From 3ae77f079a4a0ea61013a8bde298db99fa74a1b3 Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Thu, 25 Feb 2016 01:55:38 -0500 Subject: [PATCH] configure: warn on invalid ca bundle or path - Warn if --with-ca-bundle file does not exist. - Warn if --with-ca-path directory does not contain certificates. - Improve help messages for both. Example configure output: ca cert bundle: /some/file (warning: certs not found) ca cert path: /some/dir (warning: certs not found) Bug: https://github.com/curl/curl/issues/404 Reported-by: Jeffrey Walton --- acinclude.m4 | 44 ++++++++++++++++++++++++++++++++++++-------- configure.ac | 4 ++-- 2 files changed, 38 insertions(+), 10 deletions(-) diff --git a/acinclude.m4 b/acinclude.m4 index 037c27d7c..4f25ac636 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -2570,7 +2570,8 @@ AC_DEFUN([CURL_CHECK_CA_BUNDLE], [ AC_MSG_CHECKING([default CA cert bundle/path]) AC_ARG_WITH(ca-bundle, -AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle]) +AC_HELP_STRING([--with-ca-bundle=FILE], +[Path to a file containing CA certificates (example: /etc/ca-bundle.crt)]) AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]), [ want_ca="$withval" @@ -2580,7 +2581,11 @@ AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]), ], [ want_ca="unset" ]) AC_ARG_WITH(ca-path, -AC_HELP_STRING([--with-ca-path=DIRECTORY], [Directory to use as CA path]) +AC_HELP_STRING([--with-ca-path=DIRECTORY], +[Path to a directory containing CA certificates stored individually, with \ +their filenames in a hash format. This option can be used with OpenSSL, \ +GnuTLS and PolarSSL backends. Refer to OpenSSL c_rehash for details. \ +(example: /etc/certificates)]) AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), [ want_capath="$withval" @@ -2590,6 +2595,10 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), ], [ want_capath="unset"]) + ca_warning=" (warning: certs not found)" + capath_warning=" (warning: certs not found)" + check_capath="" + if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \ "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then dnl both given @@ -2638,12 +2647,7 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), fi if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \ "x$OPENSSL_ENABLED" = "x1"; then - for a in /etc/ssl/certs/; do - if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then - capath="$a" - break - fi - done + check_capath="/etc/ssl/certs/" fi else dnl no option given and cross-compiling @@ -2651,6 +2655,30 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), fi fi + if test "x$ca" = "xno" || test -f "$ca"; then + ca_warning="" + fi + + if test "x$capath" != "xno"; then + check_capath="$capath" + fi + + if test ! -z "$check_capath"; then + for a in "$check_capath"; do + if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then + if test "x$capath" = "xno"; then + capath="$a" + fi + capath_warning="" + break + fi + done + fi + + if test "x$capath" = "xno"; then + capath_warning="" + fi + if test "x$ca" != "xno"; then CURL_CA_BUNDLE='"'$ca'"' AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [Location of default ca bundle]) diff --git a/configure.ac b/configure.ac index b235cdf9a..b208d4d11 100644 --- a/configure.ac +++ b/configure.ac @@ -3891,8 +3891,8 @@ AC_MSG_NOTICE([Configured to build curl/libcurl: --libcurl option: ${curl_libcurl_msg} Verbose errors: ${curl_verbose_msg} SSPI support: ${curl_sspi_msg} - ca cert bundle: ${ca} - ca cert path: ${capath} + ca cert bundle: ${ca}${ca_warning} + ca cert path: ${capath}${capath_warning} ca fallback: ${with_ca_fallback} LDAP support: ${curl_ldap_msg} LDAPS support: ${curl_ldaps_msg}