Opened 7 years ago
Closed 7 years ago
#56404 closed defect (fixed)
curl: Inconsistent ca-bundle options among variants
Reported by: | eabalea | Owned by: | ryandesign (Ryan Carsten Schmidt) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | | Cc: | |
Port: | curl | | |
Description (last modified by mf2k (Frank Schima))
Package net/curl
The default variant (ssl) benefits from the MacPorts curl-ca-bundle, while the wolfssl and gnutls variants don't and rely on the system ca-bundle detected by the curl configure script (/etc/ssl/cert.pem).
The darwinssl variant gets the system ca-bundle enabled, and thus the root CA MUST be present in that file (instead of being verified against the Keychain settings). This default ca-bundle can't be disabled from command line.
On the darwinssl variant, add

```
configure.args-append --without-ca-bundle
```

to the Portfile.

On the wolfssl and gnutls variants, add

```
configure.args-append --with-ca-bundle=${prefix}/share/curl/curl-ca-bundle.crt
```

to the Portfile.
Change History (7)
comment:1 Changed 7 years ago by mf2k (Frank Schima)
Keywords: | curl ca-bundle darwinssl removed |
---|---|
Owner: | set to ryandesign |
Status: | new → assigned |
comment:2 Changed 7 years ago by mf2k (Frank Schima)
Description: | modified (diff) |
---|---|
comment:3 Changed 7 years ago by pmetzger (Perry E. Metzger)
You might want to submit a Pull Request on GitHub for faster handling of this change.
comment:4 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
Summary: | Inconsistent ca-bundle options among net/curl variants → curl: Inconsistent ca-bundle options among variants |
---|---|
I can't provide any information on the consequences of making the suggested changes.
comment:5 Changed 7 years ago by eabalea
Relying on the system ca-bundle (which is /etc/ssl/cert.pem here) is a bad idea. Some of the certificates are 1024-bit ones (distrusted by any serious root program), and that's why the MacPorts version of curl comes with its own curl-ca-bundle.crt file extracted from Mozilla. Setting all variants to the same trust anchors is the bare minimum to do.
Since gnutls and wolfssl are already able to read the system ca-bundle file, I guess they're also able to read the Macports curl-ca-bundle one.
For the darwinssl variant, leaving the ca-bundle option set makes curl ignore all Keychain trust settings, which is weird.
I've posted an issue on curl's GitHub repo regarding the loading of the CURL_CA_BUNDLE file when darwinssl is enabled. If they move and disable the ca-bundle when darwinssl is enabled, there's nothing more to do here.
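A way to check the claim in comment:5 that a bundle carries 1024-bit roots: this added example (not from the ticket or the curl port) walks the DER of each certificate in a PEM bundle with the standard library only and lists RSA keys below a threshold. `weak_certs`, `rsa_modulus_bits` and `synthetic_rsa_cert` are names chosen here; the synthetic certificate is a constructed test input, not a real CA.

```python
"""Audit a PEM CA bundle for RSA roots with short moduli (added example; stdlib only)."""
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                          # split a SEQUENCE body into (tag, value)
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def rsa_modulus_bits(cert_der):
    """RSA modulus size of a DER certificate, or None for non-RSA keys."""
    fields = _children(_children(_tlv(cert_der, 0)[1])[0][1])  # tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields     # skip explicit [0] version
    alg, pubkey = _children(fields[5][1])     # subjectPublicKeyInfo
    if _children(alg[1])[0][1] != RSA_OID:
        return None
    rsa_pub = _tlv(pubkey[1][1:], 0)[1]       # BIT STRING: skip unused-bits byte
    return int.from_bytes(_children(rsa_pub)[0][1], "big").bit_length()

def weak_certs(pem_bundle, min_bits=2048):
    """(index, bits) for every RSA cert in the bundle weaker than min_bits."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    sizes = [rsa_modulus_bits(base64.b64decode("".join(b.split()))) for b in blocks]
    return [(i, n) for i, n in enumerate(sizes) if n is not None and n < min_bits]

def _der(tag, body):
    n = len(body)                             # short form below 128, else long form
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body
def synthetic_rsa_cert(bits):
    """Constructed, unsigned, mostly empty PEM cert with an RSA key of `bits` bits."""
    modulus = _der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                + _der(0x03, b"\x00" + _der(0x30, modulus + _der(0x02, b"\x01\x00\x01"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki)
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # empty sigAlg, signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

Against a real bundle, `weak_certs(open("/etc/ssl/cert.pem").read())` returns the positions and key sizes of any sub-2048-bit RSA roots.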
comment:6 Changed 7 years ago by eabalea
Pull request done: https://github.com/macports/macports-ports/pull/1721
comment:7 Changed 7 years ago by eabalea
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
In the future, please use WikiFormatting and Cc the port maintainer(s) (`port info --maintainers curl`), if any.