* [Buildroot] [PATCH] package/libcurl: Also specify the CA bundle location
From: Lance Fredrickson @ 2025-04-17 19:05 UTC
To: buildroot; +Cc: Lance Fredrickson
From: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
---
package/libcurl/libcurl.mk | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 2066ba0388..509feeab64 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -67,7 +67,8 @@ endif
ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
LIBCURL_DEPENDENCIES += openssl
LIBCURL_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr \
- --with-ca-path=/etc/ssl/certs
+ --with-ca-path=/etc/ssl/certs \
+ --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
else
LIBCURL_CONF_OPTS += --without-openssl
endif
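Review bot: The `--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt` line is added to the OpenSSL branch with no commit message body, so the log does not record why `--with-ca-path=/etc/ssl/certs` alone is insufficient. Add a paragraph to the commit message describing the configuration that needs the bundle file and what changes for targets that keep the individual certificates.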
--
2.39.5
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/libcurl: Also specify the CA bundle location
From: Lance Fredrickson @ 2025-04-17 19:22 UTC
To: buildroot
This is a patch I've carried for my project where I only keep the ca
bundle. The ca-certificates package does install the bundle and distros
like Debian do specify a ca path & a ca bundle when configuring.
https://salsa.debian.org/debian/curl/-/blob/debian/unstable/debian/rules?ref_type=heads#L20
Lance
On 4/17/2025 1:05 PM, Lance Fredrickson wrote:
> From: Lance Fredrickson <lancethepants@gmail.com>
>
> Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
> ---
> package/libcurl/libcurl.mk | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 2066ba0388..509feeab64 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -67,7 +67,8 @@ endif
> ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
> LIBCURL_DEPENDENCIES += openssl
> LIBCURL_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr \
> - --with-ca-path=/etc/ssl/certs
> + --with-ca-path=/etc/ssl/certs \
> + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
> else
> LIBCURL_CONF_OPTS += --without-openssl
> endif
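Review bot: In the `ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)` branch the new option hardcodes `/etc/ssl/certs/ca-certificates.crt`, but the hunk only adds `openssl` to `LIBCURL_DEPENDENCIES`, and nothing visible here ties that path to the ca-certificates package named above as the installer of the bundle. Consider a comment next to the option naming the package that provides the file, so the two locations stay in sync if the install path changes.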
* Re: [Buildroot] [PATCH] package/libcurl: Also specify the CA bundle location
From: Peter Korsgaard @ 2025-05-17 20:32 UTC
To: Lance Fredrickson; +Cc: buildroot
>>>>> "Lance" == Lance Fredrickson <lancethepants@gmail.com> writes:
> From: Lance Fredrickson <lancethepants@gmail.com>
> Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Why? What does that change?
> ---
> package/libcurl/libcurl.mk | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 2066ba0388..509feeab64 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -67,7 +67,8 @@ endif
> ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
> LIBCURL_DEPENDENCIES += openssl
> LIBCURL_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr \
> - --with-ca-path=/etc/ssl/certs
> + --with-ca-path=/etc/ssl/certs \
> + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
> else
> LIBCURL_CONF_OPTS += --without-openssl
> endif
> --
> 2.39.5
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/libcurl: Also specify the CA bundle location
From: Lance Fredrickson @ 2025-07-18 14:53 UTC
To: Peter Korsgaard; +Cc: buildroot
I somehow missed this email.
On 5/17/2025 2:32 PM, Peter Korsgaard wrote:
>>>>>> "Lance" == Lance Fredrickson <lancethepants@gmail.com> writes:
> > From: Lance Fredrickson <lancethepants@gmail.com>
> > Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
>
> Why? What does that change?
This just adds the ability to also verify against ca-certificates.crt. I
remove all other certs and just keep this one.
Debian defines it as well.
https://salsa.debian.org/debian/curl/-/blob/debian/unstable/debian/rules?ref_type=heads#L20
And the cert bundle is also installed.
# Install the certificates bundle
$(INSTALL) -D -m 644 $(BUILD_DIR)/ca-certificates.crt \
$(TARGET_DIR)/etc/ssl/certs/ca-certificates.crt
>
>> ---
> > package/libcurl/libcurl.mk | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
>
> > diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> > index 2066ba0388..509feeab64 100644
> > --- a/package/libcurl/libcurl.mk
> > +++ b/package/libcurl/libcurl.mk
> > @@ -67,7 +67,8 @@ endif
> > ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
> > LIBCURL_DEPENDENCIES += openssl
> > LIBCURL_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr \
> > - --with-ca-path=/etc/ssl/certs
> > + --with-ca-path=/etc/ssl/certs \
> > + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
> > else
> > LIBCURL_CONF_OPTS += --without-openssl
> > endif
> > --
>
> > 2.39.5
>
* Re: [Buildroot] [PATCH] package/libcurl: Also specify the CA bundle location
From: Arnout Vandecappelle via buildroot @ 2026-02-04 13:14 UTC
To: Lance Fredrickson, buildroot
Hi Lance,
On 17/04/2025 21:05, Lance Fredrickson wrote:
> From: Lance Fredrickson <lancethepants@gmail.com>
>
> Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Applied to master, thanks. I extended the commit message quite a bit.
package/libcurl: also specify the CA bundle location
When given a certificate directory with --with-ca-path, curl doesn't
list the files in that directory. Instead, it uses the certificate hash
to directly open the requested CA certificate. Therefore, putting a
bundle in that directory and removing all the individual certificates is
not possible.
In order to support use of the bundle, a separate configuration option
--with-ca-bundle is needed. With this option, it is possible to remove
the individual certificates and include just the bundle, which reduces
the size of the root filesystem a bit.
Note that the bundle is generated by the ca-certificates package, which
also installs the individual certificates and the hash symlinks. It
keeps both individual certificates and the bundle in the target.
Regards,
Arnout
> ---
> package/libcurl/libcurl.mk | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 2066ba0388..509feeab64 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -67,7 +67,8 @@ endif
> ifeq ($(BR2_PACKAGE_LIBCURL_OPENSSL),y)
> LIBCURL_DEPENDENCIES += openssl
> LIBCURL_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr \
> - --with-ca-path=/etc/ssl/certs
> + --with-ca-path=/etc/ssl/certs \
> + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
> else
> LIBCURL_CONF_OPTS += --without-openssl
> endif
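The lookup difference described in the commit message above can be checked on a built target's certificate directory. This is an added example, not part of the thread or of Buildroot; the function names and the sample tree are hypothetical, and it assumes OpenSSL's rehash link naming (eight hex digits, a dot, an index).

```shell
#!/bin/sh
# Added example: classify the CA material present in a target's cert directory.
# Assumption: hash links use OpenSSL's rehash naming (8 hex digits, ".", index).

is_hash_name() {
    case $1 in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
    esac
    return 1
}

# count_hash_links DIR live|dangling -> number of hash-named entries in that state
count_hash_links() {
    n=0
    for f in "$1"/*; do
        is_hash_name "${f##*/}" || continue
        # -e follows symlinks, so a link to a deleted certificate is "dangling"
        if [ -e "$f" ]; then state=live; else state=dangling; fi
        if [ "$state" = "$2" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# ca_store_mode DIR -> both | capath-only | bundle-only | none
ca_store_mode() {
    bundle="$1/ca-certificates.crt"
    live=$(count_hash_links "$1" live)
    if [ -s "$bundle" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
        if [ "$live" -gt 0 ]; then echo both; else echo bundle-only; fi
    elif [ "$live" -gt 0 ]; then
        echo capath-only
    else
        echo none
    fi
}

# Constructed sample: a target where only the bundle was kept and the
# individual certificate was deleted, leaving its hash link dangling.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(constructed)' \
    '-----END CERTIFICATE-----' > "$demo_dir/ca-certificates.crt"
ln -s Removed_Root_CA.pem "$demo_dir/0123abcd.0"
echo "mode: $(ca_store_mode "$demo_dir"), dangling links: $(count_hash_links "$demo_dir" dangling)"
```

A result of `bundle-only` is the layout that depends on the `--with-ca-bundle` setting; a non-zero dangling count points at hash links left behind after the individual certificates were removed.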