libcurl does not honor SSL_CERT_DIR et al.

  • Done
Details
3 participants
  • Hank Donnay
  • Jakub Kędziołka
  • Ludovic Courtès
Owner
unassigned
Submitted by
Hank Donnay
Severity
normal
Hank Donnay wrote on 20 Dec 2016 23:08
weechat-1.6: curl error 60
(address . bug-guix@gnu.org)
CAD4UWki6-7LWxP7tZruwi_ub6rew7uN0kss39-tUJrKyfsasSg@mail.gmail.com
Weechat seems to be unable to do HTTPS, and fails with "curl error 60".
Setting SSL_CERT_{DIR,FILE} doesn't make a difference. The actual error is:

script: error downloading list of scripts: curl error 60 (server
certificate verification failed. CAfile: none CRLfile: none) (URL: "
https://weechat.org/files/plugins.xml.gz")

I have nss-certs installed, and the files pointed to
($GUIX_PROFILE/etc/ssl/certs and
$GUIX_PROFILE/etc/ssl/certs/ca-certificates.crt) both exist.

Any pointers on where to look to fix this would be appreciated.
Attachment: file
Ludovic Courtès wrote on 25 Jan 2017 12:10
(name . Hank Donnay)(address . hdonnay@gmail.com)(address . 25240@debbugs.gnu.org)
87o9yv1jli.fsf@gnu.org
Hello,

Hank Donnay <hdonnay@gmail.com> skribis:

> Weechat seems to be unable to do HTTPS, and fails with "curl error 60".
> Setting SSL_CERT_{DIR,FILE} doesn't make a difference. The actual error is:
>
> script: error downloading list of scripts: curl error 60 (server
> certificate verification failed. CAfile: none CRLfile: none) (URL: "
> https://weechat.org/files/plugins.xml.gz")
>
> I have nss-certs installed, and the files pointed to
> ($GUIX_PROFILE/etc/ssl/certs and
> $GUIX_PROFILE/etc/ssl/certs/ca-certificates.crt) both exist.
>
> Any pointers on where to look to fix this would be appreciated.

Weechat uses libcurl, which uses GnuTLS and does not honor
‘SSL_CERT_DIR’, ‘SSL_CERT_FILE’, and ‘CURL_CA_BUNDLE’.

Instead, GnuTLS defaults to looking for certificates in /etc/ssl/certs,
and it is up to the application to search for certificates in additional
places.

This has been discussed at
but there’s no good solution yet.

Thanks,
Ludo’.
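
One way a libcurl client can do that search itself, as an added example that is not part of this thread and is not WeeChat's, curl's or Guix's code: it reads the three variables named above and passes existing paths to libcurl through `CURLOPT_CAINFO` and `CURLOPT_CAPATH`. The names `ca_paths`, `ca_paths_from_env`, `apply_ca_paths` and the `USE_LIBCURL` build switch are assumptions of this example, as is the precedence between the variables.

```c
/* Build: cc ca_env.c   or, with the libcurl part: cc -DUSE_LIBCURL ca_env.c -lcurl */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

struct ca_paths { const char *file; const char *dir; };  /* NULL = not set */

static int is_file(const char *p)
{ struct stat st; return p && *p && stat(p, &st) == 0 && S_ISREG(st.st_mode); }

static int is_dir(const char *p)
{ struct stat st; return p && *p && stat(p, &st) == 0 && S_ISDIR(st.st_mode); }

/* Precedence CURL_CA_BUNDLE > SSL_CERT_FILE is this example's choice.
 * A variable that does not name an existing file/directory is ignored rather
 * than handed to libcurl. SSL_CERT_DIR is treated as one directory here.
 * A setuid program should not take its trust store from the environment. */
struct ca_paths ca_paths_from_env(void)
{
    struct ca_paths p = { NULL, NULL };
    const char *bundle = getenv("CURL_CA_BUNDLE");
    const char *file = getenv("SSL_CERT_FILE");
    const char *dir = getenv("SSL_CERT_DIR");
    if (is_file(bundle)) p.file = bundle;
    else if (is_file(file)) p.file = file;
    if (is_dir(dir)) p.dir = dir;
    return p;
}

#ifdef USE_LIBCURL
/* Apply the selection to one easy handle; peer verification stays enabled. */
CURLcode apply_ca_paths(CURL *h)
{
    struct ca_paths p = ca_paths_from_env();
    CURLcode rc = curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1L);
    if (rc == CURLE_OK && p.file) rc = curl_easy_setopt(h, CURLOPT_CAINFO, p.file);
    if (rc == CURLE_OK && p.dir) rc = curl_easy_setopt(h, CURLOPT_CAPATH, p.dir);
    return rc;
}
#endif

int main(void)
{
    struct ca_paths p = ca_paths_from_env();
    printf("CAINFO=%s CAPATH=%s\n", p.file ? p.file : "(default)", p.dir ? p.dir : "(default)");
    return 0;
}
```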
Ludovic Courtès wrote on 25 Jan 2017 12:10
control message for bug #25240
(address . control@debbugs.gnu.org)
87mvef1jky.fsf@gnu.org
retitle 25240 libcurl does not honor SSL_CERT_DIR et al.
Jakub Kędziołka wrote on 7 Feb 2020 20:10
Fixed on core-updates
(address . 25240-done@debbugs.gnu.org)
20200207191015.vnjzk2cw3du7cojq@gravity
A patch that fixes this landed on core-updates, see #38873. A follow-up
bug regarding some cleanup is #39415.


Closed
This issue is archived.
