Subject: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
From: Ludovic Courtès
To: bug-Guix@gnu.org
Date: Tue, 10 Sep 2019 17:37:43 +0200
Message-ID: <87tv9k17so.fsf@inria.fr>

Hello,

The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, and it does
not either look at /etc/ssl/certs.

The culprit is this function:

--8<---------------cut here---------------start------------->8---
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
  std::string e;
  if (cafile && *cafile) {
    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#ifdef CMAKE_FIND_CAFILE
#  define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
  else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
    ::CURLcode res =
      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#  undef CMAKE_CAFILE_FEDORA
  else {
#  define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
    if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
    }
#  undef CMAKE_CAFILE_COMMON
#  define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
    if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
    }
#  undef CMAKE_CAPATH_COMMON
  }
#endif
  return e;
}
--8<---------------cut here---------------end--------------->8---

The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:

--8<---------------cut here---------------start------------->8---
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) &&                    \
  !defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
#  define CMAKE_FIND_CAFILE
#  include "cmSystemTools.h"
#endif
--8<---------------cut here---------------end--------------->8---

Thus it doesn’t look for certificates *at all*, and eventually fails
with:

--8<---------------cut here---------------start------------->8---
Error when uploading file: …
Error message was: server certificate verification failed. CAfile: none CRLfile: none
Problems when submitting via HTTP
Errors while running CTest
--8<---------------cut here---------------end--------------->8---

For now I propose to provide a patched ‘cmake’ package that does the
right thing.

On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic.)

Ludo’.

From: Ricardo Wurmus
Date: Tue, 10 Sep 2019 18:35:03 +0200
Message-ID: <877e6gqfd4.fsf@elephly.net>
In-Reply-To: <87tv9k17so.fsf@inria.fr>

Ludovic Courtès writes:

> The ‘ctest’ command uses libcurl to submit reports to CDash servers.
> However, it does not “getenv” anything related to CA certs, and it does
> not either look at /etc/ssl/certs.
[…]
>
> For now I propose to provide a patched ‘cmake’ package that does the
> right thing.

This is the correct way, in my opinion.  The user of libcurl is supposed
to handle environment variable lookup.

> On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
> directly in libcurl, which may be the better long-term solution (though
> it’s unclear whether that could interfere with application logic.)

This idea has been around for a pretty long time.  I don’t really like
it, but it would solve so many problems where users of libcurl don’t do
env var lookups and fall back to the default, which is not guaranteed to
exist when using Guix on foreign distros or even on Guix System.

--
Ricardo

From: Tobias Geerinckx-Rice
Date: Tue, 10 Sep 2019 19:05:18 +0200
Message-ID: <87v9u0cca9.fsf@nckx>
In-Reply-To: <877e6gqfd4.fsf@elephly.net>

Ricardo,

Ricardo Wurmus writes:
> This is the correct way, in my opinion.  The user of libcurl is supposed
> to handle environment variable lookup.

I'm aware of this, but it seems like some users don't do this.

>> On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
>> directly in libcurl, which may be the better long-term solution (though
>> it’s unclear whether that could interfere with application logic.)
>
> This idea has been around for a pretty long time.  I don’t really like
> it, but it would solve so many problems where users of libcurl don’t do
> env var lookups and fall back to the default, which is not guaranteed to
> exist when using Guix on foreign distros or even on Guix System.

Yeah, I explicitly said it was evil ;-)

I don't ‘like’ it either, but don't know enough about libcurl to
think of a better solution.

Kind regards,

T G-R

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Ludovic Courtès
Subject: bug#37371: closed (Re: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates)
Date: Tue, 10 Sep 2019 22:14:02 +0000

Your bug report

#37371: CMake’s “ctest” doesn’t know about X.509 certificates

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 37371@debbugs.gnu.org.

--
37371: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37371
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: Ricardo Wurmus, 37371-done@debbugs.gnu.org
Subject: Re: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
Date: Wed, 11 Sep 2019 00:13:24 +0200
Message-ID: <87pnk7yf3v.fsf@gnu.org>
In-Reply-To: <87v9u0cca9.fsf@nckx>

Hello,

Tobias Geerinckx-Rice writes:

> Ricardo Wurmus writes:
>> This is the correct way, in my opinion.  The user of libcurl is
>> supposed
>> to handle environment variable lookup.
>
> I'm aware of this, but it seems like some users don't do this.

I’ve pushed this as 489d16577e4a6ccc30f3719d9263900089edd842.

We can revisit the libcurl issue later on (as we regularly do :-)).

Thanks for your feedback,
Ludo’.

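Added example (not part of the thread, and not the code of CMake or of the commit mentioned above): a sketch of the lookup a libcurl consumer can do itself before calling curl_easy_setopt, combining the environment lookup discussed in the replies with the well-known paths from the quoted function. The helper name ResolveCaSource, the variable names SSL_CERT_FILE and SSL_CERT_DIR, and the rule that a set-but-missing variable is an error are assumptions of this example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <initializer_list>
#include <string>
#include <sys/stat.h>

// Added example, not CMake or Guix code.  File maps to CURLOPT_CAINFO, Dir to
// CURLOPT_CAPATH; None means no trust store: keep verification on and fail.
enum class CaKind { None, File, Dir };

struct CaSource {
  CaKind kind;
  std::string path;
  std::string origin; // which rule matched, for error messages
};

using EnvLookup = std::function<const char*(const char*)>;
using PathTest = std::function<bool(const std::string&)>;

// Hypothetical helper.  The environment and file-system probes are injected so
// the lookup order can be exercised without touching the real system.
CaSource ResolveCaSource(const char* cafile, const EnvLookup& env,
                         const PathTest& isFile, const PathTest& isDir)
{
  // 1. A path supplied by the caller wins, as in the quoted function.
  if (cafile && *cafile) {
    return { CaKind::File, cafile, "explicit" };
  }
  // 2. Environment.  SSL_CERT_FILE and SSL_CERT_DIR are assumed names (the
  //    thread names none); SSL_CERT_DIR is treated as a single directory.  A
  //    set-but-missing path is an error, not a reason to trust another store.
  const char* f = env("SSL_CERT_FILE");
  if (f && *f) {
    return isFile(f) ? CaSource{ CaKind::File, f, "SSL_CERT_FILE" }
                     : CaSource{ CaKind::None, f, "SSL_CERT_FILE (missing)" };
  }
  const char* d = env("SSL_CERT_DIR");
  if (d && *d) {
    return isDir(d) ? CaSource{ CaKind::Dir, d, "SSL_CERT_DIR" }
                    : CaSource{ CaKind::None, d, "SSL_CERT_DIR (missing)" };
  }
  // 3. Well-known locations from the quoted function; first match wins.
  for (const char* p : { "/etc/pki/tls/certs/ca-bundle.crt",
                         "/etc/ssl/certs/ca-certificates.crt" }) {
    if (isFile(p)) return { CaKind::File, p, "well-known file" };
  }
  if (isDir("/etc/ssl/certs")) {
    return { CaKind::Dir, "/etc/ssl/certs", "well-known directory" };
  }
  return { CaKind::None, "", "none" };
}

static bool StatIs(const std::string& p, mode_t type)
{
  struct stat st;
  return stat(p.c_str(), &st) == 0 && (st.st_mode & S_IFMT) == type;
}

int main()
{
  CaSource s = ResolveCaSource(
    nullptr, [](const char* n) { return std::getenv(n); },
    [](const std::string& p) { return StatIs(p, S_IFREG); },
    [](const std::string& p) { return StatIs(p, S_IFDIR); });
  std::printf("%s: %s\n", s.origin.c_str(), s.path.c_str());
  return s.kind == CaKind::None ? 1 : 0;
}
```

A caller would pass the returned path to CURLOPT_CAINFO or CURLOPT_CAPATH according to the kind, and report the origin string when the result is None.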