But I'm not asking to make wrappers. I'm asking to patch openssl code itself to check for an oe-specific environment variable where it's making the decision where these things should be looked for. We already do this with native python.
Alex

On Wed, 14 Sept 2022 at 10:43, Mikko Rapeli <mikko.rap...@linaro.org> wrote:
>
> On Wed, 14 Sept 2022 at 11:19, Alexander Kanavin <alex.kana...@gmail.com> wrote:
> > I can only think of patching openssl to pick up a oe-specific
> > environment variable pointing to staging_libdir_native - making a
> > wrapper for every native binary that sets those variables doesn't seem
> > feasible.
>
> Hmm. I'm a bit worried that things like git, subversion, http clients
> using openssl shared libraries are not configured correctly to check
> certificates.
>
> The default use cases in shared library work, only the legacy module
> is tricky to find. But config and certificate store are tricky.
>
> Basically without the cert paths TLS connections don't verify:
>
> # OPENSSL_CONF="" OPENSSL_ENGINES="" OPENSSL_MODULES="" SSL_CERT_DIR="" SSL_CERT_FILE="" openssl.real s_client -connect www.google.com:443 < /dev/null | grep ^Verification
> depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
> verify return:1
> depth=0 CN = www.google.com
> verify return:1
> DONE
> Verification error: unable to get local issuer certificate
>
> With the openssl wrapper and if those variables are set correctly for
> the native sysroot paths, then certs get verified:
>
> # openssl s_client -connect www.google.com:443 < /dev/null | grep ^Verification
> depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
> verify return:1
> depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
> verify return:1
> depth=0 CN = www.google.com
> verify return:1
> DONE
> Verification: OK
>
> For example subversion-native doesn't work without the certs and hangs
> on the question:
>
> # OPENSSL_CONF="" OPENSSL_ENGINES="" OPENSSL_MODULES="" SSL_CERT_DIR="" SSL_CERT_FILE="" svn co https://www.google.com
> Error validating server certificate for 'https://www.google.com:443':
>  - The certificate is not issued by a trusted authority. Use the
>    fingerprint to validate the certificate manually!
> Certificate information:
>  - Hostname: www.google.com
>  - Valid: from Aug 29 08:20:19 2022 GMT until Nov 21 08:20:18 2022 GMT
>  - Issuer: GTS CA 1C3, Google Trust Services LLC, US
>  - Fingerprint: BB:17:2A:6B:F5:43:2C:2B:53:D6:EC:11:21:D3:54:EF:9A:95:19:33
> (R)eject, accept (t)emporarily or accept (p)ermanently?
>
> If the openssl variables are set it works:
>
> # set|grep SSL
> OPENSSL_CONF=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ssl-3/openssl.cnf
> OPENSSL_ENGINES=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/engines-3
> OPENSSL_MODULES=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ossl-modules
> SSL_CERT_DIR=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ssl-3/certs
> SSL_CERT_FILE=/home/builder/poky/build_master/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/ssl-3/cert.pem
> # svn co https://www.google.com
> svn: E170013: Unable to connect to a repository at URL 'https://www.google.com'
> svn: E175015: The HTTP method 'OPTIONS' is not allowed on '/'
>
> Wrappers here and there don't seem like a good idea..
>
> Cheers,
>
> -Mikko
View/Reply Online (#170645): https://lists.openembedded.org/g/openembedded-core/message/170645