Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in ca-certificates disabled

Simon Josefsson simon at josefsson.org
Tue Sep 6 12:16:19 CEST 2011

Daniel Stenberg <daniel at haxx.se> writes:

> On Tue, 6 Sep 2011, Simon Josefsson wrote:
>>> | $ ls -l /etc/ssl/certs/ca-certificates.crt
>>> | -rw-r--r-- 1 root root 0 Sep  2 00:07 /etc/ssl/certs/ca-certificates.crt
>>> This is probably a libgnutls bug, but since I haven't pinned it down
>>> I'm filing it here.  Known problem?
>> I recall similar problems when I also disabled all CAs on my machine
>> a long time ago.  I suspect some software may be checking the return
>> code from the CA loading function, and will treat loading of 0
>> certificates as an error. Please try to track down the code that
>> triggers the error message to test this theory.
> I believe it isn't that simple. I think the code that returns the
> error in this case can be found here:
>    https://github.com/bagder/curl/blob/master/lib/gtls.c#L377
> ... and it clearly checks for a negative return value for it to be an error.

Thanks for the pointer -- I managed to track it down, and installed a
patch for it:


Some code may have been relying on getting an error when there were no
certificates at all, but I think it is saner to report success and no
certificates.  That is consistent with the documentation as well.  Let's
hope the change doesn't cause too large problems in practice.
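
The return convention discussed in this thread (a negative value is an error, zero means success with no certificates loaded), as an added example that is not part of the original message and is not GnuTLS or curl code. The names `count_pem_certs`, `trust_store_loaded` and `ERR_BAD_PEM` are hypothetical, and the sample bundles are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"
#define ERR_BAD_PEM (-1)   /* hypothetical error code, not a GnuTLS constant */

/* Hypothetical stand-in for a CA-bundle loader: returns the number of PEM
 * certificate blocks found (0 for an empty bundle), or a negative value
 * when a block is opened but never closed. */
int count_pem_certs(const char *bundle)
{
    int n = 0;
    const char *p = bundle;

    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *end = strstr(p + strlen(PEM_BEGIN), PEM_END);
        if (end == NULL)
            return ERR_BAD_PEM;          /* truncated block: a real error */
        n++;
        p = end + strlen(PEM_END);
    }
    return n;                            /* 0 is success, just no CAs */
}

/* Caller following the convention described in the thread: only a
 * negative return is a load failure. Returns 1 if loading succeeded
 * and stores the CA count; leaves *num_cas untouched on failure. */
int trust_store_loaded(const char *bundle, int *num_cas)
{
    int rc = count_pem_certs(bundle);
    if (rc < 0)
        return 0;
    *num_cas = rc;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the base64 body is a placeholder. */
    const char *cases[] = {
        "",                                      /* zero-byte bundle */
        PEM_BEGIN "\nQUJD\n" PEM_END "\n",       /* one complete block */
        PEM_BEGIN "\nQUJD\n"                     /* truncated block */
    };
    for (int i = 0; i < 3; i++) {
        int n = -1;
        int ok = trust_store_loaded(cases[i], &n);
        printf("case %d: loaded=%d cas=%d\n", i, ok, n);
    }
    return 0;
}
```

A zero count is reported to the caller separately from the success flag, so an application can still log or refuse to proceed when no trust anchors are present.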

