GNU bug report logs - #37371
CMake’s “ctest” doesn’t know about X.509 certificates

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Tue, 10 Sep 2019 15:38:03 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: bug-Guix <at> gnu.org
Subject: bug#37371: CMake’s “ctest” doesn’t know about X.509 certificates
Date: Tue, 10 Sep 2019 17:37:43 +0200

Hello,

The ‘ctest’ command uses libcurl to submit reports to CDash servers.
However, it does not “getenv” anything related to CA certs, and it does
not either look at /etc/ssl/certs.

The culprit is this function:

--8<---------------cut here---------------start------------->8---
std::string cmCurlSetCAInfo(::CURL* curl, const char* cafile)
{
  std::string e;
  if (cafile && *cafile) {
    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#ifdef CMAKE_FIND_CAFILE
#  define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
  else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
    ::CURLcode res =
      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
#  undef CMAKE_CAFILE_FEDORA
  else {
#  define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
    if (cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
    }
#  undef CMAKE_CAFILE_COMMON
#  define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
    if (cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON)) {
      ::CURLcode res =
        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
    }
#  undef CMAKE_CAPATH_COMMON
  }
#endif
  return e;
}
--8<---------------cut here---------------end--------------->8---

The problem is that ‘CMAKE_FIND_CAFILE’ is undefined in our case:

--8<---------------cut here---------------start------------->8---
#if !defined(CMAKE_USE_SYSTEM_CURL) && !defined(_WIN32) &&                    \
  !defined(__APPLE__) && !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
#  define CMAKE_FIND_CAFILE
#  include "cmSystemTools.h"
#endif
--8<---------------cut here---------------end--------------->8---

Thus it doesn’t look for certificates *at all*, and eventually fails
with:

--8<---------------cut here---------------start------------->8---
   Error when uploading file: …
   Error message was: server certificate verification failed. CAfile: none CRLfile: none
   Problems when submitting via HTTP
Errors while running CTest
--8<---------------cut here---------------end--------------->8---

For now I propose to provide a patched ‘cmake’ package that does the
right thing.

On #guix, Tobias also rightfully suggested adding a ‘getenv’ call
directly in libcurl, which may be the better long-term solution (though
it’s unclear whether that could interfere with application logic.)

Ludo’.
This bug report was last modified 5 years and 253 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.