Hi, I am posting here to continue a discussion from the #elfutils libera.chat channel about whether libdebuginfod might benefit from having a method of specifying a certificate bundle for libcurl.
Normally one would rely on the system's OpenSSL having been configured with up-to-date certificates. However in my use-case I can't depend on up-to-date certificates being installed on the system that I work with, so I package certificates together with my application (which contains libdebuginfod and its dependencies as a portable package). Other components that my application uses already have ways of specifying a certificate bundle. The curl tool supports custom certificates with the CURL_CA_BUNDLE environment variable, but with libcurl one must specify a custom certificate bundle with the CURLOPT_CAINFO option via the API.

I propose a new environment variable DEBUGINFOD_CA_BUNDLE or similar which can be used to pass to libcurl. Please see the attached patch below. There is also an option of recognising CURL_CA_BUNDLE as that environment variable is already established by the curl tool, but it could also be good to keep the name separate to libdebuginfod. I think having the option of specifying certificates could also be helpful for other situations such as specifying a self-signed certificate to use with servers under test.

Kind regards,
Magne
>From 78363eed66c8098961c84980d485f87c8b43f25c Mon Sep 17 00:00:00 2001 From: Magne Hov <m...@undo.io> Date: Tue, 11 May 2021 16:24:51 +0100 Subject: [PATCH] libdebuginfod: specify client CA bundle with DEBUGINFOD_CA_BUNDLE --- debuginfod/debuginfod-client.c | 7 +++++++ debuginfod/debuginfod.h.in | 1 + 2 files changed, 8 insertions(+) diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c index de26af5b..b9165733 100644 --- a/debuginfod/debuginfod-client.c +++ b/debuginfod/debuginfod-client.c @@ -827,6 +827,13 @@ debuginfod_query_server (debuginfod_client *c, curl_easy_setopt(data[i].handle, CURLOPT_ACCEPT_ENCODING, ""); curl_easy_setopt(data[i].handle, CURLOPT_HTTPHEADER, c->headers); + /* Pass SSL certificate to libcurl. */ + const char *certfile = getenv(DEBUGINFOD_CA_BUNDLE); + if (certfile != NULL && strlen (certfile) > 0) + { + curl_easy_setopt(data[i].handle, CURLOPT_CAINFO, certfile); + } + curl_multi_add_handle(curlm, data[i].handle); server_url = strtok_r(NULL, url_delim, &strtok_saveptr); } diff --git a/debuginfod/debuginfod.h.in b/debuginfod/debuginfod.h.in index 559ea947..3ed32f19 100644 --- a/debuginfod/debuginfod.h.in +++ b/debuginfod/debuginfod.h.in @@ -35,6 +35,7 @@ #define DEBUGINFOD_TIMEOUT_ENV_VAR "DEBUGINFOD_TIMEOUT" #define DEBUGINFOD_PROGRESS_ENV_VAR "DEBUGINFOD_PROGRESS" #define DEBUGINFOD_VERBOSE_ENV_VAR "DEBUGINFOD_VERBOSE" +#define DEBUGINFOD_CA_BUNDLE "DEBUGINFOD_CA_BUNDLE" /* The libdebuginfod soname. */ #define DEBUGINFOD_SONAME "@LIBDEBUGINFOD_SONAME@" -- 2.25.1
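Review bot: In the debuginfod-client.c hunk, the `getenv(DEBUGINFOD_CA_BUNDLE)` lookup and empty-string check sit inside the per-server loop (between the CURLOPT_HTTPHEADER setopt and curl_multi_add_handle), so they run once for every URL in DEBUGINFOD_URLS; hoist the lookup above the loop and only call `curl_easy_setopt(..., CURLOPT_CAINFO, certfile)` per handle. Two smaller points: CURLOPT_CAINFO expects a single bundle file, so a user who points the variable at a directory of hashed certificates gets a handshake failure rather than a working override (CURLOPT_CAPATH is the libcurl option for that layout, worth either supporting or stating in the documentation), and the new variable should be added to the manual page that already lists DEBUGINFOD_TIMEOUT, DEBUGINFOD_PROGRESS and DEBUGINFOD_VERBOSE, including a note that, like those, it is honoured from the plain process environment.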
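Review bot: In the debuginfod.h.in hunk, the new macro breaks the naming pattern of its neighbours: the existing variables are exposed as `DEBUGINFOD_TIMEOUT_ENV_VAR`, `DEBUGINFOD_PROGRESS_ENV_VAR` and `DEBUGINFOD_VERBOSE_ENV_VAR`, whereas `#define DEBUGINFOD_CA_BUNDLE "DEBUGINFOD_CA_BUNDLE"` makes the macro name identical to the environment variable it expands to, which reads as if the bare name were the string and makes the header harder to grep. Rename it `DEBUGINFOD_CA_BUNDLE_ENV_VAR` (and update the getenv call in the client to match) so it is consistent with the public API already in the header.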