[Bug 248047] ftp/curl: curl is unusable when CA_BUNDLE is off
bugzilla-noreply at freebsd.org
Fri Jul 17 15:47:13 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248047
Bug ID: 248047
Summary: ftp/curl: curl is unusable when CA_BUNDLE is off
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: sunpoet at FreeBSD.org
Reporter: michael.osipov at siemens.com
Flags: maintainer-feedback?(sunpoet at FreeBSD.org)
Configured curl:
---Begin OPTIONS List---
===> The following configuration options are available for curl-7.71.0:
ALTSVC=off: HTTP Alternative Services support
BROTLI=off: Brotli compression support
CA_BUNDLE=off: Enable CA bundle for OpenSSL/GnuTLS/mbedTLS
COOKIES=on: Cookies support
CURL_DEBUG=off: cURL debug memory tracking
DEBUG=off: Build with debugging support
DOCS=on: Build and/or install documentation
EXAMPLES=off: Build and/or install examples
IDN=off: International Domain Names support
IPV6=on: IPv6 protocol support
METALINK=off: Metalink support
NTLM=off: NTLM authentication support
PROXY=on: Proxy support
PSL=off: Public Suffix List support
TLS_SRP=off: TLS-SRP (Secure Remote Password) support
====> Options available for the group PROTOCOL
DICT=off: DICT (RFC 2229) support
FTP=off: FTP protocol support
GOPHER=off: Gopher protocol support
HTTP=on: HTTP/HTTPS support
HTTP2=on: HTTP/2 support (requires HTTP)
IMAP=off: IMAP/IMAPS support
LDAP=off: LDAP protocol support
LDAPS=off: LDAP protocol over SSL support
LIBSSH2=off: SCP/SFTP support via libssh2 (requires OPENSSL)
POP3=off: POP3/POP3S support
RTMP=off: RTMP protocol support via librtmp
RTSP=off: Real Time Streaming Protocol (RTSP) support
SMB=off: SMB/CIFS support
SMTP=off: SMTP/SMTPS support
TELNET=off: Telnet support
TFTP=off: TFTP support
====> GSSAPI Security API support: you have to select exactly one of them
GSSAPI_BASE=off: GSSAPI support via base system (needs Kerberos)
GSSAPI_HEIMDAL=off: GSSAPI support via security/heimdal
GSSAPI_MIT=on: GSSAPI support via security/krb5
GSSAPI_NONE=off: Disable GSSAPI support
====> DNS resolving options: you have to select exactly one of them
CARES=off: Asynchronous DNS resolution via c-ares
THREADED_RESOLVER=on: Threaded DNS resolver
====> SSL protocol support: you can only select none or one of them
GNUTLS=off: SSL/TLS support via GnuTLS
NSS=off: SSL/TLS support via NSS
OPENSSL=on: SSL/TLS support via OpenSSL
WOLFSSL=off: SSL/TLS support via wolfSSL
===> Use 'make config' to modify these settings
---End OPTIONS List---
Because I rely solely on the system cert store (ssl=base):
# openssl version -d
OPENSSLDIR: "/etc/ssl"
Either OPENSSLDIR/cert.pem or OPENSSLDIR/certs/. This is only enabled in
curl when --with-ca-fallback is enabled. This option is only valid for:
> AC_MSG_CHECKING([whether to use builtin CA store of SSL library])
> AC_ARG_WITH(ca-fallback,
> AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library])
> AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]),
> [
> if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then
> AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter])
> fi
> ],
> [ with_ca_fallback="no"])
> AC_MSG_RESULT([$with_ca_fallback])
> if test "x$with_ca_fallback" = "xyes"; then
> if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then
> AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS])
> fi
> AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ])
> fi
OpenSSL and GnuTLS.
I would expect:
> if CA_BUNDLE=off and SSL_BACKEND in (openssl, gnutls)
>   CONFIGURE_ARGS+=--with-ca-fallback
> endif
Subversion's libserf does set the system cert store if none is set.
--
You are receiving this mail because:
You are the assignee for the bug.
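
Added example, not part of the original bug report or of the curl port: a shell check for the condition the report describes, classifying a curl build by where its trust anchors come from. It assumes `curl-config --ca` prints nothing when no bundle path was compiled in; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added illustration; inputs are passed as arguments so the logic runs offline.

# Extract the directory from `openssl version -d` output,
# e.g.  OPENSSLDIR: "/etc/ssl"  ->  /etc/ssl
openssldir_from() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# True if DIR holds the SSL library's default trust anchors:
# a non-empty cert.pem or a non-empty certs/ directory.
has_default_store() {
    [ -s "$1/cert.pem" ] && return 0
    [ -d "$1/certs" ] && [ -n "$(ls -A "$1/certs" 2>/dev/null)" ]
}

# classify_build CA_PATH CONFIGURE_ARGS OPENSSLDIR
#   CA_PATH         output of `curl-config --ca` (assumed empty without a bundle)
#   CONFIGURE_ARGS  output of `curl-config --configure`
# A CA directory set at build time is not covered by this check.
classify_build() {
    ca_path=$1 cfg=$2 dir=$3
    if [ -n "$ca_path" ]; then
        if [ -s "$ca_path" ]; then echo "bundle"; else echo "bundle-missing"; fi
        return 0
    fi
    case "$cfg" in
        *--with-ca-fallback=no*) fallback=no ;;
        *--with-ca-fallback*)    fallback=yes ;;
        *)                       fallback=no ;;
    esac
    if [ "$fallback" = yes ] && has_default_store "$dir"; then
        echo "fallback"          # library store is used and populated
    elif [ "$fallback" = yes ]; then
        echo "fallback-empty"    # fallback compiled in, store has no certs
    else
        echo "no-trust-store"    # the situation described in this report
    fi
}

# Classify the installed build when both tools are present.
if command -v curl-config >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    classify_build "$(curl-config --ca)" "$(curl-config --configure)" \
        "$(openssldir_from "$(openssl version -d)")"
fi
```

A result of `no-trust-store` or `fallback-empty` means certificate verification has nothing to anchor to unless a CA file is supplied at run time, for example with `--cacert`.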