GNU bug report logs - #28948
feh does encounter certificate errors with valid certificates


Package: guix

Reported by: ng0 <ng0 <at> infotropique.org>

Date: Sun, 22 Oct 2017 20:35:01 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Message #20 received at 28948 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 28948 <at> debbugs.gnu.org, ng0 <ng0 <at> infotropique.org>
Subject: Re: bug#28948: feh does encounter certificate errors with valid
 certificates
Date: Mon, 30 Oct 2017 09:02:33 +0100

Marius Bakke <mbakke <at> fastmail.com> writes:

> ng0 <ng0 <at> infotropique.org> writes:
>
>> feh https://i.imgur.com/263enxT.jpg
>> feh opens image
>>
>> Problem:
>> user <at> abyayala ~/src/guix/guix$ feh https://i.imgur.com/263enxT.jpg
>> feh WARNING: open url: server certificate verification failed. CAfile: none CRLfile: none
>> feh WARNING: https://i.imgur.com/263enxT.jpg - File does not exist
>> feh: No loadable images specified.
>> See 'man feh' for detailed usage information
>>
>> nss etc are in my profile, no problem with other curl based applications.
>
> The attached patch should fix the problem.  Can you try it?

We’ve done something similar in r-curl IIRC.  I wonder if we should just
patch libcurl, so that all users of libcurl would benefit from this change.

> +diff --git a/src/imlib.c b/src/imlib.c
> +index dfb79aa..82a9865 100644
> +--- a/src/imlib.c
> ++++ b/src/imlib.c
> +@@ -429,6 +429,10 @@ static char *feh_http_load_image(char *url)
> + 			if (opt.insecure_ssl) {
> + 				curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
> + 				curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
> ++			} else {
> ++				// Allow the user to specify custom CA certificates.
> ++				curl_easy_setopt(curl, CURLOPT_CAINFO,
> ++						getenv("CURL_CA_BUNDLE"));
> + 			}
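
Review bot: The new else branch passes the result of getenv("CURL_CA_BUNDLE") to curl_easy_setopt(curl, CURLOPT_CAINFO, ...) without checking it. getenv returns NULL when the variable is unset, so in that case the call sets CURLOPT_CAINFO to NULL instead of leaving the handle's CA configuration untouched, and a variable that is set but empty is handed over as a file path. Suggest reading the value into a local first and calling curl_easy_setopt only when it is non-NULL and non-empty, so an unset variable leaves libcurl's own default in place. The comment could also name the environment variable, since "custom CA certificates" does not tell the reader where the path comes from.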

Is it safe to pass the empty string to curl_easy_setopt, in case
CURL_CA_BUNDLE is unset?  Do we need to check the value first or can we
pass it without checking?

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net






This bug report was last modified 7 years and 200 days ago.
