feh does encounter certificate errors with valid certificates

Details
4 participants
  • Ludovic Courtès
  • Marius Bakke
  • ng0
  • Ricardo Wurmus
Owner
unassigned
Submitted by
ng0
Severity
normal
(address . bug-guix@gnu.org)
20171022203339.qomgp4xm2rqh4zwe@abyayala
feh opens image

Problem:
user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
feh WARNING: https://i.imgur.com/263enxT.jpg- File does not exist
feh: No loadable images specified.
See 'man feh' for detailed usage information

nss etc. are in my profile; no problem with other curl-based applications.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://www.infotropique.org
https://ng0.infotropique.org


Marius Bakke wrote on 29 Oct 2017 13:27
Re: bug#28948: feh does encounter certificate errors with valid certificates
871slm5eby.fsf@fastmail.com
ng0 <ng0@infotropique.org> writes:

> feh opens image
>
> Problem:
> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
> feh: No loadable images specified.
> See 'man feh' for detailed usage information

This is the same issue with libcurl as has been discussed many times in
the past. Since it won't be fixed upstream any time soon (support for
CURL_CA_BUNDLE has been removed also for Windows), I suggest we "bite
the bullet" this time and add a hard-coded default.

I've verified that this patch works (on GuixSD):
From 2ae03883c2526965f1a93cf5c691c41f02dc14b4 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Fri, 9 Jun 2017 16:45:38 +0200
Subject: [PATCH] gnu: curl: Look up SSL certificates in /etc/ssl/certs by
default.

* gnu/packages/curl.scm (curl)[arguments]<#:configure-flags>: Add '--with-ca-path'.
<#:phases>: Delete test that tries to use it.
---
gnu/packages/curl.scm | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 2e4a48d1e..7248a6d40 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -67,7 +67,14 @@
("pkg-config" ,pkg-config)
("python" ,python-2)))
(arguments
- `(#:configure-flags '("--with-gnutls" "--with-gssapi")
+ `(#:configure-flags '("--with-gnutls" "--with-gssapi"
+ ;; Hard-code a default CA certificate path so that
+ ;; most things work "out of the box", at least on
+ ;; GuixSD and Debian-based distributions.
+ ;; libcurl does not support overriding this at runtime
+ ;; except through the API, and it's impractical to
+ ;; patch every application to respect CURL_CA_BUNDLE.
+ "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt")
;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
#:phases
(modify-phases %standard-phases
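Review bot: the commit message says the change adds '--with-ca-path', but the flag added in this hunk is "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"; bring the two in line, since a CA path (directory) and a CA bundle (single file) are different libcurl settings. More importantly, baking one absolute path into libcurl means every program linked against it trusts whatever that file contains, with no per-user or per-profile way to pick a different trust store, which is exactly the objection raised later in this thread; a search-path or environment-variable mechanism keeps that decision with the user.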
@@ -87,6 +94,10 @@
(substitute* "tests/runtests.pl"
(("/bin/sh") (which "sh")))
+ ;; XXX: This test fails because the default CA bundle path
+ ;; does not exist in the build environment.
+ (delete-file "tests/data/test324")
+
;; XXX FIXME: Test #1510 seems to work on some machines and not
;; others, possibly based on the kernel version. It works on GuixSD
;; on x86_64 with linux-libre-4.1, but fails on Hydra for both i686
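Review bot: `(delete-file "tests/data/test324")` removes the test outright rather than skipping it, so the check disappears even for builders who do have the bundle available. Consider excluding the test from the run instead of deleting its data file, and say in the XXX comment what test324 actually exercises so a future reader can tell whether the exclusion is still needed once the CA handling changes.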
--
2.14.3

Ricardo Wurmus wrote on 29 Oct 2017 22:35
Re: bug#28948: feh does encounter certificate errors with valid certificates
(name . Marius Bakke)(address . mbakke@fastmail.com)
87k1zdljro.fsf@elephly.net
Marius Bakke <mbakke@fastmail.com> writes:

> ng0 <ng0@infotropique.org> writes:
>
>> feh https://i.imgur.com/263enxT.jpg
>> feh opens image
>>
>> Problem:
>> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
>> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
>> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
>> feh: No loadable images specified.
>> See 'man feh' for detailed usage information
>
> This is the same issue with libcurl as has been discussed many times in
> the past. Since it won't be fixed upstream any time soon (support for
> CURL_CA_BUNDLE has been removed also for Windows), I suggest we "bite
> the bullet" this time and add a hard-coded default.

This would mean that individual users no longer have control over what
certificate authorities they want to trust.

Does anything speak against patching in support for the CURL_CA_BUNDLE
environment variable?

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
Marius Bakke wrote on 29 Oct 2017 23:00
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87tvyh4ntj.fsf@fastmail.com
Ricardo Wurmus <rekado@elephly.net> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> ng0 <ng0@infotropique.org> writes:
>>
>>> feh https://i.imgur.com/263enxT.jpg
>>> feh opens image
>>>
>>> Problem:
>>> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
>>> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
>>> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
>>> feh: No loadable images specified.
>>> See 'man feh' for detailed usage information
>>
>> This is the same issue with libcurl as has been discussed many times in
>> the past. Since it won't be fixed upstream any time soon (support for
>> CURL_CA_BUNDLE has been removed also for Windows), I suggest we "bite
>> the bullet" this time and add a hard-coded default.
>
> This would mean that individual users no longer have control over what
> certificate authorities they want to trust.

Check and mate. I never considered this, but that makes this patch a
non-starter.

> Does anything speak against patching in support for the CURL_CA_BUNDLE
> environment variable?

No, it looks like the only option. Should set a good precedent. :-)

Marius Bakke wrote on 30 Oct 2017 00:47
Re: bug#28948: feh does encounter certificate errors with valid certificates
87r2tl4iuz.fsf@fastmail.com
ng0 <ng0@infotropique.org> writes:

> feh opens image
>
> Problem:
> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
> feh: No loadable images specified.
> See 'man feh' for detailed usage information
>
> nss etc are in my profile, no problem with other curl based applications.

The attached patch should fix the problem. Can you try it?
From cadea693c636affd0d4cc5749eb88b5408aac07f Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Mon, 30 Oct 2017 00:18:03 +0100
Subject: [PATCH] gnu: feh: Respect $CURL_CA_BUNDLE.

* gnu/packages/patches/feh-respect-CURL_CA_BUNDLE.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/image-viewers.scm (feh)[source]: Use it.
[native-search-paths]: New field.
---
gnu/local.mk | 1 +
gnu/packages/image-viewers.scm | 8 ++++++++
gnu/packages/patches/feh-respect-CURL_CA_BUNDLE.patch | 18 ++++++++++++++++++
3 files changed, 27 insertions(+)
create mode 100644 gnu/packages/patches/feh-respect-CURL_CA_BUNDLE.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 90dc7aec1..7a74501aa 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -616,6 +616,7 @@ dist_patch_DATA = \
%D%/packages/patches/fasthenry-spFactor.patch \
%D%/packages/patches/fcgi-2.4.0-gcc44-fixes.patch \
%D%/packages/patches/fcgi-2.4.0-poll.patch \
+ %D%/packages/patches/feh-respect-CURL_CA_BUNDLE.patch \
%D%/packages/patches/file-CVE-2017-1000249.patch \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/findutils-gnulib-multi-core.patch \
diff --git a/gnu/packages/image-viewers.scm b/gnu/packages/image-viewers.scm
index 9e93a97a9..98193063e 100644
--- a/gnu/packages/image-viewers.scm
+++ b/gnu/packages/image-viewers.scm
@@ -61,6 +61,7 @@
(method url-fetch)
(uri (string-append home-page
name "-" version ".tar.bz2"))
+ (patches (search-patches "feh-respect-CURL_CA_BUNDLE.patch"))
(sha256
(base32
"0azgpr4al2pi4858z4xh4lfz84cvzxw3n426fn7rz6cdj34q212j"))))
@@ -79,6 +80,13 @@
("libxt" ,libxt)
("libx11" ,libx11)
("libxinerama" ,libxinerama)))
+ (native-search-paths
+ ;; Respect the same options as the `curl` command-line client.
+ (list (search-path-specification
+ (variable "CURL_CA_BUNDLE")
+ (file-type 'regular)
+ (separator #f) ;single entry
+ (files '("etc/ssl/certs/ca-certificates.crt")))))
(synopsis "Fast and light imlib2-based image viewer")
(description
"feh is an X11 image viewer aimed mostly at console users.
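Review bot: the search-path specification only populates CURL_CA_BUNDLE when some package in the same profile provides etc/ssl/certs/ca-certificates.crt; in any other profile the variable stays unset and feh behaves exactly as in the original report. Worth stating that next to `;; Respect the same options as the `curl` command-line client.` so users know a certificate package has to sit alongside feh for the fix to take effect.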
diff --git a/gnu/packages/patches/feh-respect-CURL_CA_BUNDLE.patch b/gnu/packages/patches/feh-respect-CURL_CA_BUNDLE.patch
new file mode 100644
index 000000000..cbe2fa16d
--- /dev/null
+++ b/gnu/packages/patches/feh-respect-CURL_CA_BUNDLE.patch
@@ -0,0 +1,18 @@
+Make feh respect CURL_CA_BUNDLE similar to the `curl` tool.
+
+diff --git a/src/imlib.c b/src/imlib.c
+index dfb79aa..82a9865 100644
+--- a/src/imlib.c
++++ b/src/imlib.c
+@@ -429,6 +429,10 @@ static char *feh_http_load_image(char *url)
+ if (opt.insecure_ssl) {
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
++ } else {
++ // Allow the user to specify custom CA certificates.
++ curl_easy_setopt(curl, CURLOPT_CAINFO,
++ getenv("CURL_CA_BUNDLE"));
+ }
+
+ res = curl_easy_perform(curl);
+
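Review bot: `getenv("CURL_CA_BUNDLE")` returns NULL when the variable is unset, and that NULL is handed straight to `curl_easy_setopt(curl, CURLOPT_CAINFO, ...)`. libcurl treats NULL for a string option as "restore the built-in default", so on Guix (no built-in bundle) this is a harmless no-op, but the call is still issued unconditionally and its CURLcode is discarded. Guard it with a non-NULL, non-empty check so CURLOPT_CAINFO is only touched when the user actually set the variable, and check the return value; note that an empty string is not the same as NULL here and would be treated as a file name rather than as "unset".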
--
2.14.3

Ricardo Wurmus wrote on 30 Oct 2017 09:02
Re: bug#28948: feh does encounter certificate errors with valid certificates
(name . Marius Bakke)(address . mbakke@fastmail.com)
87fua1kqqu.fsf@elephly.net
Marius Bakke <mbakke@fastmail.com> writes:

> ng0 <ng0@infotropique.org> writes:
>
>> feh https://i.imgur.com/263enxT.jpg
>> feh opens image
>>
>> Problem:
>> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
>> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
>> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
>> feh: No loadable images specified.
>> See 'man feh' for detailed usage information
>>
>> nss etc are in my profile, no problem with other curl based applications.
>
> The attached patch should fix the problem. Can you try it?

We’ve done something similar in r-curl IIRC. I wonder if we should just
patch libcurl, so that all users of libcurl would benefit from this change.

> +diff --git a/src/imlib.c b/src/imlib.c
> +index dfb79aa..82a9865 100644
> +--- a/src/imlib.c
> ++++ b/src/imlib.c
> +@@ -429,6 +429,10 @@ static char *feh_http_load_image(char *url)
> + if (opt.insecure_ssl) {
> + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
> + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
> ++ } else {
> ++ // Allow the user to specify custom CA certificates.
> ++ curl_easy_setopt(curl, CURLOPT_CAINFO,
> ++ getenv("CURL_CA_BUNDLE"));
> + }

Is it safe to pass the empty string to curl_easy_setopt, in case
CURL_CA_BUNDLE is unset? Do we need to check the value first or can we
pass it without checking?

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
(name . Ricardo Wurmus)(address . rekado@elephly.net)
20171030140649.dt6n2v6i7im4rrx4@abyayala
Ricardo Wurmus transcribed 1.6K bytes:
>
> Marius Bakke <mbakke@fastmail.com> writes:
>
> > ng0 <ng0@infotropique.org> writes:
> >
> >> feh https://i.imgur.com/263enxT.jpg
> >> feh opens image
> >>
> >> Problem:
> >> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
> >> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
> >> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
> >> feh: No loadable images specified.
> >> See 'man feh' for detailed usage information
> >>
> >> nss etc are in my profile, no problem with other curl based applications.
> >
> > The attached patch should fix the problem. Can you try it?

Thanks! I'll test it in the next couple of days.

> We’ve done something similar in r-curl IIRC. I wonder if we should just
> patch libcurl, so that all users of libcurl would benefit from this change.

In my opinion that would be preferable.

> > +diff --git a/src/imlib.c b/src/imlib.c
> > +index dfb79aa..82a9865 100644
> > +--- a/src/imlib.c
> > ++++ b/src/imlib.c
> > +@@ -429,6 +429,10 @@ static char *feh_http_load_image(char *url)
> > + if (opt.insecure_ssl) {
> > + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
> > + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
> > ++ } else {
> > ++ // Allow the user to specify custom CA certificates.
> > ++ curl_easy_setopt(curl, CURLOPT_CAINFO,
> > ++ getenv("CURL_CA_BUNDLE"));
> > + }
>
> Is it safe to pass the empty string to curl_easy_setopt, in case
> CURL_CA_BUNDLE is unset? Do we need to check the value first or can we
> pass it without checking?
>
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
>
>
>

--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://www.infotropique.org
https://ng0.infotropique.org


Marius Bakke wrote on 1 Nov 2017 21:55
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87d1514t3u.fsf@fastmail.com
Ricardo Wurmus <rekado@elephly.net> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> ng0 <ng0@infotropique.org> writes:
>>
>>> feh https://i.imgur.com/263enxT.jpg
>>> feh opens image
>>>
>>> Problem:
>>> user@abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
>>> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
>>> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
>>> feh: No loadable images specified.
>>> See 'man feh' for detailed usage information
>>>
>>> nss etc are in my profile, no problem with other curl based applications.
>>
>> The attached patch should fix the problem. Can you try it?
>
> We’ve done something similar in r-curl IIRC. I wonder if we should just
> patch libcurl, so that all users of libcurl would benefit from this change.

IIRC the reason it's not supported in libcurl is because getenv() is not
thread-safe, whereas libcurl is designed to be.

>
>> +diff --git a/src/imlib.c b/src/imlib.c
>> +index dfb79aa..82a9865 100644
>> +--- a/src/imlib.c
>> ++++ b/src/imlib.c
>> +@@ -429,6 +429,10 @@ static char *feh_http_load_image(char *url)
>> + if (opt.insecure_ssl) {
>> + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
>> + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
>> ++ } else {
>> ++ // Allow the user to specify custom CA certificates.
>> ++ curl_easy_setopt(curl, CURLOPT_CAINFO,
>> ++ getenv("CURL_CA_BUNDLE"));
>> + }
>
> Is it safe to pass the empty string to curl_easy_setopt, in case
> CURL_CA_BUNDLE is unset? Do we need to check the value first or can we
> pass it without checking?

getenv() returns NULL if the variable is unset. I'm not sure if it
would reset the default on other distros, but it makes no difference for
Guix since libcurl does not have a default CA bundle and handles NULL
here gracefully.

I submitted it upstream in hope of getting feedback/testing there, but
it was simply merged as-is: https://github.com/derf/feh/pull/340

I do agree that it's rather crude, will try to improve it a bit.
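The NULL-versus-empty-string question discussed above, worked through as an added C example that is not feh's, libcurl's or Guix's code: a hypothetical helper that classifies the raw CURL_CA_BUNDLE value the way the feh hunk needs it, leaving CURLOPT_CAINFO untouched when the variable is unset or empty, accepting only a readable regular file (mirroring the `(file-type 'regular)` in the search-path specification), and failing closed otherwise. The function names and the constructed fixture file under /tmp are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not feh's or libcurl's code): decide what, if
 * anything, to hand to CURLOPT_CAINFO from the raw CURL_CA_BUNDLE value. */
enum ca_choice {
    CA_LEAVE_DEFAULT, /* unset or empty: do not call curl_easy_setopt at all  */
    CA_USE_ENV,       /* readable regular file: pass its path to libcurl      */
    CA_ENV_UNUSABLE   /* set, but not a readable regular file: fail closed    */
};

/* getenv() yields NULL when the variable is unset; treat "" the same way so
 * libcurl never sees an empty file name. A directory is rejected because
 * CAINFO expects a single bundle file (directories belong to CURLOPT_CAPATH). */
enum ca_choice classify_ca_bundle(const char *env_value)
{
    struct stat st;

    if (env_value == NULL || env_value[0] == '\0')
        return CA_LEAVE_DEFAULT;
    if (stat(env_value, &st) != 0 || !S_ISREG(st.st_mode))
        return CA_ENV_UNUSABLE;
    if (access(env_value, R_OK) != 0)
        return CA_ENV_UNUSABLE;
    return CA_USE_ENV;
}

/* Path to pass to CURLOPT_CAINFO, or NULL when the option must be left alone.
 * Callers should treat CA_ENV_UNUSABLE as an error instead of quietly
 * continuing with whatever default the library was built with. */
const char *effective_ca_bundle(const char *env_value)
{
    return classify_ca_bundle(env_value) == CA_USE_ENV ? env_value : NULL;
}

/* Constructed fixture: an empty regular file standing in for a bundle, so the
 * classification can be exercised without a real certificate store. */
const char *constructed_bundle_path(void)
{
    static const char path[] = "/tmp/constructed-ca-bundle-fixture.pem";
    FILE *f = fopen(path, "w");

    if (f == NULL)
        return NULL;
    fclose(f);
    return path;
}

int main(void)
{
    const char *env = getenv("CURL_CA_BUNDLE");

    switch (classify_ca_bundle(env)) {
    case CA_USE_ENV:
        printf("would set CURLOPT_CAINFO to %s\n", env);
        return 0;
    case CA_ENV_UNUSABLE:
        fprintf(stderr, "CURL_CA_BUNDLE=%s is not a readable file; refusing\n", env);
        return 1;
    default:
        puts("CURL_CA_BUNDLE unset or empty; leaving libcurl's built-in default");
        return 0;
    }
}
```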

Marius Bakke wrote on 5 Nov 2017 16:21
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87lgjkhhuc.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

> I submitted it upstream in hope of getting feedback/testing there, but
> it was simply merged as-is: <https://github.com/derf/feh/pull/340>
>
> I do agree that it's rather crude, will try to improve it a bit.

Feh 2.22 has been released with this patch, so I pushed the
native-search-path update with it.

I think we should add the CURL_CA_BUNDLE search path to the "curl"
package too so that we can control it on foreign distros (it seems to
opportunistically search /etc/ssl/certs), and make libcurl users that
implement it inherit from curl using (package-native-search-paths ...).

I'll do that on 'core-updates' in a few days if no further comments.

Closed
Ludovic Courtès wrote on 5 Nov 2017 17:14
(address . 28948@debbugs.gnu.org)
87tvy8pusw.fsf@gnu.org
Marius Bakke <mbakke@fastmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> I submitted it upstream in hope of getting feedback/testing there, but
>> it was simply merged as-is: <https://github.com/derf/feh/pull/340>
>>
>> I do agree that it's rather crude, will try to improve it a bit.
>
> Feh 2.22 has been released with this patch, so I pushed the
> native-search-path update with it.

Neat.

> I think we should add the CURL_CA_BUNDLE search path to the "curl"
> package too so that we can control it on foreign distros (it seems to
> opportunistically search /etc/ssl/certs), and make libcurl users that
> implement it inherit from curl using (package-native-search-paths ...).
>
> I'll do that on 'core-updates' in a few days if no further comments.

Sounds good!

Not entirely sure about duplicating the ‘native-search-paths’ in all the
users of libcurl: it’s inelegant, but OTOH it solves the problem, so
it’s definitely an improvement.

Thank you,
Ludo’.
This issue is archived.