config_host/config_crypto.h.in | 2 ++
configure.ac | 3 +++
include/curlinit.hxx | 23 +----------------------
include/opensslinit.hxx | 41 +++++++++++++++++++++++++++++++++++++++++
vcl/source/app/svmain.cxx | 21 +++++++++++++++++++++
5 files changed, 68 insertions(+), 22 deletions(-)
New commits:
commit 4961f1d7173101a64b77a1e8d38f53ed0625bc68
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Nov 8 14:50:26 2023 +0100
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Fri Nov 10 17:47:05 2023 +0100
vcl,openssl: set SSL_CERT_FILE for bundled OpenSSL
OpenSSL may read a CA certificate file from $SSL_CERT_FILE, if the
client library calls SSL_CTX_set_default_verify_paths(); python's ssl
module does it but apparently libcurl does not.
So split the code from commit 3fc632c0261c75fb4079a5305e814698e791f75c
and set the environment variable in ImplSVMain(), hopefully before
any threads are spawned; seems to work for PyMailSMTPService.
This needs to have SYSTEM_OPENSSL available in a config header.
Change-Id: I63b747cb61bb236cf4f605bb9858e5b0083388fe
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159149
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 1472e2d68b9cff43b99069d3ba9439fff0a5684c)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159283
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Andras Timar <andras.ti...@collabora.com>
diff --git a/config_host/config_crypto.h.in b/config_host/config_crypto.h.in
index 106485d55213..33877f99af36 100644
--- a/config_host/config_crypto.h.in
+++ b/config_host/config_crypto.h.in
@@ -33,4 +33,6 @@
#endif
+#undef SYSTEM_OPENSSL
+
/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s
cinkeys+=0=break: */
diff --git a/configure.ac b/configure.ac
index 27d297d7056b..7f96cce66ae9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -11108,6 +11108,9 @@ if test "$enable_openssl" = "yes"; then
OPENSSL_LIBS="-lssl -lcrypto"
else
libo_CHECK_SYSTEM_MODULE([openssl],[OPENSSL],[openssl])
+ if test -n "${SYSTEM_OPENSSL}"; then
+ AC_DEFINE([SYSTEM_OPENSSL])
+ fi
fi
if test "$with_system_openssl" = "yes"; then
AC_MSG_CHECKING([whether openssl supports SHA512])
diff --git a/include/curlinit.hxx b/include/curlinit.hxx
index 8b3a9968419d..18888cf766f9 100644
--- a/include/curlinit.hxx
+++ b/include/curlinit.hxx
@@ -14,28 +14,7 @@
#if defined(LINUX) && !defined(SYSTEM_CURL)
#include <com/sun/star/uno/RuntimeException.hpp>
-#include <unistd.h>
-
-static char const* GetCABundleFile()
-{
- // try system ones first; inspired by:
- //
https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
- auto const candidates = {
- "/etc/pki/tls/certs/ca-bundle.crt",
- "/etc/pki/tls/certs/ca-bundle.trust.crt",
- "/etc/ssl/certs/ca-certificates.crt",
- "/var/lib/ca-certificates/ca-bundle.pem",
- };
- for (char const* const candidate : candidates)
- {
- if (access(candidate, R_OK) == 0)
- {
- return candidate;
- }
- }
-
- throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
-}
+#include "opensslinit.hxx"
static void InitCurl_easy(CURL* const pCURL)
{
diff --git a/include/opensslinit.hxx b/include/opensslinit.hxx
new file mode 100644
index 000000000000..9c3f4c860895
--- /dev/null
+++ b/include/opensslinit.hxx
@@ -0,0 +1,41 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4;
fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <config_crypto.h>
+
+#if defined(LINUX) && !defined(SYSTEM_OPENSSL)
+#include <com/sun/star/uno/RuntimeException.hpp>
+
+#include <unistd.h>
+
+static char const* GetCABundleFile()
+{
+ // try system ones first; inspired by:
+ //
https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+ auto const candidates = {
+ "/etc/pki/tls/certs/ca-bundle.crt",
+ "/etc/pki/tls/certs/ca-bundle.trust.crt",
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/var/lib/ca-certificates/ca-bundle.pem",
+ };
+ for (char const* const candidate : candidates)
+ {
+ if (access(candidate, R_OK) == 0)
+ {
+ return candidate;
+ }
+ }
+
+ throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
+}
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s
cinkeys+=0=break: */
diff --git a/vcl/source/app/svmain.cxx b/vcl/source/app/svmain.cxx
index 2838cfc3a63c..aaf6a602cb14 100644
--- a/vcl/source/app/svmain.cxx
+++ b/vcl/source/app/svmain.cxx
@@ -81,6 +81,7 @@
#include <config_features.h>
#include <config_feature_opencl.h>
+#include <opensslinit.hxx>
#include <osl/process.h>
#include <com/sun/star/lang/XComponent.hpp>
@@ -191,6 +192,26 @@ int ImplSVMain()
int nReturn = EXIT_FAILURE;
const bool bWasInitVCL = IsVCLInit();
+
+#if defined(LINUX) && !defined(SYSTEM_OPENSSL)
+ if (!bWasInitVCL)
+ {
+ try // to point bundled OpenSSL to some system certificate file
+ { // ... this only works if the client actually calls
+ // SSL_CTX_set_default_verify_paths() or similar; e.g. python ssl.
+ char const*const path = GetCABundleFile();
+ OUString const name("SSL_CERT_FILE");
+ OUString const filepath(::rtl::OStringToOUString(
+ ::std::string_view(path), osl_getThreadTextEncoding()));
+ osl_setEnvironment(name.pData, filepath.pData);
+ }
+ catch (uno::RuntimeException const& e)
+ {
+ SAL_WARN("vcl", e.Message);
+ }
+ }
+#endif
+
const bool bInit = bWasInitVCL || InitVCL();
int nRet = 0;
if (!bWasInitVCL && bInit && pSVData->mpDefInst->SVMainHook(&nRet))
