CMake’s “ctest” doesn’t know about X.509 certificates

  • Done
  • quality assurance status badge
Details
4 participants
  • Ludovic Courtès
  • Ludovic Courtès
  • Tobias Geerinckx-Rice
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
L
L
Ludovic Courtès wrote on 10 Sep 2019 17:37
CMake’s “ctest” doesn’t know about X.509 certificates
(address . bug-Guix@gnu.org)
87tv9k17so.fsf@inria.fr
Hello,

The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, and it does
not either look at /etc/ssl/certs.

The culprit is this function:

Toggle snippet (36 lines)
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
std::string e;
if (cafile && *cafile) {
::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
}
#ifdef CMAKE_FIND_CAFILE
# define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
::CURLcode res =
::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
}
# undef CMAKE_CAFILE_FEDORA
else {
# define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
::CURLcode res =
::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
}
# undef CMAKE_CAFILE_COMMON
# define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
::CURLcode res =
::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
}
# undef CMAKE_CAPATH_COMMON
}
#endif
return e;
}

The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:

Toggle snippet (7 lines)
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) && \
!defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
# define CMAKE_FIND_CAFILE
# include "cmSystemTools.h"
#endif

Thus it doesn’t look for certificates *at all*, and eventually fails
with:

Toggle snippet (6 lines)
Error when uploading file: …
Error message was: server certificate verification failed. CAfile: none CRLfile: none
Problems when submitting via HTTP
Errors while running CTest

For now I propose to provide a patched ‘cmake’ package that does the
right thing.

On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic.)

Ludo’.
R
R
Ricardo Wurmus wrote on 10 Sep 2019 18:35
Re: bug#37371: CMake’s “ctest” doesn’ t know about X.509 certificates
(address . 37371@debbugs.gnu.org)
877e6gqfd4.fsf@elephly.net
Ludovic Courtès <ludovic.courtes@inria.fr> writes:

Toggle quote (3 lines)
> The ‘ctest’ command uses libcurl to submit reports to CDash servers.
> However, it does not “getenv” anything related to CA certs, and it does
> not either look at /etc/ssl/certs.
[…]
Toggle quote (4 lines)
>
> For now I propose to provide a patched ‘cmake’ package that does the
> right thing.

This is the correct way, in my opinion. The user of libcurl is supposed
to handle environment variable lookup.

Toggle quote (4 lines)
> On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
> directly in libcurl, which may be the better long-term solution (though
> it’s unclear whether that could interfere with application logic.)

This idea has been around for a pretty long time. I don’t really like
it, but it would solve so many problems where users of libcurl don’t do
env var lookups and fall back to the default, which is not guaranteed to
exist when using Guix on foreign distros or even on Guix System.

--
Ricardo
T
T
Tobias Geerinckx-Rice wrote on 10 Sep 2019 19:05
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37371@debbugs.gnu.org)
87v9u0cca9.fsf@nckx
Ricardo,

Ricardo Wurmus ???
Toggle quote (4 lines)
> This is the correct way, in my opinion. The user of libcurl is
> supposed
> to handle environment variable lookup.

I'm aware of this, but it seems like some users don't do this.

Toggle quote (15 lines)
>> On #guix, Tobias also rightfully suggested adding a ‘getenv’
>> call
>> directly in libcurl, which may be the better long-term solution
>> (though
>> it’s unclear whether that could interfere with application
>> logic.)
>
> This idea has been around for a pretty long time. I don’t
> really like
> it, but it would solve so many problems where users of libcurl
> don’t do
> env var lookups and fall back to the default, which is not
> guaranteed to
> exist when using Guix on foreign distros or even on Guix System.

Yeah, I explicitly said it was evil ;-)

I don't ‘like’ it either, but don't know enough about libcurl to
think of a better solution.

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXXfXzgAKCRANsP+IT1Vt
eegSAQDfSbev5GENWnSNMNV2h2IMPs8QvROx4yuJfcpA7tR4agEA9snV+VtXxvwq
IHjm2FGjoQkJTBn8YMRTFWwxbFi+rQA=
=lJGc
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 11 Sep 2019 00:13
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87pnk7yf3v.fsf@gnu.org
Hello,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (7 lines)
> Ricardo Wurmus ???
>> This is the correct way, in my opinion. The user of libcurl is
>> supposed
>> to handle environment variable lookup.
>
> I'm aware of this, but it seems like some users don't do this.

I’ve pushed this as 489d16577e4a6ccc30f3719d9263900089edd842.

We can revisit the libcurl issue later on (as we regularly do :-)).

Thanks for your feedback,
Ludo’.
Closed
?