[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in
Re: Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in ca-certificates disabled
Tue, 06 Sep 2011 12:40:16 +0200
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:18.104.22.168) Gecko/20110820 Icedove/3.1.12
On 09/06/2011 12:16 PM, Simon Josefsson wrote:
| $ ls -l /etc/ssl/certs/ca-certificates.crt
| -rw-r--r-- 1 root root 0 Sep 2 00:07 /etc/ssl/certs/ca-certificates.crt
This is probably a libgnutls bug, but since I haven't pinned it down
I'm filing it here. Known problem?
I recall similar problems when I also disabled all CAs on my machine
long time ago. I suspect some software may be checking the return
code from the CA loading function, and will treat loading of 0
certificates as an error. Please try to track down the code that
triggers the error message to test this theory.
I believe it isn't that simple. I think the code that returns the
error in this case can be found here:
... and it clearly checks for a negative return value for it to be an error.
Thanks for the pointer -- I managed to track it down, and installed a
patch for it:
This is tricky. How do you distinguish bad pem encoding from zero
certificates? In any case I think that gnutls_x509_crt_list_import()
should fail on such error, since it was always like that. The fix should
be in gnutls_certificate_set_x509_trust_mem() and friends. I'll try to
check it out.