GNU bug report logs - #37371
CMake’s “ctest” doesn’t know about X.509 certificates

Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Tue, 10 Sep 2019 15:38:03 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#37371: closed (CMake’s “ctest” doesn’t know about X.509 certificates)
Date: Tue, 10 Sep 2019 22:14:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Wed, 11 Sep 2019 00:13:24 +0200
with message-id <87pnk7yf3v.fsf <at> gnu.org>
and subject line Re: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
has caused the debbugs.gnu.org bug report #37371,
regarding CMake’s “ctest” doesn’t know about X.509 certificates
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
37371: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37371
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: bug-Guix <at> gnu.org
Subject: CMake’s “ctest” doesn’t know about X.509 certificates
Date: Tue, 10 Sep 2019 17:37:43 +0200
Hello,

The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, and it does
not look at /etc/ssl/certs either.

The culprit is this function:

--8<---------------cut here---------------start------------->8---
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
  std::string e;
  if (cafile && *cafile) {
    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#ifdef CMAKE_FIND_CAFILE
#  define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
  else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
    ::CURLcode res =
      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#  undef CMAKE_CAFILE_FEDORA
  else {
#  define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
    if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
    }
#  undef CMAKE_CAFILE_COMMON
#  define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
    if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
    }
#  undef CMAKE_CAPATH_COMMON
  }
#endif
  return e;
}
--8<---------------cut here---------------end--------------->8---

The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:

--8<---------------cut here---------------start------------->8---
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) &&                    \
  !defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
#  define CMAKE_FIND_CAFILE
#  include "cmSystemTools.h"
#endif
--8<---------------cut here---------------end--------------->8---

Thus it doesn’t look for certificates *at all*, and eventually fails
with:

--8<---------------cut here---------------start------------->8---
   Error when uploading file: …
   Error message was: server certificate verification failed. CAfile: none CRLfile: none
   Problems when submitting via HTTP
Errors while running CTest
--8<---------------cut here---------------end--------------->8---

For now I propose to provide a patched ‘cmake’ package that does the
right thing.

On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic.)

Ludo’.
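
As an added illustration (not part of the original message, and not code from CMake or Guix): one way a libcurl client can resolve its CA source at run time, so the lookup does not disappear when ‘CMAKE_FIND_CAFILE’ is undefined. The variable names SSL_CERT_FILE and SSL_CERT_DIR and the names resolve_ca, CaSource and CaKind are assumptions of this example; the fallback paths are the ones in cmCurlSetCAInfo above.

```cpp
// Added example: CA trust-store resolution for a libcurl client.
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <initializer_list>
#include <string>
#include <sys/stat.h>

enum class CaKind { None, File, Dir };
struct CaSource { CaKind kind; std::string path; };

using Getenv = std::function<const char*(const char*)>;
using Probe = std::function<bool(const std::string&)>;

static bool is_file(const std::string& p) {
  struct stat st;
  return ::stat(p.c_str(), &st) == 0 && S_ISREG(st.st_mode);
}
static bool is_dir(const std::string& p) {
  struct stat st;
  return ::stat(p.c_str(), &st) == 0 && S_ISDIR(st.st_mode);
}

// Order: explicit setting, environment (assumed variable names), then the
// distribution paths. Unlike the original, the first match wins.
CaSource resolve_ca(const char* cafile,
                    Getenv env = [](const char* n) { return std::getenv(n); },
                    Probe file_ok = is_file, Probe dir_ok = is_dir) {
  if (cafile && *cafile) return {CaKind::File, cafile};
  const char* f = env("SSL_CERT_FILE");
  if (f && *f && file_ok(f)) return {CaKind::File, f};
  const char* d = env("SSL_CERT_DIR");
  if (d && *d && dir_ok(d)) return {CaKind::Dir, d};
  for (const char* p : {"/etc/pki/tls/certs/ca-bundle.crt",
                        "/etc/ssl/certs/ca-certificates.crt"}) {
    if (file_ok(p)) return {CaKind::File, p};
  }
  if (dir_ok("/etc/ssl/certs")) return {CaKind::Dir, "/etc/ssl/certs"};
  return {CaKind::None, ""};  // caller should fail, not disable verification
}

int main() {
  // A caller would pass File to CURLOPT_CAINFO and Dir to CURLOPT_CAPATH.
  CaSource s = resolve_ca(nullptr);
  std::printf("%s\n", s.kind == CaKind::None ? "no CA source found"
                                             : s.path.c_str());
  return 0;
}
```

The environment and filesystem probes are injectable so the lookup order can be checked without touching the host's real trust store.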


[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 37371-done <at> debbugs.gnu.org
Subject: Re: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
Date: Wed, 11 Sep 2019 00:13:24 +0200
Hello,

Tobias Geerinckx-Rice <me <at> tobias.gr> wrote:

> Ricardo Wurmus wrote:
>> This is the correct way, in my opinion.  The user of libcurl is
>> supposed to handle environment variable lookup.
>
> I'm aware of this, but it seems like some users don't do this.

I’ve pushed this as 489d16577e4a6ccc30f3719d9263900089edd842.

We can revisit the libcurl issue later on (as we regularly do :-)).

Thanks for your feedback,
Ludo’.


This bug report was last modified 5 years and 254 days ago.
