Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in ca-certificates disabled

Simon Josefsson simon at josefsson.org
Tue Sep 6 12:16:19 CEST 2011


Daniel Stenberg <daniel at haxx.se> writes:

> On Tue, 6 Sep 2011, Simon Josefsson wrote:
>
>>> | $ ls -l /etc/ssl/certs/ca-certificates.crt
>>> | -rw-r--r-- 1 root root 0 Sep  2 00:07 /etc/ssl/certs/ca-certificates.crt
>>>
>>> This is probably a libgnutls bug, but since I haven't pinned it down
>>> I'm filing it here.  Known problem?
>>
>> I recall similar problems when I also disabled all CAs on my machine a
>> long time ago.  I suspect some software may be checking the return
>> code from the CA loading function, and will treat loading of 0
>> certificates as an error. Please try to track down the code that
>> triggers the error message to test this theory.
>
> I believe it isn't that simple. I think the code that returns the
> error in this case can be found here:
>
>    https://github.com/bagder/curl/blob/master/lib/gtls.c#L377
>
> ... and it clearly checks for a negative return value for it to be an error.

Thanks for the pointer -- I managed to track it down, and installed a
patch for it:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=ab782d356200f44736edb687304d5e90438e2185

Some code may have been relying on getting an error when there were no
certificates at all, but I think it is saner to report success and no
certificates.  That is consistent with the documentation as well.  Let's
hope the change doesn't cause too large problems in practice.

/Simon
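The distinction the thread turns on, "negative means error, zero means no certificates loaded", is easy to see in a small model. The following is an added example, not code from gnutls or curl: a PEM bundle counter with the return-value semantics Simon describes (malformed input is a negative error, an empty file is success with a count of 0), plus a caller-side check of the kind curl's gtls.c does on the negative value. The function names `count_pem_certs` and `trust_store_usable` are hypothetical, and the bundles are constructed strings, not real certificates. It goes one step beyond the thread by having the caller treat an empty store as a separately reported condition, since with zero CAs every peer certificate will fail verification and the operator should learn that at load time rather than from a confusing handshake failure.

```c
/* Added example (not from gnutls or curl): models the return-value
 * semantics discussed in the thread. A CA bundle loader returns the number
 * of certificates it parsed; a malformed file is a negative error, and an
 * empty file is success with zero certificates. The caller then decides
 * what an empty trust store means. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BEGIN_MARK "-----BEGIN CERTIFICATE-----"
#define END_MARK   "-----END CERTIFICATE-----"

/* Count PEM certificate blocks in buf.
 * Returns the number of complete blocks (0 for an empty bundle), or -1 if
 * a BEGIN marker has no matching END marker (a truncated/malformed file). */
int count_pem_certs(const char *buf)
{
    int count = 0;
    const char *p = buf;
    for (;;) {
        const char *b = strstr(p, BEGIN_MARK);
        if (b == NULL)
            return count;                 /* no more blocks: success */
        const char *e = strstr(b + strlen(BEGIN_MARK), END_MARK);
        if (e == NULL)
            return -1;                    /* truncated block: a real error */
        count++;
        p = e + strlen(END_MARK);
    }
}

/* Caller-side policy. The negative check is the one described for curl's
 * gtls.c; reporting zero loaded CAs as unusable is this example's addition.
 * Returns 1 if the trust store can be used for verification, 0 otherwise. */
int trust_store_usable(int loaded, const char *path)
{
    if (loaded < 0) {
        fprintf(stderr, "error reading CA bundle %s\n", path);
        return 0;
    }
    if (loaded == 0) {
        fprintf(stderr, "warning: CA bundle %s contains no certificates; "
                        "every peer certificate will fail verification\n", path);
        return 0;
    }
    return 1;
}

/* Constructed sample inputs (not real certificates). */
static const char *EMPTY_BUNDLE = "";
static const char *TWO_CERT_BUNDLE =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";
static const char *TRUNCATED_BUNDLE =
    "-----BEGIN CERTIFICATE-----\nAAAA\n";

int main(void)
{
    printf("empty bundle:     %d\n", count_pem_certs(EMPTY_BUNDLE));      /* 0  */
    printf("two-cert bundle:  %d\n", count_pem_certs(TWO_CERT_BUNDLE));   /* 2  */
    printf("truncated bundle: %d\n", count_pem_certs(TRUNCATED_BUNDLE));  /* -1 */
    /* An empty /etc/ssl/certs/ca-certificates.crt, as in the bug report,
     * loads "successfully" with 0 certificates but is flagged as unusable. */
    return trust_store_usable(count_pem_certs(EMPTY_BUNDLE), "empty") ? 0 : 1;
}
```

The zero-length `ca-certificates.crt` from the bug report corresponds to `EMPTY_BUNDLE` here: with the library semantics Simon committed, the load returns 0 rather than an error, and it is the caller's job to decide whether an empty trust store is acceptable.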

More information about the Gnutls-devel mailing list