#10016 closed bug (fixed)
[Haiku PM] wget certificate issue
Reported by: | Giova84 | Owned by: | kallisti5 |
---|---|---|---|
Priority: | critical | Milestone: | R1/beta1 |
Component: | Applications/Command Line Tools | Version: | R1/Package Management |
Keywords: | wget certificate issue | Cc: | |
Blocked By: | Blocking: | ||
Platform: | All |
Description
On Haiku i use a bash script to check new emails on Gmail, this script use wget to grab the feed from Gmail, and then use "notify" to notify me if new mail are present. On the current branch of Haiku it works properly, but on Haiku PM i always got an error when wget is running:
~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass https://mail.google.com/mail/feed/atom -O - > /boot/common/cache/tmp/gmail.tmp --2013-09-24 23:10:28-- https://mail.google.com/mail/feed/atom Resolving mail.google.com... 173.194.35.54, 173.194.35.53 Connecting to mail.google.com|173.194.35.54|:443... connected. ERROR: cannot verify mail.google.com's certificate, issued by `/C=US/O=Google Inc/CN=Google Internet Authority G2': Unable to locally verify the issuer's authority. To connect to mail.google.com insecurely, use `--no-check-certificate'. ~>
Instead this is the correct process on current Haiku:
~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass https://mail.google.com/mail/feed/atom -O - > /boot/common/cache/tmp/gmail.tmp --2013-09-24 23:13:03-- https://mail.google.com/mail/feed/atom Resolving mail.google.com... 173.194.35.54, 173.194.35.53 Connecting to mail.google.com|173.194.35.54|:443... connected. HTTP request sent, awaiting response... 401 Unauthorized Reusing existing connection to mail.google.com:443. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/xml] Saving to: `STDOUT' [ <=> ] 351 --.-K/s in 0s 2013-09-24 23:13:03 (335 MB/s) - written to stdout [351] ~>
Change History (12)
comment:1 by , 11 years ago
comment:4 by , 11 years ago
Owner: | changed from | to
---|---|
Platform: | x86 → All |
Status: | new → assigned |
AFAIK kallisti5 was going to fix it :-)
comment:5 by , 11 years ago
Milestone: | R1 → R1/alpha5 |
---|
comment:6 by , 11 years ago
The issue is the OpenSSL port looking for cert.pem, but we name the file CARootCertificates.pem. Possible fix part of this huge pull request: http://bb.haikuports.org/haikuports/pull-request/167/multiple-updates-openssl-exiv2-gzip
Renaming the certificate file would also work.
comment:7 by , 11 years ago
Priority: | normal → critical |
---|
setting this to critical as PM uses a lot of https to pull SRC'es.
comment:8 by , 11 years ago
Status: | assigned → in-progress |
---|
I have a patchset for 1.0.1h. Doing testing and will upload a new recipe over the next few days. Long term i'd like to see us move away from openssl as the code smells horrible (libressl is nice once the OpenBSD centric stuff is removed, or maybe Mozilla's nss)
comment:9 by , 11 years ago
... or GnuTLS, or PolarSSL, or CyaSSL. Who wants to write recipes for them?
comment:10 by , 11 years ago
Found the source of this issue.
We are putting our CA certificate in /boot/system/data/ssl/ vs /boot/system/data/ssl/certs/
curl and wget were "fixed" via https://bitbucket.org/haikuports/haikuports/src/687a8bdf9579eda98197b329896fbc681ebd43a0/net-misc/curl/curl-7.37.0.recipe?at=master#cl-52 and https://bitbucket.org/haikuports/haikuports/src/687a8bdf9579eda98197b329896fbc681ebd43a0/net-misc/wget/wget-1.15.recipe?at=master#cl-67
The wget hack to give this new path is a settings file.. however that won't be picked up by wget running within haikuporter as it is a chroot.
We need to see if moving the certificate to certs fixes the issue and enables us to drop the hacks.
comment:11 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | in-progress → closed |
OpenSSL configuration was changed, fixing the problem on other apps (e.g. QupZilla).
comment:12 by , 10 years ago
Milestone: | R1/alpha5 → R1/beta1 |
---|
I suspect the cause of the issue is that the root CA certificates which were formerly installed in /boot/common have moved to /boot/system with PM and the old path was still used somewhere. With hrev46167 /boot/common is gone and various paths have been adjusted. So please check whether the issue is solved now.