On Wed, 14 Sept 2022 at 11:19, Alexander Kanavin <alex.kana...@gmail.com> wrote:
> I can only think of patching openssl to pick up a oe-specific
> environment variable pointing to staging_libdir_native - making a
> wrapper for every native binary that sets those variables doesn't seem
> feasible.
Hmm. I'm a bit worried that things like git, subversion, and http clients using openssl shared libraries are not configured correctly to check certificates. The default use cases in the shared library work, only the legacy module is tricky to find. But config and certificate store are tricky. Basically, without the cert paths TLS connections don't verify:

# OPENSSL_CONF="" OPENSSL_ENGINES="" OPENSSL_MODULES="" SSL_CERT_DIR="" SSL_CERT_FILE="" openssl.real s_client -connect www.google.com:443 < /dev/null | grep ^Verification
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
DONE
Verification error: unable to get local issuer certificate

With the openssl wrapper, and if those variables are set correctly for the native sysroot paths, then certs get verified:

# openssl s_client -connect www.google.com:443 < /dev/null | grep ^Verification
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
DONE
Verification: OK

For example subversion-native doesn't work without the certs and hangs on the question:

# OPENSSL_CONF="" OPENSSL_ENGINES="" OPENSSL_MODULES="" SSL_CERT_DIR="" SSL_CERT_FILE="" svn co https://www.google.com
Error validating server certificate for 'https://www.google.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: www.google.com
 - Valid: from Aug 29 08:20:19 2022 GMT until Nov 21 08:20:18 2022 GMT
 - Issuer: GTS CA 1C3, Google Trust Services LLC, US
 - Fingerprint: BB:17:2A:6B:F5:43:2C:2B:53:D6:EC:11:21:D3:54:EF:9A:95:19:33
(R)eject, accept (t)emporarily or accept (p)ermanently?

If the openssl variables are set it works:

# set|grep SSL
OPENSSL_CONF=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ssl-3/openssl.cnf
OPENSSL_ENGINES=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/engines-3
OPENSSL_MODULES=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ossl-modules
SSL_CERT_DIR=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ssl-3/certs
SSL_CERT_FILE=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ssl-3/cert.pem
# svn co https://www.google.com
svn: E170013: Unable to connect to a repository at URL 'https://www.google.com'
svn: E175015: The HTTP method 'OPTIONS' is not allowed on '/'

Wrappers here and there don't seem like a good idea...

Cheers,

-Mikko
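An added example, not code from this thread or from OE-core: a POSIX shell helper that derives the five OpenSSL 3 variables from a recipe-sysroot-native prefix the way the wrapper discussed above does, fails if any target path is missing, plus a second function that checks the already-exported environment (the `set | grep SSL` step) so that an empty or dangling variable is caught before a native tool runs with verification silently broken or hangs on an interactive prompt. The function names and the usr/lib layout are assumptions taken from the paths quoted in the message.

```shell
#!/bin/sh
# Constructed example (not OE-core code). Layout under the sysroot is
# assumed from the paths quoted in the thread.

# Print "export NAME=PATH" for each OpenSSL variable rooted at the
# native sysroot prefix $1. Every path must exist; otherwise report the
# missing entries on stderr and return 1 so a build step can stop early.
oe_openssl_env_check() {
    sysroot="$1"
    status=0
    for entry in \
        OPENSSL_CONF:usr/lib/ssl-3/openssl.cnf \
        OPENSSL_ENGINES:usr/lib/engines-3 \
        OPENSSL_MODULES:usr/lib/ossl-modules \
        SSL_CERT_DIR:usr/lib/ssl-3/certs \
        SSL_CERT_FILE:usr/lib/ssl-3/cert.pem
    do
        name=${entry%%:*}
        path="$sysroot/${entry#*:}"
        if [ -e "$path" ]; then
            printf 'export %s=%s\n' "$name" "$path"
        else
            printf 'missing %s: %s\n' "$name" "$path" >&2
            status=1
        fi
    done
    return $status
}

# Check the variables already in the environment. An unset or empty
# variable (the OPENSSL_CONF="" case from the thread) or one pointing
# at a path that does not exist means TLS verification cannot work.
oe_openssl_env_verify() {
    status=0
    for name in OPENSSL_CONF OPENSSL_ENGINES OPENSSL_MODULES SSL_CERT_DIR SSL_CERT_FILE; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "$name is unset or empty: certificate verification will fail" >&2
            status=1
        elif [ ! -e "$value" ]; then
            echo "$name points to a missing path: $value" >&2
            status=1
        fi
    done
    return $status
}

# Usage: . ./this-script.sh && eval "$(oe_openssl_env_check <sysroot>)"
if [ $# -gt 0 ]; then
    oe_openssl_env_check "$1"
fi
```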
View/Reply Online (#170644): https://lists.openembedded.org/g/openembedded-core/message/170644