Mailinglist Archive: opensuse-packaging (104 mails)

Re: [opensuse-packaging] Packaging Godot
cunix wrote:
Ludwig Nussel:
In case of godot looks like it's using openSSL. Not sure why they are
jumping through hoops to make godot read some built in CA bundle. Game
developers are hardly in the CA business so if I were them I'd stay away
from that as far as possible :-)

Can't speak for upstream but this might be related to godot's use of so
called "templates". These are used to export a game project into
single binaries that should run out of the box on various platforms.

I can see the motivation for them bundling the CA certs. Especially when
they also bundle the SSL lib there is no easy way anymore to talk to the
system's CA cert store (if there is any at all). That still doesn't mean
it's a good idea :-)

Anyways, as you can see in modules/openssl/stream_peer_openssl.cpp
there even is a commented call to SSL_CTX_load_verify_locations()
"for testing". Pretty close. Replace that with a call to
SSL_CTX_set_default_verify_paths(), reduce the built in bundle to
not contain any certs at all and you are done. godot will then rely on
openssl to read the system wide cert store.

Thank you very much for figuring this out!
You're obviously the expert here.
We should try if this can be a solution.

But I've to admit that I do not know the innards of the Godot source
code and all the openSSL pitfalls.
If users are really better off with a patch from a packaging guy who
isn't really brave and confident enough, beyond scratching the surface
and twisting some existing build options, to fiddle with this security
critical part of the code, I'm not sure.

Well, explain the issue upstream and ask them to help with the actual
code :-)

Additionally this won't be lasting, as it seems Godot will switch with
version 3.1 to mbedtls.

I am not familiar with mbedtls but usually the problem and solution looks
similar with all such libs, just different function names. In the worst
case you'd have to specify the path to some legacy location yourself
at build time. Allowing to pass a path at build time should be next to
trivial for upstream to implement.


(o_ Ludwig Nussel
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
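The trust-anchor choice discussed above (an application-shipped CA bundle versus SSL_CTX_set_default_verify_paths() reading the system store) can be checked without touching Godot's C++ code, because Python's ssl module wraps the same OpenSSL calls: SSLContext.load_verify_locations() maps to SSL_CTX_load_verify_locations() and SSLContext.set_default_verify_paths() to SSL_CTX_set_default_verify_paths(). The following is an added example written for this page, not code from the thread or from the Godot project; the function names and the empty "bundle" are constructed for illustration.

```python
"""Where a TLS client gets its trust anchors, shown with Python's ssl module.

SSLContext.load_verify_locations()    -> SSL_CTX_load_verify_locations()
SSLContext.set_default_verify_paths() -> SSL_CTX_set_default_verify_paths()
"""
import os
import ssl


def bundled_context(bundle_pem: str) -> ssl.SSLContext:
    """Trust only an application-shipped bundle (the embedded-CA approach).

    An empty string models a bundle that has been reduced to contain no
    certificates: nothing is loaded, so every peer certificate fails to
    verify unless some other source of anchors is configured.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never downgrade to CERT_NONE
    ctx.check_hostname = True
    if bundle_pem.strip():
        # OpenSSL rejects an empty PEM input, so only load a non-empty bundle.
        ctx.load_verify_locations(cadata=bundle_pem)
    return ctx


def system_context() -> ssl.SSLContext:
    """Trust the OS-wide store, the SSL_CTX_set_default_verify_paths() route."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.set_default_verify_paths()
    return ctx


def trust_anchor_count(ctx: ssl.SSLContext) -> int:
    """CA certificates currently loaded into ctx's X509 store.

    Note: certificates reachable only through a hashed capath directory are
    loaded lazily, so a capath-only system store can legitimately report 0.
    """
    return ctx.cert_store_stats()["x509_ca"]


def describe_default_paths() -> dict:
    """Where OpenSSL looks when set_default_verify_paths() is used.

    The locations are compiled into OpenSSL (OPENSSLDIR) and can be overridden
    at run time through the SSL_CERT_FILE / SSL_CERT_DIR environment variables.
    cafile/capath are None when the compiled-in location does not exist.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,
        "capath_env": p.openssl_capath_env,
        "system_store_present": p.cafile is not None or p.capath is not None,
    }


if __name__ == "__main__":
    empty_bundle = ""  # constructed: a bundle stripped of all certificates
    print("bundled (empty) anchors:", trust_anchor_count(bundled_context(empty_bundle)))
    print("system anchors:         ", trust_anchor_count(system_context()))
    info = describe_default_paths()
    print("default paths:", info)
    if not info["system_store_present"]:
        # The "if there is any at all" case from the thread: on such a host the
        # switch to the system store silently leaves the client with no anchors.
        print("WARNING: no system CA store found at OpenSSL's default locations")
    for var in (info["cafile_env"], info["capath_env"]):
        if os.environ.get(var):
            print(f"{var} overrides the default location: {os.environ[var]}")
```

Running this on a packaging host answers the practical question a packager has before applying such a patch: whether OpenSSL's compiled-in locations actually resolve to the distribution's ca-certificates, and whether an environment override is in play. A non-empty system count alongside a zero count for the stripped bundle is the expected result on a correctly configured system.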
