Fixes YOCTO #16077
Commit 0f98fecd (a backport of 4909a46e) broke HTTPS downloads in opkg in the
SDK, they now fail with:
> SSL certificate problem: self-signed certificate in certificate chain
The root cause is a difference in the handling of related env vars between
curl-cli and libcurl. The CLI will honour CURL_CA_BUNDLE and SSL_CERT_DIR|FILE
(see [0]). Those are set in the SDK via env setup scripts like [1], so curl
continued to work. The library however does not handle those env vars. Thus,
unless the program utilizing libcurl has implemented a similar mechanism itself
and configures libcurl accordingly via the API (like for example Git in [2] and
[3]), there will be no default CA bundle configured to verify certificates
against.
Opkg only supports setting the CA bundle path via config options 'ssl_ca_file'
and 'ssl_ca_path'. Upstreaming and then backporting a patch to add env var
support is not a feasible short-time fix for the issue at hand. Instead it's
better to ship libcurl in the SDK with a sensible built-in default - which also
helps any other libcurl users.
This patch is based on a proposal by Peter.Marko@siemens.com in the related
mailing list discussion at [4].
(cherry picked from commit 3f819f57aa1960af36ac0448106d1dce7f38c050)
[0]: 400fffa90f/src/tool_operate.c (L2056-L2084)
[1]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl/environment.d-curl.sh?id=3a15ca2a784539098e95a3a06dec7c39f23db985
[2]: 6ab38b7e9c/http.c (L1389)
[3]: 6ab38b7e9c/http.c (L1108-L1109)
[4]: https://lists.openembedded.org/g/openembedded-core/topic/115993530#msg226751
(From OE-Core rev: 0e553b685c0a987a7be1eee16b7b5e3e48a036e2)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
CC: matthias.schiffer@ew.tq-group.com
CC: Peter.Marko@siemens.com
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
d792f1a83e