> -----Original Message----- > From: [email protected] [mailto:ptxdist- > [email protected]] On Behalf Of Michael Olbrich > Sent: Thursday, April 09, 2015 10:58 AM > To: [email protected] > Subject: Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl > with optional builtin CA certificate default directory or builtin CA > certificate > default bundle file. > > On Thu, Apr 02, 2015 at 09:18:05PM +0000, Rüdiger, Christoph wrote: > > [PATCH] libcurl: Added an option set to compile libcurl with optional > > builtin CA certificate default directory or builtin CA certificate > > default bundle file. > > > > Signed-off-by: Christoph Ruediger > > <[email protected]> > > --- > > rules/libcurl.in | 27 +++++++++++++++++++++++++++ > > rules/libcurl.make | 21 ++++++++++++++++++--- > > 2 files changed, 45 insertions(+), 3 deletions(-) > > > > diff --git a/rules/libcurl.in b/rules/libcurl.in index > > 0ad7fb4..bdb0ad5 100644 > > --- a/rules/libcurl.in > > +++ b/rules/libcurl.in > > @@ -41,6 +41,33 @@ config LIBCURL_FILE config LIBCURL_SSL > > bool "ssl" > > > > +if LIBCURL_SSL > > + > > +choice > > + prompt "Central CA certificate storage" > > + > > + config LIBCURL_SSL_NOCA > > + bool "No CA storage" > > + > > + config LIBCURL_SSL_CAPATH > > + bool "CA directory" > > + > > + config LIBCURL_SSL_CABUNDLE > > + bool "CA bundle" > > +endchoice > > + > > +config LIBCURL_SSL_CAPATH_PATH > > + string "CA directory path" > > + depends on LIBCURL_SSL_CAPATH > > + default "/etc/ssl/certs" > > + > > +config LIBCURL_SSL_CABUNDLE_PATH > > + string "CA bundle path" > > + depends on LIBCURL_SSL_CABUNDLE > > + default "/etc/ssl/certs/ca-certificates.crt" > > Any reason, why these paths should be configurable?
/etc/ssl/certs seems to be the most common path to store certificates in. However, we maintain RedHat servers here which use different paths by default. That's the reason why I made it configurable. > And we need a package that provides those files, right? In my opinion, such a package is nothing for the general ptxdist. It is highly project depending, at least in our company. We do not deploy a set of default CAs like you have it in the general purpose desktop or server distributions. For us it is very rare to have two projects with the same set of CA certificates. Even if we add a certificates package, this should be more related to the openssl package itself than to the openssl user packages like curl. Curl runs fine even if the default path (CA path or CA bundle) does not exist. It is just not finding proper certificates to validate SSL/TLS connections. This is the same behavior as today, where curl is configured to not look anywhere for matching certificates. Best regards, Christoph -- Christoph Ruediger Developer ThyssenKrupp Elevator Innovation GmbH PDC Neuhausen TKEI Elevator Control Bernhaeuser Straße 45 73765 Neuhausen, Germany Phone +49 7158 12-2615 [email protected] Company domicile: Essen Commercial register: Essen HRB 20 839 Postal address: ThyssenKrupp Allee 1, 45143 Essen, Germany Executive Board: Gerhard Thumm, Katrin Huenger, Philippe Choleau -- ptxdist mailing list [email protected]
