From: Magne Hov
To: elfutils-devel@sourceware.org
Subject: Specifying CA certificates for libdebuginfod
Date: Fri, 28 May 2021 18:36:17 +0100
Message-ID: <5sr1hqwyjy.fsf@undo.io>

Hi,

I am posting here to continue a discussion from the #elfutils libera.chat channel about whether libdebuginfod might benefit from having a method of specifying a certificate bundle for libcurl.

Normally one would rely on the system's OpenSSL having been configured with up-to-date certificates. However, in my use-case I can't depend on up-to-date certificates being installed on the system that I work with, so I package certificates together with my application (which contains libdebuginfod and its dependencies as a portable package). Other components that my application uses already have ways of specifying a certificate bundle.

The curl tool supports custom certificates with the CURL_CA_BUNDLE environment variable, but with libcurl one must specify a custom certificate bundle with the CURLOPT_CAINFO option via the API.

I propose a new environment variable DEBUGINFOD_CA_BUNDLE or similar which can be used to pass to libcurl. Please see the attached patch below. There is also an option of recognising CURL_CA_BUNDLE as that environment variable is already established by the curl tool, but it could also be good to keep the name separate to libdebuginfod.
I think having the option of specifying certificates could also be helpful for other situations such as specifying a self-signed certificate to use with servers under test.

Kind regards,
Magne

Attachment (text/x-diff, inline): 0001-libdebuginfod-specify-client-CA-bundle-with-DEBUGINF.patch

From 78363eed66c8098961c84980d485f87c8b43f25c Mon Sep 17 00:00:00 2001 From: Magne Hov Date: Tue, 11 May 2021 16:24:51 +0100 Subject: [PATCH] libdebuginfod: specify client CA bundle with DEBUGINFOD_CA_BUNDLE --- debuginfod/debuginfod-client.c | 7 +++++++ debuginfod/debuginfod.h.in | 1 + 2 files changed, 8 insertions(+) diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c index de26af5b..b9165733 100644 --- a/debuginfod/debuginfod-client.c +++ b/debuginfod/debuginfod-client.c @@ -827,6 +827,13 @@ debuginfod_query_server (debuginfod_client *c, curl_easy_setopt(data[i].handle, CURLOPT_ACCEPT_ENCODING, ""); curl_easy_setopt(data[i].handle, CURLOPT_HTTPHEADER, c->headers); + /* Pass SSL certificate to libcurl. */ + const char *certfile = getenv(DEBUGINFOD_CA_BUNDLE); + if (certfile != NULL && strlen (certfile) > 0) + { + curl_easy_setopt(data[i].handle, CURLOPT_CAINFO, certfile); + } + curl_multi_add_handle(curlm, data[i].handle); server_url = strtok_r(NULL, url_delim, &strtok_saveptr); } diff --git a/debuginfod/debuginfod.h.in b/debuginfod/debuginfod.h.in index 559ea947..3ed32f19 100644 --- a/debuginfod/debuginfod.h.in +++ b/debuginfod/debuginfod.h.in @@ -35,6 +35,7 @@ #define DEBUGINFOD_TIMEOUT_ENV_VAR "DEBUGINFOD_TIMEOUT" #define DEBUGINFOD_PROGRESS_ENV_VAR "DEBUGINFOD_PROGRESS" #define DEBUGINFOD_VERBOSE_ENV_VAR "DEBUGINFOD_VERBOSE" +#define DEBUGINFOD_CA_BUNDLE "DEBUGINFOD_CA_BUNDLE" /* The libdebuginfod soname. */ #define DEBUGINFOD_SONAME "@LIBDEBUGINFOD_SONAME@" -- 2.25.1
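Review bot: in the debuginfod-client.c hunk the new block sits inside the per-server loop (the trailing context `curl_multi_add_handle(curlm, data[i].handle); server_url = strtok_r(NULL, url_delim, &strtok_saveptr);` shows it runs once per `data[i]`), so `getenv(DEBUGINFOD_CA_BUNDLE)` and the empty-string test are repeated for every URL; read the variable once before the loop and keep only the `curl_easy_setopt(..., CURLOPT_CAINFO, certfile)` per handle. The comment `/* Pass SSL certificate to libcurl. */` also describes the wrong thing: CURLOPT_CAINFO sets the CA bundle used to verify the server, not a client certificate (that would be CURLOPT_SSLCERT), so say "CA bundle" to avoid confusing later readers. Because the variable changes which CAs the client trusts, it is worth deciding explicitly whether a setuid caller of the library should honour it (glibc's secure_getenv returns NULL in that case) and whether a set-but-unreadable path should be reported rather than left for libcurl to fail every request with a less obvious error. Finally, the diffstat lists only the .c and .h.in files; a new user-facing variable also needs an entry in the client documentation and NEWS.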
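Review bot: in the debuginfod.h.in hunk the macro name in `+#define DEBUGINFOD_CA_BUNDLE "DEBUGINFOD_CA_BUNDLE"` breaks the convention of the three lines above it, which all carry an `_ENV_VAR` suffix (`DEBUGINFOD_TIMEOUT_ENV_VAR`, `DEBUGINFOD_PROGRESS_ENV_VAR`, `DEBUGINFOD_VERBOSE_ENV_VAR`). Since debuginfod.h.in is the installed public header, the name becomes API once released, so rename it to `DEBUGINFOD_CA_BUNDLE_ENV_VAR` (and adjust the `getenv` call in debuginfod-client.c to match) before it ships.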
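The message above explains that libcurl takes a CA bundle through CURLOPT_CAINFO rather than through an environment variable, and the patch reads DEBUGINFOD_CA_BUNDLE with a non-empty check before passing it on. As an added example, not part of the patch or of elfutils, here is the validation a client could apply to that value before handing it to libcurl: it separates "not configured" (keep the system trust store) from "configured but unusable" (refuse, rather than silently falling back to a different set of trusted CAs). The names `ca_policy_t`, `classify_ca_bundle`, `classify_ca_bundle_env` and `demo_bundle_path` are hypothetical, the placeholder file the demo writes is constructed and not a real certificate, and the `curl_easy_setopt` call itself is left out so the block compiles without libcurl.

```c
/* Added example (not part of the elfutils patch): validate a CA-bundle path
 * taken from an environment variable before it would be passed to
 * CURLOPT_CAINFO. All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

typedef enum {
    CA_USE_SYSTEM = 0,  /* unset or empty: keep libcurl's default trust store */
    CA_USE_FILE   = 1,  /* readable regular file: pass it as CURLOPT_CAINFO    */
    CA_REJECT     = 2   /* set but unusable: fail closed instead of falling back */
} ca_policy_t;

/* Decide what to do with the value of a CA-bundle environment variable.
 * The security-relevant distinction is "not configured" versus "configured
 * but broken": silently ignoring a bad path would change which CAs are
 * trusted without the user noticing. */
ca_policy_t classify_ca_bundle(const char *value)
{
    struct stat st;

    if (value == NULL || value[0] == '\0')
        return CA_USE_SYSTEM;

    /* Must be an existing, readable regular file. A directory of hashed
     * certificates would need CURLOPT_CAPATH instead, so it is rejected. */
    if (stat(value, &st) != 0 || !S_ISREG(st.st_mode))
        return CA_REJECT;
    if (access(value, R_OK) != 0)
        return CA_REJECT;

    return CA_USE_FILE;
}

/* Look the variable up by name (the patch uses DEBUGINFOD_CA_BUNDLE) and
 * classify its value. A setuid caller should consider secure_getenv here. */
ca_policy_t classify_ca_bundle_env(const char *var_name)
{
    return classify_ca_bundle(getenv(var_name));
}

/* Demo helper: writes a constructed placeholder file (not a real
 * certificate) under /tmp and returns its path; NULL if that fails. */
const char *demo_bundle_path(void)
{
    static char path[] = "/tmp/ca-bundle-demo-XXXXXX";
    static int created = 0;
    if (!created) {
        const char *body = "-----BEGIN CERTIFICATE-----\n"
                           "(constructed placeholder, not a certificate)\n"
                           "-----END CERTIFICATE-----\n";
        int fd = mkstemp(path);
        if (fd < 0)
            return NULL;
        if (write(fd, body, strlen(body)) < 0) {
            close(fd);
            return NULL;
        }
        close(fd);
        created = 1;
    }
    return path;
}

int main(void)
{
    static const char *labels[] = { "use system store", "use file", "reject" };
    const char *cases[] = { NULL, "", demo_bundle_path(), "/nonexistent/ca.pem", "/tmp" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s -> %s\n", cases[i] ? cases[i] : "(unset)",
               labels[classify_ca_bundle(cases[i])]);
    return 0;
}
```

With a result of CA_USE_FILE the caller would issue `curl_easy_setopt(handle, CURLOPT_CAINFO, value)` once per handle, exactly as the patch does; with CA_REJECT it should report the bad path instead of letting every request fail inside the TLS handshake, and with CA_USE_SYSTEM it should touch nothing so the default trust store stays in effect.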