GNU bug report logs -
#37371
CMake’s “ctest” doesn’t know about X.509 certificates
Previous Next
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your bug report
#37371: CMake’s “ctest” doesn’t know about X.509 certificates
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 37371 <at> debbugs.gnu.org.
--
37371: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37371
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hello,
Tobias Geerinckx-Rice <me <at> tobias.gr> skribis:
> Ricardo Wurmus 写道:
>> This is the correct way, in my opinion. The user of libcurl is
>> supposed
>> to handle environment variable lookup.
>
> I'm aware of this, but it seems like some users don't do this.
I’ve pushed this as 489d16577e4a6ccc30f3719d9263900089edd842.
We can revisit the libcurl issue later on (as we regularly do :-)).
Thanks for your feedback,
Ludo’.
[Message part 3 (message/rfc822, inline)]
Hello,
The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, and it does
not either look at /etc/ssl/certs.
The culprit is this function:
--8<---------------cut here---------------start------------->8---
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
std::string e;
if (cafile && *cafile) {
::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
}
#ifdef CMAKE_FIND_CAFILE
# define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
::CURLcode res =
::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
}
# undef CMAKE_CAFILE_FEDORA
else {
# define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
::CURLcode res =
::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
}
# undef CMAKE_CAFILE_COMMON
# define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
::CURLcode res =
::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
}
# undef CMAKE_CAPATH_COMMON
}
#endif
return e;
}
--8<---------------cut here---------------end--------------->8---
The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:
--8<---------------cut here---------------start------------->8---
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) && \
!defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
# define CMAKE_FIND_CAFILE
# include "cmSystemTools.h"
#endif
--8<---------------cut here---------------end--------------->8---
Thus it doesn’t look for certificates *at all*, and eventually fails
with:
--8<---------------cut here---------------start------------->8---
Error when uploading file: …
Error message was: server certificate verification failed. CAfile: none CRLfile: none
Problems when submitting via HTTP
Errors while running CTest
--8<---------------cut here---------------end--------------->8---
For now I propose to provide a patched ‘cmake’ package that does the
right thing.
On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic.)
Ludo’.
This bug report was last modified 5 years and 254 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.