[Bug 334690] New: libcurl comes with too few certs
https://bugzilla.novell.com/show_bug.cgi?id=334690

           Summary: libcurl comes with too few certs
           Product: openSUSE 10.3
           Version: Final
          Platform: All
        OS/Version: openSUSE 10.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: tom.horsley@att.net
         QAContact: qa@suse.de
          Found By: ---

The /usr/share/curl/curl-ca-bundle.crt file that ships with openSUSE (rpm
curl-ca-bundle-7.16.4-16) has a vastly limited subset of certs compared to
firefox (for example). Since zypper uses libcurl for https access, this means
that repos accessible only via https are likely not accessible without
resorting to fiddling with the certs file.

For example, the equivalent file on a fedora 7 box is found at
/etc/pki/tls/certs/ca-bundle.crt and is 441017 bytes. The
/usr/share/curl/curl-ca-bundle.crt file is only 238102 bytes.

Copying the fedora 7 certs to my opensuse box did indeed allow me to access an
https repo, but that is way too obscure for most folks to figure out. It seems
reasonable to expect all the tools that talk https to have access to the same
set of certs when they all come on the same linux distribution.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=334690#c1

Michal Marek <mmarek@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mmarek@novell.com
           Severity|Normal                      |Enhancement
          Component|Other                       |Other
            Product|openSUSE 10.3               |openSUSE 11.0
            Version|Final                       |unspecified

--- Comment #1 from Michal Marek <mmarek@novell.com> 2007-10-18 08:20:15 MST ---
Known issue. /usr/share/curl/curl-ca-bundle.crt is the upstream-packaged bundle
file. An alternative would be to use the certificates that come with the
openssl package (/etc/ssl/certs).
https://bugzilla.novell.com/show_bug.cgi?id=334690

Michal Marek <mmarek@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=334690

Michal Marek <mmarek@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |mmarek@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=334690

User mmarek@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c2

Michal Marek <mmarek@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Michal Marek <mmarek@novell.com> 2008-02-08 03:09:05 MST ---
libcurl will default to /etc/ssl/certs in 11.0.
https://bugzilla.novell.com/show_bug.cgi?id=334690

User tom.horsley@att.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c3

Thomas Horsley <tom.horsley@att.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #3 from Thomas Horsley <tom.horsley@att.net> 2008-06-30 09:20:50 MDT ---
Well, I straced zypper attempting to get to my https repo, and it does try to
read some directory in /etc/ssl/certs, but it still claims it can't get to the
web site. Since I *can* get to the web site in firefox, something is still
busted in openSUSE 11 with curl.
https://bugzilla.novell.com/show_bug.cgi?id=334690

User mmarek@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c4

Michal Marek <mmarek@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
      Info Provider|                            |tom.horsley@att.net

--- Comment #4 from Michal Marek <mmarek@novell.com> 2008-06-30 09:26:53 MDT ---
(In reply to comment #3 from Thomas Horsley)
> Well, I straced zypper attempting to get to my https repo, and it does try
> to read some directory in /etc/ssl/certs, but it still claims it can't get
> to the web site.

What certificate does the repo use? Try
curl -v https://<url> >/dev/null
https://bugzilla.novell.com/show_bug.cgi?id=334690

User tom.horsley@att.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c5

Thomas Horsley <tom.horsley@att.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |REOPENED
      Info Provider|tom.horsley@att.net         |

--- Comment #5 from Thomas Horsley <tom.horsley@att.net> 2008-06-30 10:07:32 MDT ---
Here's the curl -v:

osu11d0-i:~ # curl -v https://redhawk.ccur.com > /dev/null
* About to connect() to redhawk.ccur.com port 443 (#0)
*   Trying 129.134.60.39... connected
* Connected to redhawk.ccur.com (129.134.60.39) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS alert, Server hello (2):
} [data not shown]
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Here's the strace of the attempt to open a cert dir in zypper:

osu11d0-i:~ # fgrep cert zypp.trace
stat64("/etc/ssl/certs//3c58f906.0", 0xbf8fea8c) = -1 ENOENT (No such file or directory)
stat64("/etc/ssl/certs//3c58f906.0", 0xbf8fe4ac) = -1 ENOENT (No such file or directory)

And here's the cert exported when I was looking at the same site in firefox:

-----BEGIN CERTIFICATE-----
MIIFczCCBFugAwIBAgIRAOis1pjbQ+yAGUvIts2zLeAwDQYJKoZIhvcNAQEFBQAw
gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl
IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0
LUhhcmR3YXJlMB4XDTA4MDIyMDAwMDAwMFoXDTEwMDMwNjIzNTk1OVowge8xCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwUzMzA2OTEQMA4GA1UECBMHRmxvcmlkYTEWMBQG
A1UEBxMNUG9tcGFubyBCZWFjaDEaMBgGA1UECRMRUG9tcGFubyBCZWFjaCwgRkwx
GzAZBgNVBAkTEjI4ODEgR2F0ZXdheSBEcml2ZTEoMCYGA1UEChMfQ29uY3VycmVu
dCBDb21wdXRlciBDb3Jwb3JhdGlvbjEMMAoGA1UECxMDTUlTMRowGAYDVQQLExFD
b21vZG8gSW5zdGFudFNTTDEZMBcGA1UEAxMQcmVkaGF3ay5jY3VyLmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzoozh+GQ7WkUWw+MWAzfOrD5ZfglM3zp
A/oul8anxFUuntaAEQLtZsvrPAJQW/P1OUwGUG2V6j66UuQLS0lCKdutblVASAmF
qHO71NtLvBgZeQyH9A41/PJL/4z+1sRZr1wJLtRcK6AHzNx83qe+U6XWfAhWxVx/
c7yDgqKjWtUCAwEAAaOCAeIwggHeMB8GA1UdIwQYMBaAFKFyXyYbKJhDlV0HN9WF
lp1L0sNFMB0GA1UdDgQWBBQ36vPr6Y15JS4GoNxvl8jO/LNNHTAOBgNVHQ8BAf8E
BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwEQYJYIZIAYb4QgEBBAQDAgbAMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQME
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMHsG
A1UdHwR0MHIwOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL1VUTi1VU0VS
Rmlyc3QtSGFyZHdhcmUuY3JsMDagNKAyhjBodHRwOi8vY3JsLmNvbW9kby5uZXQv
VVROLVVTRVJGaXJzdC1IYXJkd2FyZS5jcmwwgYYGCCsGAQUFBwEBBHoweDA7Bggr
BgEFBQcwAoYvaHR0cDovL2NydC5jb21vZG9jYS5jb20vVVROQWRkVHJ1c3RTZXJ2
ZXJDQS5jcnQwOQYIKwYBBQUHMAKGLWh0dHA6Ly9jcnQuY29tb2RvLm5ldC9VVE5B
ZGRUcnVzdFNlcnZlckNBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAEgxVrDfJjTFU
fOB8eh8bmbqTF3ngKxyzQvSrcj7yyIw8GepZnkZRb8LVFvIK6BfMgT095F78v7Xd
dA06mTO8L37FhXjSnxiU340VkHFdytLXALuVl7siznB5sS+ghnDnR3rLI+ZZhTQK
4UaHfiu0iUkdmXSGuoVeXMPYuG+o8g78uefAG3YMAoHU8qUrfwInDh2Xr2WIqnvu
RZbJ00aUaHf4tZE9KNtAD/OMP0EfHkhYSpfEfpqunJp+/v2IS8WP3mUWQ3JBionO
KT8/LJT2TFnI3BnLC8sqt7qYKmwOeSujrjgT7ETI8qWL/hwYQNljpJWPEiQwP6lg
K6mKm9z3bg==
-----END CERTIFICATE-----

That's all I can think of to add :-).
https://bugzilla.novell.com/show_bug.cgi?id=334690

User mmarek@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c6

Michal Marek <mmarek@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|mmarek@novell.com           |mkoenig@novell.com
             Status|REOPENED                    |NEW

--- Comment #6 from Michal Marek <mmarek@novell.com> 2008-07-01 00:48:14 MDT ---
Yeah, the joy of having a handful of root cert collections... The openssl-certs
package doesn't have the AddTrust root certificate, while firefox and kdelibs
have it => Mathias.

BTW, you can add it yourself by exporting the "AddTrust External CA Root"
certificate as /etc/ssl/certs/addtrust.pem and running c_rehash.
https://bugzilla.novell.com/show_bug.cgi?id=334690

User mkoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c7

Matthias Koenig <mkoenig@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mkoenig@novell.com
         AssignedTo|mkoenig@novell.com          |security-team@suse.de

--- Comment #7 from Matthias Koenig <mkoenig@novell.com> 2008-07-01 03:41:21 MDT ---
Hand over to security-team. I cannot take the responsibility for the decision
of which CA certificates to ship.
https://bugzilla.novell.com/show_bug.cgi?id=334690

User tom.horsley@att.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c8

--- Comment #8 from Thomas Horsley <tom.horsley@att.net> 2008-07-01 06:04:47 MDT ---
Yep. Saving addtrust.pem from firefox and running c_rehash does indeed allow
zypper to communicate with my https repo. Thanks for the info, it would have
taken me ages to discover c_rehash without the pointer.

It would sure be nice if all the SSL libs in all the tools that talked SSL
could consistently talk to the same set of secure sites, like maybe by having
them all point to the same one and only one set of certs? :-).
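The mechanism behind comments #5, #6 and #8, as an added example that is not part of the bug report or of any openSUSE package: libcurl was built with `CAfile: none, CApath: /etc/ssl/certs/`, and an OpenSSL CApath lookup does not read every file in the directory; it only stat()s `<subject hash>.0` (the `3c58f906.0` in the strace), which is the link name `c_rehash` creates. The script below builds a throwaway root CA and a server certificate signed by it (the hostname `repo.example.test` and the CA name are made up), shows `openssl verify` failing against an empty CApath, failing again with the root PEM merely copied in, and succeeding once the hashed symlink exists. It needs the `openssl` command line tool and nothing else; no network access and no changes to the system store.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce the /etc/ssl/certs lookup
# that libcurl/zypper did in comment #5 (CAfile: none, CApath: /etc/ssl/certs/)
# and the manual fix from comment #6 (drop the root PEM in, run c_rehash),
# using a throwaway root CA built here instead of AddTrust/Comodo.
# Needs only the openssl CLI; nothing touches the network or the system store.
set -eu

# Tiny openssl configs so the result does not depend on the system
# openssl.cnf: the root needs basicConstraints CA:TRUE or verify rejects it.
write_configs() {
  cat > "$1/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Test Root
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$1/leaf.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = repo.example.test
EOF
}

# Constructed PKI: a root CA and one server certificate it signs.
# $1 is a scratch directory; $1/certs stands in for /etc/ssl/certs.
make_test_pki() {
  write_configs "$1"
  mkdir -p "$1/certs"
  openssl req -x509 -config "$1/root.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 2 -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -new -config "$1/leaf.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1/server.csr" \
    -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -out "$1/server.pem" 2>/dev/null
}

# The file name a CApath lookup stat()s: <subject hash>.0 (a collision gets
# .1, .2, ...). 3c58f906.0 in the strace above is such a name.
# -subject_hash prints the hash this openssl binary uses for lookups. 0.9.8,
# which openSUSE 11.0 shipped, used an MD5-based hash; 1.0.0 changed the
# algorithm and prints the old one as -subject_hash_old, which is why c_rehash
# on newer releases creates both names.
capath_name() {
  printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# The same chain check libcurl makes: $1 = CApath directory, $2 = leaf cert.
# Looks for the "<file>: OK" line rather than trusting the exit status,
# which very old openssl verify builds left at 0 on failure.
verify_against_capath() {
  if openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# What c_rehash does for one certificate: the PEM ($2) may sit in the CApath
# directory ($1) under any name ($3); the symlink with the hashed name is what
# makes the lookup succeed.
install_root() {
  cp "$2" "$1/$3"
  ln -sf "$3" "$1/$(capath_name "$2")"
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "empty CApath:        $(verify_against_capath "$d/certs" "$d/server.pem")"
  cp "$d/root.pem" "$d/certs/example-root.pem"   # PEM present, no hash link
  echo "PEM copied, no link: $(verify_against_capath "$d/certs" "$d/server.pem")"
  install_root "$d/certs" "$d/root.pem" example-root.pem
  echo "$(capath_name "$d/root.pem") linked:   $(verify_against_capath "$d/certs" "$d/server.pem")"
  echo "curl would then accept the site with: curl -v --capath $d/certs https://repo.example.test/"
}

demo
```

The middle step is the one that bites in practice: a root certificate dropped into `/etc/ssl/certs` without re-running `c_rehash` (or, on 0.9.8-era systems, with links made for the wrong hash algorithm) changes nothing, because the directory lookup never opens files by their human-readable names.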
https://bugzilla.novell.com/show_bug.cgi?id=334690

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c9

--- Comment #9 from Ludwig Nussel <lnussel@novell.com> 2008-07-01 06:22:27 MDT ---
If it was easy to solve the problem of different applications using different
certificate stores (and worse, different crypto libraries!) we would already
have solved it :-) The long term goal is to unify that stuff of course.
https://bugzilla.novell.com/show_bug.cgi?id=334690

User tom.horsley@att.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c10

--- Comment #10 from Thomas Horsley <tom.horsley@att.net> 2008-07-01 10:56:38 MDT ---
I've never found sites I couldn't get to with both firefox and curl when using
fedora systems (Needle, needle :-).
https://bugzilla.novell.com/show_bug.cgi?id=334690

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=334690#c11

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #11 from Ludwig Nussel <lnussel@novell.com> 2009-03-19 03:35:29 MST ---
Meanwhile curl uses /etc/ssl/certs/ which contains the firefox certificates.