LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

gnurl: fall-back on default system trust store 

If no explicit CA file is given, gnurl fails to setup HTTPS connections
as it doesn't looks for certificates in /etc/ssl/certs/ in any way.
Fix that by utilizing GnuTLS' gnutls_certificate_set_x509_system_trust
as a fall-back if neither CA file, CA path nor SRP is declared.

Reported upstream: https://github.com/bagder/curl/issues/330
Fix suggested upstream: https://github.com/bagder/curl/pull/331

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
lilik-openwrt-22.03
Daniel Golle 10 years ago
parent
1208a25e71
commit
9ea72dda91
2 changed files with 42 additions and 1 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      net/gnurl/Makefile
  2. +41
    -0
      net/gnurl/patches/300-fix-gnutls-system-trust.patch

+ 1
- 1
net/gnurl/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=gnurl
PKG_VERSION:=7.40.0
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://gnunet.org/sites/default/files


+ 41
- 0
net/gnurl/patches/300-fix-gnutls-system-trust.patch View File

@ -0,0 +1,41 @@
From 2c30fa7eb71b24f05b55ff03d6c81fc8572a6f4d Mon Sep 17 00:00:00 2001
From: Daniel Golle <daniel@makrotopia.org>
Date: Mon, 29 Jun 2015 18:36:01 +0200
Subject: [PATCH] gnutls: use default system trust storage if no other CA is
set
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
lib/vtls/gtls.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -420,6 +420,27 @@ gtls_connect_step1(struct connectdata *c
return CURLE_SSL_CONNECT_ERROR;
}
+ if(
+#ifdef USE_TLS_SRP
+ data->set.ssl.authtype != CURL_TLSAUTH_SRP &&
+#endif
+#ifdef HAS_CAPATH
+ !data->set.ssl.CApath &&
+#endif
+ !data->set.ssl.CAfile) {
+ /* add default system trust on supported systems */
+ rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
+
+ if(rc < 0) {
+ infof(data, "error importing system trust storage (%s)\n",
+ gnutls_strerror(rc));
+ if(data->set.ssl.verifypeer)
+ return CURLE_SSL_CACERT;
+ }
+ else
+ infof(data, "found %d certificates in system trust storage\n", rc);
+ }
+
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);

Write Preview
Loading…
Cancel
Save