On Wed, 2016-10-26 at 06:20 +0000, Blaettler, Michael wrote:
> Hi Patrick
>
> I just checked the source code of curl.
>
> In acinclude.m4 on line 2560, you'll find:
> dnl CURL_CHECK_CA_BUNDLE
> dnl -------------------------------------------------
> dnl Check if a default ca-bundle should be used
> dnl
> dnl regarding the paths this will scan:
> dnl   /etc/ssl/certs/ca-certificates.crt Debian systems
> dnl   /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva
> dnl   /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat
> dnl   /usr/local/share/certs/ca-root-nss.crt FreeBSD
> dnl   /etc/ssl/cert.pem OpenBSD, FreeBSD (symlink)
> dnl   /etc/ssl/certs/ (ca path) SUSE
>
> Later in the function there's a for loop, searching every path for the
> certificate-chain (if --with-ca-bundle is not set).
>   for a in /etc/ssl/certs/ca-certificates.crt \
>            /etc/pki/tls/certs/ca-bundle.crt \
>            /usr/share/ssl/certs/ca-bundle.crt \
>            /usr/local/share/certs/ca-root-nss.crt \
>            /etc/ssl/cert.pem \
>            "$cac"; do
>     if test -f "$a"; then
>       ca="$a"
>       break
>     fi
>   done
>
> Regarding this configuration script, removing --with-ca-bundle in curl-native
> should not cause any problems.

Quite the opposite, it leads exactly to the problem that I feared.

Suppose you build on distro foo where the configure script finds and thus
hardcodes in the binary ca=/etc/ssl/certs/ca-certificates.crt. Then you build
on distro bar which has /etc/pki/tls/certs/ca-bundle.crt instead.

When using uninative, it is likely that compiling curl-native anew will be
skipped and instead curl-native gets installed from the sstate that was
prepared on distro foo. The result is a curl-native that doesn't have SSL
certificates and thus https will not work.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
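
The following is an added example, not part of either message and not code from curl or OpenEmbedded. It replays the quoted first-match probe against two constructed host roots to show the failure described above: the path baked in on "foo" does not exist on "bar". The function names and the temporary roots are hypothetical, and the "$cac" directory fallback is left out.

```shell
#!/bin/sh
# Candidate files from the acinclude.m4 loop quoted in the thread.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"

# probe_ca_bundle ROOT: print the first candidate that exists under ROOT,
# mirroring the first-match-wins behaviour of the configure loop.
probe_ca_bundle() {
    root=$1
    for a in $CA_CANDIDATES; do
        if test -f "$root$a"; then
            printf '%s\n' "$a"
            return 0
        fi
    done
    return 1
}

# baked_path_usable BAKED ROOT: succeed only if the path hardcoded at build
# time exists on the host (ROOT) where the cached binary is later run.
baked_path_usable() {
    test -f "$2$1"
}

# make_root DIR PATH: constructed sample host that ships one bundle file.
make_root() {
    mkdir -p "$1$(dirname "$2")" && : > "$1$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_root "$tmp/foo" /etc/ssl/certs/ca-certificates.crt  # host that fills sstate
    make_root "$tmp/bar" /etc/pki/tls/certs/ca-bundle.crt    # host that reuses it
    baked=$(probe_ca_bundle "$tmp/foo")
    echo "baked in on foo: $baked"
    if baked_path_usable "$baked" "$tmp/bar"; then
        echo "bar: bundle found"
    else
        echo "bar: $baked missing; a local probe finds $(probe_ca_bundle "$tmp/bar")"
    fi
    rm -rf "$tmp"
}

demo
```
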