ship a PEM copy of our own
cert bundle to point libcurl at.

Comment 4 Lucas Maneos 2010-04-10 11:40:00 UTC
(In reply to comment #3)
> Thanks, that workaround does work, but we're supporting the N810 as well, and
> it won't work there.

True, the Diablo certificate store is even messier (the CA certs are stored in
a Berkeley DB file;
<http://maemo.org/maemo_release_documentation/maemo4.1.x/node8.html#SECTION008120000000000000000>
has the details), so getting libcurl to use it seems like a lost cause.

Continuing support for Diablo is very much appreciated btw, thanks!
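
Added example, not part of the bug thread and not Mozilla or Maemo code: one way to combine the CURLOPT_CAPATH workaround from comment 2 with the shipped-PEM fallback from comment 3 is to choose the trust store at run time and fail closed when neither exists. The helper `select_ca_store`, the `ca_choice` struct and the bundle path `/opt/myapp/ca-bundle.pem` are assumptions; the two directories are the ones quoted in comment 2.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct ca_choice {
  int use_capath;   /* 1: value is for CURLOPT_CAPATH, 0: for CURLOPT_CAINFO */
  char value[512];
};
/* Hypothetical helper: returns 0 and fills *out, or -1 if nothing is usable. */
int select_ca_store(const char *const dirs[], size_t ndirs,
                    const char *bundle_pem, struct ca_choice *out)
{
  struct stat st;
  size_t used = 0;
  for (size_t i = 0; i < ndirs; i++) {
    /* Keep only directories that exist and that this process can read. */
    if (stat(dirs[i], &st) != 0 || !S_ISDIR(st.st_mode) ||
        access(dirs[i], R_OK | X_OK) != 0)
      continue;
    size_t len = strlen(dirs[i]);
    if (used + len + 2 > sizeof out->value)
      return -1;                          /* never pass on a truncated path */
    if (used) out->value[used++] = ':';   /* colon-joined, as in comment 2 */
    memcpy(out->value + used, dirs[i], len + 1);
    used += len;
  }
  out->use_capath = used > 0;
  if (used) return 0;
  /* No system store (the Diablo case): use the PEM file shipped with the app. */
  if (bundle_pem && strlen(bundle_pem) < sizeof out->value &&
      stat(bundle_pem, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0 &&
      access(bundle_pem, R_OK) == 0) {
    strcpy(out->value, bundle_pem);
    return 0;
  }
  return -1;  /* fail closed: do not switch off CURLOPT_SSL_VERIFYPEER instead */
}

int main(void)
{
  const char *const dirs[] = { "/etc/certs/common-ca",
                               "/home/user/.maemosec-certs/ssl-ca" };
  struct ca_choice c;
  if (select_ca_store(dirs, 2, "/opt/myapp/ca-bundle.pem", &c) != 0)
    return 1;  /* no usable CA store: refuse to connect (bundle path is assumed) */
  /* libcurl: curl_easy_setopt(curl, c.use_capath ? CURLOPT_CAPATH : CURLOPT_CAINFO, c.value); */
  printf("%s=%s\n", c.use_capath ? "CURLOPT_CAPATH" : "CURLOPT_CAINFO", c.value);
  return 0;
}
```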