[Haiku PM] wget certificate issue

[Giova84]

On Haiku i use a bash script to check new emails on Gmail, this script use wget to grab the feed from Gmail, and then use "notify" to notify me if new mail are present. On the current branch of Haiku it works properly, but on Haiku PM i always got an error when wget is running:

~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass https://mail.google.com/mail/feed/atom -O - > /boot/common/cache/tmp/gmail.tmp
--2013-09-24 23:10:28--  https://mail.google.com/mail/feed/atom
Resolving mail.google.com... 173.194.35.54, 173.194.35.53
Connecting to mail.google.com|173.194.35.54|:443... connected.
ERROR: cannot verify mail.google.com's certificate, issued by `/C=US/O=Google Inc/CN=Google Internet Authority G2':
  Unable to locally verify the issuer's authority.
To connect to mail.google.com insecurely, use `--no-check-certificate'.
~> 

Instead this is the correct process on current Haiku:

~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass https://mail.google.com/mail/feed/atom -O - > /boot/common/cache/tmp/gmail.tmp
--2013-09-24 23:13:03--  https://mail.google.com/mail/feed/atom
Resolving mail.google.com... 173.194.35.54, 173.194.35.53
Connecting to mail.google.com|173.194.35.54|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to mail.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/xml]
Saving to: `STDOUT'

    [ <=>                              ] 351         --.-K/s   in 0s      

2013-09-24 23:13:03 (335 MB/s) - written to stdout [351]
~>

[bonefish]

I suspect the cause of the issue is that the root CA certificates which were formerly installed in /boot/common have moved to /boot/system with PM and the old path was still used somewhere. With hrev46167 /boot/common is gone and various paths have been adjusted. So please check whether the issue is solved now.

[Giova84]

hrev46179 This issue is still here.

[Giova84]

Just for the record: this issue is still present in hrev46276

[diver]

AFAIK kallisti5 was going to fix it :-)

[pulkomandy]

The issue is the OpenSSL port looking for cert.pem, but we name the file CARootCertificates.pem. Possible fix part of this huge pull request: ​http://bb.haikuports.org/haikuports/pull-request/167/multiple-updates-openssl-exiv2-gzip

Renaming the certificate file would also work.

[kallisti5]

setting this to critical as PM uses a lot of https to pull SRC'es.

[kallisti5]

I have a patchset for 1.0.1h. Doing testing and will upload a new recipe over the next few days. Long term i'd like to see us move away from openssl as the code smells horrible (libressl is nice once the OpenBSD centric stuff is removed, or maybe Mozilla's nss)

[pulkomandy]

... or GnuTLS, or PolarSSL, or CyaSSL. Who wants to write recipes for them?

[kallisti5]

Found the source of this issue.

We are putting our CA certificate in /boot/system/data/ssl/ vs /boot/system/data/ssl/certs/

curl and wget were "fixed" via ​https://bitbucket.org/haikuports/haikuports/src/687a8bdf9579eda98197b329896fbc681ebd43a0/net-misc/curl/curl-7.37.0.recipe?at=master#cl-52 and ​https://bitbucket.org/haikuports/haikuports/src/687a8bdf9579eda98197b329896fbc681ebd43a0/net-misc/wget/wget-1.15.recipe?at=master#cl-67

The wget hack to give this new path is a settings file.. however that won't be picked up by wget running within haikuporter as it is a chroot.

We need to see if moving the certificate to certs fixes the issue and enables us to drop the hacks.

[waddlesplash]

OpenSSL configuration was changed, fixing the problem on other apps (e.g. QupZilla).