Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#10016 closed bug (fixed)

[Haiku PM] wget certificate issue

Reported by: Giova84 Owned by: kallisti5
Priority: critical Milestone: R1/beta1
Component: Applications/Command Line Tools Version: R1/Package Management
Keywords: wget certificate issue Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

On Haiku i use a bash script to check new emails on Gmail, this script use wget to grab the feed from Gmail, and then use "notify" to notify me if new mail are present. On the current branch of Haiku it works properly, but on Haiku PM i always got an error when wget is running:

~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass https://mail.google.com/mail/feed/atom -O - > /boot/common/cache/tmp/gmail.tmp
--2013-09-24 23:10:28--  https://mail.google.com/mail/feed/atom
Resolving mail.google.com... 173.194.35.54, 173.194.35.53
Connecting to mail.google.com|173.194.35.54|:443... connected.
ERROR: cannot verify mail.google.com's certificate, issued by `/C=US/O=Google Inc/CN=Google Internet Authority G2':
  Unable to locally verify the issuer's authority.
To connect to mail.google.com insecurely, use `--no-check-certificate'.
~> 

Instead this is the correct process on current Haiku:

~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass https://mail.google.com/mail/feed/atom -O - > /boot/common/cache/tmp/gmail.tmp
--2013-09-24 23:13:03--  https://mail.google.com/mail/feed/atom
Resolving mail.google.com... 173.194.35.54, 173.194.35.53
Connecting to mail.google.com|173.194.35.54|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to mail.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/xml]
Saving to: `STDOUT'

    [ <=>                              ] 351         --.-K/s   in 0s      

2013-09-24 23:13:03 (335 MB/s) - written to stdout [351]
~>

Change History (12)

comment:1 by bonefish, 6 years ago

I suspect the cause of the issue is that the root CA certificates which were formerly installed in /boot/common have moved to /boot/system with PM and the old path was still used somewhere. With hrev46167 /boot/common is gone and various paths have been adjusted. So please check whether the issue is solved now.

comment:2 by Giova84, 6 years ago

hrev46179 This issue is still here.

comment:3 by Giova84, 6 years ago

Just for the record: this issue is still present in hrev46276

comment:4 by diver, 6 years ago

Owner: changed from nobody to kallisti5
Platform: x86All
Status: newassigned

AFAIK kallisti5 was going to fix it :-)

comment:5 by kallisti5, 6 years ago

Milestone: R1R1/alpha5

comment:6 by pulkomandy, 5 years ago

The issue is the OpenSSL port looking for cert.pem, but we name the file CARootCertificates.pem. Possible fix part of this huge pull request: http://bb.haikuports.org/haikuports/pull-request/167/multiple-updates-openssl-exiv2-gzip

Renaming the certificate file would also work.

comment:7 by kallisti5, 5 years ago

Priority: normalcritical

setting this to critical as PM uses a lot of https to pull SRC'es.

comment:8 by kallisti5, 5 years ago

Status: assignedin-progress

I have a patchset for 1.0.1h. Doing testing and will upload a new recipe over the next few days. Long term i'd like to see us move away from openssl as the code smells horrible (libressl is nice once the OpenBSD centric stuff is removed, or maybe Mozilla's nss)

comment:9 by pulkomandy, 5 years ago

... or GnuTLS, or PolarSSL, or CyaSSL. Who wants to write recipes for them?

comment:10 by kallisti5, 5 years ago

Found the source of this issue.

We are putting our CA certificate in /boot/system/data/ssl/ vs /boot/system/data/ssl/certs/

curl and wget were "fixed" via https://bitbucket.org/haikuports/haikuports/src/687a8bdf9579eda98197b329896fbc681ebd43a0/net-misc/curl/curl-7.37.0.recipe?at=master#cl-52 and https://bitbucket.org/haikuports/haikuports/src/687a8bdf9579eda98197b329896fbc681ebd43a0/net-misc/wget/wget-1.15.recipe?at=master#cl-67

The wget hack to give this new path is a settings file.. however that won't be picked up by wget running within haikuporter as it is a chroot.

We need to see if moving the certificate to certs fixes the issue and enables us to drop the hacks.

comment:11 by waddlesplash, 5 years ago

Resolution: fixed
Status: in-progressclosed

OpenSSL configuration was changed, fixing the problem on other apps (e.g. QupZilla).

comment:12 by pulkomandy, 5 years ago

Milestone: R1/alpha5R1/beta1
Note: See TracTickets for help on using tickets.