Hello, the attached patch does the same thing as the one we just pushed for gnutls: it sets the global certificate store to files and directories inside /etc/ssl. It should be applied after the update to 1.0.2, which I am trying to have built by hydra on the wip-openssl branch (except that hydra has refused to evaluate it for the last few hours — did I make a mistake?).
I tried youtube-dl with it, and it now works out of the box with the certificates that Debian puts into /etc/ssl/certs/. Unless there are complaints, I would like to push it to master once hydra has built enough packages with it. In the long run, we might wish to apply a mixture of the two attached patches from nix: they take the certificate location from the environment variable OPENSSL_X509_CERT_FILE if it is defined, and only if the binary is not setuid. The patch concerns only the cert file, a single file with many certificates concatenated; I would rather be in favour of patching the next function, X509_get_default_cert_dir_env, which defines a directory with many separate certificates. These could come from separate certificate packages. We could then also add a search path to set the environment variable. Andreas
>From 7e54dd89d698d1209f9cc2cfde95f9f6fd0ecbaf Mon Sep 17 00:00:00 2001
From: Andreas Enge <andr...@enge.fr>
Date: Sat, 7 Feb 2015 13:14:27 +0100
Subject: [PATCH] gnu: openssl: Use /etc/ssl as the base directory for certificates.

* gnu/packages/openssl.scm (openssl)[source]: Add a snippet to use /etc/ssl/certs/ as the directory and /etc/ssl/cert.pem as the file where certificates are searched.
---
 gnu/packages/openssl.scm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/openssl.scm b/gnu/packages/openssl.scm
index 34e1351..b6dfe6d 100644
--- a/gnu/packages/openssl.scm
+++ b/gnu/packages/openssl.scm
@@ -36,7 +36,13 @@ ".tar.gz"))
 (sha256
 (base32
- "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c"))))
+ "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c"))
+ (modules '((guix build utils))) ; for substitute*
+ (snippet
+ '(begin
+ ;; Use /etc/ssl as the base directory for certificates.
+ (substitute* "crypto/cryptlib.h"
+ (("OPENSSLDIR") "\"/etc/ssl\""))))))
 (build-system gnu-build-system)
 (native-inputs
 `(("perl" ,perl)))
 (arguments
-- 
2.2.1
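Review bot: The `substitute*` on `crypto/cryptlib.h` rewrites every occurrence of the token `OPENSSLDIR` in that header, not only the two macros the commit message names, so any other default that cryptlib.h derives from it (a certificate area or a private-key directory, if the header defines them that way) is redirected to /etc/ssl as well. Either anchor the pattern to the `X509_CERT_DIR` and `X509_CERT_FILE` definitions or widen the commit message to state that the whole OPENSSLDIR base moves. As far as I know `substitute*` also passes silently when nothing matches, so an OpenSSL release that moves these macros out of cryptlib.h would quietly fall back to the build-time default; a comment such as `;; Only the defaults in cryptlib.h are rewritten; re-check this header on each upgrade.` would help the next updater.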
diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
@@ -57,6 +57,10 @@
 */
 #include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <unistd.h>
+#include <sys/types.h>
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
@@ -71,7 +75,25 @@
 { return(X509_CERT_DIR); }
 const char *X509_get_default_cert_file(void)
- { return(X509_CERT_FILE); }
+ {
+ static char buf[PATH_MAX] = X509_CERT_FILE;
+ static int init = 0;
+ if (!init) {
+ init = 1;
+ char * s = getenv("OPENSSL_X509_CERT_FILE");
+ if (s) {
+#ifndef OPENSSL_SYS_WINDOWS
+ if (getuid() == geteuid()) {
+#endif
+ strncpy(buf, s, sizeof(buf));
+ buf[sizeof(buf) - 1] = 0;
+#ifndef OPENSSL_SYS_WINDOWS
+ }
+#endif
+ }
+ }
+ return buf;
+ }
 const char *X509_get_default_cert_dir_env(void)
 { return(X509_CERT_DIR_EVP); }
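Review bot: The privilege check in the new X509_get_default_cert_file() body only compares real and effective user ids, so a setgid binary (or one that gained privilege another way) still honours OPENSSL_X509_CERT_FILE and has its trust store redirected by whoever controls the environment; the same check is carried over in the follow-up patch below. Compare the group ids as well, `if (getuid() == geteuid() && getgid() == getegid()) {`, or use `secure_getenv()` where the libc provides it, since that also covers the AT_SECURE case. Independently, `init = 1;` is written before `buf` is filled, so a second thread entering during the `strncpy` sees `init` set and returns a half-copied buffer; move the assignment after the copy and note in a comment that the lazy initialisation is still unsynchronised. Declaring `char * s` after a statement is C99, which the rest of this C89-era file may not assume.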
This patch, to be applied after `cert-file.patch', fixes compilation on GNU/Hurd where `PATH_MAX' is not defined.

diff -ubB --show-c-function openssl-1.0.0e/crypto/x509/x509_def.c.orig openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e/crypto/x509/x509_def.c.orig 2012-01-06 00:08:48.000000000 +0100
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2012-01-06 00:11:29.000000000 +0100
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <limits.h>
 #include <unistd.h>
 #include <sys/types.h>
@@ -76,14 +77,16 @@ const char *X509_get_default_cert_dir(vo
 const char *X509_get_default_cert_file(void)
 {
- static char buf[PATH_MAX] = X509_CERT_FILE;
+ static char *buf;
 static int init = 0;
 if (!init) {
 init = 1;
 char * s = getenv("OPENSSL_X509_CERT_FILE");
 if (s && getuid() == geteuid()) {
- strncpy(buf, s, sizeof(buf));
- buf[sizeof(buf) - 1] = 0;
+ buf = strdup(s);
+ }
+ if (!s) {
+ buf = strdup(X509_CERT_FILE);
 }
 }
 return buf;
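Review bot: On the new side `buf` stays NULL when OPENSSL_X509_CERT_FILE is set but the uid check fails, because the fallback is guarded by `if (!s)` rather than by whether anything was assigned, so a setuid caller gets a NULL default path from X509_get_default_cert_file() where it previously got X509_CERT_FILE. Guard on the result instead, `if (!buf) { buf = strdup(X509_CERT_FILE); }`, and since `strdup()` can itself fail, keep the compile-time default as the last resort: `return buf ? buf : X509_CERT_FILE;`. The closing brace of the function lies outside the hunk.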