[Buildroot] [PATCH] Revert "dependencies: check that SSL certificates are installed"

Baruch Siach baruch at tkos.co.il
Sun May 26 08:24:36 UTC 2013 

Hi Thomas,

On Sun, May 26, 2013 at 09:49:20AM +0200, Thomas Petazzoni wrote:
> On Sun, 26 May 2013 05:47:07 +0300, Baruch Siach wrote:
> > On Mon, May 20, 2013 at 09:27:27AM +0300, Baruch Siach wrote:
> > > This reverts commit d66cd067f3dc3d5e2479e1e8c05f24fd82329f7a.
> > > 
> > > SSL certificates are no always installed in /etc/ssl/certs. For example, on
> > > CentOS 5.6 the default OpenSSL certificates directory is /etc/pki/tls/certs,
> > > and wget can download using https without any problem.
> > > 
> > > Moreover, the existence of /etc/ssl/certs does not guarantee the presence of a
> > > CA certificates bundle even on Debian. On my current Debian testing
> > > installation the openssl package itself creates an empty /etc/ssl/certs
> > > directory.
> > > 
> > > Signed-off-by: Baruch Siach <baruch at tkos.co.il>
> > > ---
> > 
> > As the author of d66cd067f3, what do you think?
> 
> Well, d66cd067f3 was written because if you install a very minimal
> system, you may not have the SSL certificates installed, which prevents
> any download from https:// website. So I added a quick check for that.

How about adding a config option (disabled by default) that adds 
--no-check-certificate to the wget command? We may event monitor the wget exit 
status and advice the user to enable this options when we see the status = 5 
(SSL verification failure).

> However, apparently, the location of such certificates is not fixed
> between various systems, so clearly my patch doesn't work properly.

Well, 'openssl version -d' does give you the default location where OpenSSL 
expects certificates to be. However, as I said in the commit log, the presence 
of this directory doesn't necessarily mean that you actually have any 
certificate in this location. On Debian if you uninstall ca-certificates 
you'll still have /etc/ssh/certs.

> I see two options here:
> 
>  (1) Apply your patch, and assume that in most systems, SSL
>      certificates are always installed. The case I had what when you
>      create a very minimal Debian system, but most people probably use
>      a more full-featured system, and it's pretty likely that SSL
>      certificates are already installed.
> 
>  (2) Replace the test by a test that wget some well-known https:// URL,
>      and if it doesn't work, say that SSL certificates are not
>      available. But I don't like this too much, because this means that
>      at every invocation of 'make', Buildroot will try to download
>      something from the network.
> 
> So, for now, I believe option (1) is the only viable one, unless there
> is some local command that allows to check whether SSL certificates are
> installed or not.

So is this an Acked-by from you?

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -

More information about the buildroot mailing list