libcurl does not honor SSL_CERT_DIR et al.

  • Done
Details
3 participants
  • Hank Donnay
  • Jakub Kądziołka
  • Ludovic Courtès
Owner
unassigned
Submitted by
Hank Donnay
Severity
normal
Hank Donnay wrote on 20 Dec 2016 23:08
weechat-1.6: curl error 60
(address . bug-guix@gnu.org)
CAD4UWki6-7LWxP7tZruwi_ub6rew7uN0kss39-tUJrKyfsasSg@mail.gmail.com
Weechat seems to be unable to do HTTPS, and fails with "curl error 60".
Setting SSL_CERT_{DIR,FILE} doesn't make a difference. The actual error is:

script: error downloading list of scripts: curl error 60 (server
certificate verification failed. CAfile: none CRLfile: none) (URL: "
https://weechat.org/files/plugins.xml.gz")

I have nss-certs installed, and the files pointed to
($GUIX_PROFILE/etc/ssl/certs and
$GUIX_PROFILE/etc/ssl/certs/ca-certificates.crt) both exist.

Any pointers on where to look to fix this would be appreciated.
Attachment: file
Ludovic Courtès wrote on 25 Jan 2017 12:10
(name . Hank Donnay)(address . hdonnay@gmail.com)(address . 25240@debbugs.gnu.org)
87o9yv1jli.fsf@gnu.org
Hello,

Hank Donnay <hdonnay@gmail.com> skribis:

> Weechat seems to be unable to do HTTPS, and fails with "curl error 60".
> Setting SSL_CERT_{DIR,FILE} doesn't make a difference. The actual error is:
>
> script: error downloading list of scripts: curl error 60 (server
> certificate verification failed. CAfile: none CRLfile: none) (URL: "
> https://weechat.org/files/plugins.xml.gz")
>
> I have nss-certs installed, and the files pointed to
> ($GUIX_PROFILE/etc/ssl/certs and
> $GUIX_PROFILE/etc/ssl/certs/ca-certificates.crt) both exist.
>
> Any pointers on where to look to fix this would be appreciated.

Weechat uses libcurl, which uses GnuTLS and does not honor
‘SSL_CERT_DIR’, ‘SSL_CERT_FILE’, and ‘CURL_CA_BUNDLE’.

Instead, GnuTLS defaults to looking for certificates in /etc/ssl/certs,
and it is up to the application to search for certificates in additional
places.

This has been discussed at
but there’s no good solution yet.

Thanks,
Ludo’.
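
One way an application can do the searching the reply above describes, as an added example that is not code from this thread, WeeChat or Guix: it resolves a CA file or directory from the environment and hands it to libcurl explicitly. The names `resolve_ca_source`, `apply_ca_source` and `WITH_LIBCURL`, and the precedence order, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum ca_kind { CA_NONE, CA_FILE, CA_DIR };
struct ca_source { enum ca_kind kind; char path[4096]; };

/* 1 if path exists and is a directory (want_dir) or a regular file. */
static int path_is(const char *path, int want_dir)
{
    struct stat st;
    if (!path || !*path || strlen(path) >= 4096 || stat(path, &st) != 0)
        return 0;
    return want_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode);
}

/* Assumed precedence: CURL_CA_BUNDLE, SSL_CERT_FILE, then SSL_CERT_DIR (one
 * directory). A variable pointing at nothing usable is skipped, not passed on. */
struct ca_source resolve_ca_source(void)
{
    static const char *const file_vars[] = { "CURL_CA_BUNDLE", "SSL_CERT_FILE" };
    struct ca_source out = { CA_NONE, "" };
    const char *v;
    for (size_t i = 0; i < 2; i++) {
        v = getenv(file_vars[i]);
        if (path_is(v, 0)) { out.kind = CA_FILE; strcpy(out.path, v); return out; }
    }
    v = getenv("SSL_CERT_DIR");
    if (path_is(v, 1)) { out.kind = CA_DIR; strcpy(out.path, v); }
    return out;
}
#ifdef WITH_LIBCURL /* build with: cc -DWITH_LIBCURL example.c -lcurl */
#include <curl/curl.h>
/* Peer verification stays enabled; only the trust anchors are set. */
CURLcode apply_ca_source(CURL *h, const struct ca_source *ca)
{
    if (ca->kind == CA_FILE) return curl_easy_setopt(h, CURLOPT_CAINFO, ca->path);
    if (ca->kind == CA_DIR)  return curl_easy_setopt(h, CURLOPT_CAPATH, ca->path);
    return CURLE_OK; /* nothing usable: the TLS backend's default applies */
}
#endif
int main(void)
{
    struct ca_source ca = resolve_ca_source();
    printf("%s %s\n", ca.kind == CA_FILE ? "CAINFO" :
           ca.kind == CA_DIR ? "CAPATH" : "default", ca.path);
    return 0;
}
```
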
Ludovic Courtès wrote on 25 Jan 2017 12:10
control message for bug #25240
(address . control@debbugs.gnu.org)
87mvef1jky.fsf@gnu.org
retitle 25240 libcurl does not honor SSL_CERT_DIR et al.
Jakub Kądziołka wrote on 7 Feb 2020 20:10
Fixed on core-updates
(address . 25240-done@debbugs.gnu.org)
20200207191015.vnjzk2cw3du7cojq@gravity
A patch that fixes this landed on core-updates, see #38873. A follow-up
bug regarding some cleanup is #39415.


Closed