
feat(conf): use openssl to detect system ca-certs path #10788

Draft · wants to merge 1 commit into master

Conversation

bungle (Member) commented May 4, 2023

Summary

Previously the code ran through these paths:

  • /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
  • /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
  • /etc/ssl/ca-bundle.pem (OpenSUSE)
  • /etc/pki/tls/cacert.pem (OpenELEC)
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
  • /etc/ssl/cert.pem (OpenBSD, Alpine)

when trying to find the system CA file.

The commit here asks openssl about it and tries from there first.

@bungle requested a review from kikito, May 4, 2023 14:41
@bungle force-pushed the feat/system-trusted-certs-path branch from e488917 to f3bb0b2, May 4, 2023 14:45
pull-request-size bot added size/M and removed size/S labels, May 4, 2023
@bungle force-pushed the feat/system-trusted-certs-path branch from f3bb0b2 to 264ef88, May 4, 2023 14:47
bungle (Member, Author) commented May 4, 2023

Alternatively we could make openssl the fallback rather than first priority.

@bungle force-pushed the feat/system-trusted-certs-path branch from 264ef88 to 7ef0fea, May 4, 2023 15:13
pull-request-size bot added size/S and removed size/M labels, May 4, 2023
@bungle force-pushed the feat/system-trusted-certs-path branch from 7ef0fea to 8ef2523, May 4, 2023 15:23
pull-request-size bot added size/M and removed size/S labels, May 4, 2023
@bungle force-pushed the feat/system-trusted-certs-path branch from 8ef2523 to a7696c3, May 10, 2023 08:43
@bungle force-pushed the feat/system-trusted-certs-path branch from a7696c3 to b02faf3, June 5, 2023 14:38
Review comment on the following lines of the diff:

```lua
for _, cert_dir in ipairs(cert_dirs) do
  for _, cert_file in ipairs(cert_files) do
    local ca_file = pl_path.join(openssl_dir, cert_dir, cert_file)
    if pl_path.exists(ca_file) then
```

Contributor commented:

This logic will seldom get picked up because we ship our own openssl library, and its OPENSSL_DIR is not the same as the system openssl dir, which usually doesn't contain the CA file.

bungle (Member, Author) commented Jun 7, 2023

Should we install root certs then too? Or symlink?

At some point I thought about just downloading this: https://curl.se/docs/caextract.html
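The lookup order discussed in this thread (ask openssl for its OPENSSLDIR and probe there first, then fall back to the distro paths the PR lists, which is also the order the reviewer's comment argues for), as an added example that is not Kong's own code; it is written in Python rather than Kong's Lua so it runs stand-alone. The contents of CERT_DIRS/CERT_FILES (the diff's cert_dirs/cert_files tables are not shown) and the injectable `exists` check are assumptions.

```python
import os
import subprocess
from typing import Callable, Optional

# The well-known bundle locations the PR lists (the pre-existing fallback list).
KNOWN_CA_FILES = [
    "/etc/ssl/certs/ca-certificates.crt",                 # Debian/Ubuntu/Gentoo
    "/etc/pki/tls/certs/ca-bundle.crt",                   # Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                             # OpenSUSE
    "/etc/pki/tls/cacert.pem",                            # OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  # CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                  # OpenBSD, Alpine
]
# Assumed contents for the diff's cert_dirs / cert_files tables (the PR does not show them).
CERT_DIRS = ["", "certs"]
CERT_FILES = ["cert.pem", "ca-certificates.crt", "ca-bundle.crt"]


def parse_openssl_dir(output: str) -> Optional[str]:
    """Extract the path from 'openssl version -d' output (line OPENSSLDIR: "/usr/lib/ssl")."""
    for line in output.splitlines():
        if line.startswith("OPENSSLDIR:"):
            return line.split(":", 1)[1].strip().strip('"')
    return None


def query_openssl_dir() -> Optional[str]:
    """Ask whichever openssl binary is on PATH for its OPENSSLDIR; None if that fails."""
    try:
        proc = subprocess.run(["openssl", "version", "-d"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_openssl_dir(proc.stdout)


def find_ca_file(openssl_dir: Optional[str],
                 exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """First CA bundle found: OPENSSLDIR candidates first, then KNOWN_CA_FILES."""
    if openssl_dir:
        for cert_dir in CERT_DIRS:
            for cert_file in CERT_FILES:
                path = os.path.join(openssl_dir, cert_dir, cert_file)
                if exists(path):
                    return path
    # A bundled OpenSSL (the reviewer's case) usually has no bundle under its own
    # OPENSSLDIR, so the distro paths remain the fallback.
    for path in KNOWN_CA_FILES:
        if exists(path):
            return path
    return None
```

Calling `find_ca_file(query_openssl_dir())` reproduces the PR's behaviour on a real host; passing a set's `__contains__` as `exists` lets the order be checked against a constructed file layout.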

### Summary

Previously the code ran through these paths:
- "/etc/ssl/certs/ca-certificates.crt",                -- Debian/Ubuntu/Gentoo
- "/etc/pki/tls/certs/ca-bundle.crt",                  -- Fedora/RHEL 6
- "/etc/ssl/ca-bundle.pem",                            -- OpenSUSE
- "/etc/pki/tls/cacert.pem",                           -- OpenELEC
- "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", -- CentOS/RHEL 7
- "/etc/ssl/cert.pem",                                 -- OpenBSD, Alpine

when trying to find the system CA file.

The commit here asks `openssl` about it and tries from there first.

Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
@vm-001 force-pushed the feat/system-trusted-certs-path branch from b02faf3 to 6b86195, August 29, 2023 18:21