Support TLSv1.2 and CA certificates in curl #450
Comments
Thanks for bringing this to our attention, sorry about this. We should definitely fix up the issue of which it's linking against and just get it straightened out with openssl for TLS. Regarding certificates, there were some prior changes that removed them. We'll have to figure out a new strategy there, given the differing opinions on what should and shouldn't be trusted.
Looking at the explicit dependencies, curl and libcurl appear to be using openssl for TLS; however, because curl links against libldap, that's where nss gets pulled in from.
Ah, that explains the use of NSS! So it is really the lack of TLSv1.2 and CA certs in libsunw_{crypto,ssl}.
My use case is getting cron jobs in the global zone (I want to monitor the health of my zpools) to send me mail, but submitting to gmail using SMTP AUTH. Turns out curl can do that...
Looking at the latest versions of SmartOS I'm seeing the native /usr/bin/curl properly using TLS v1.2. If we're seeing additional issues here, can you comment on this @chrisridd?
With a default setup, global zone curl continues to lack SSL certificates, e.g. for downloading scripts from GitHub. Is there some SmartOS command we can run to install these missing certificates? Does SmartOS pkgin/pkgsrc feature a "ca-certificates" package like with other UNIX distributions?
$ curl 'https://raw.githubusercontent.com/mcandre/usermod-p-shim/master/usermod-p.awk'
curl: (77) error setting certificate verify locations:
CAFile: /etc/ssl/certs/ca-certificates.crt
CAPath: none
$ ls -Ahl /etc/ssl
/etc/ssl: No such file or directory
My personal use case is using curl to submit over SSL to gmail. I’m not sure what the rationale behind SmartOS not shipping any ca-certs is, but it really isn’t helpful when the Internet is more and more using SSL by default.
You could install the SmartOS GZ tools pkgsrc set from https://pkgsrc.joyent.com/install-on-illumos/ and then configure curl with e.g.
Without some base case TLS CA certs in the global zone, in particular that trust pkgsrc.joyent.com, how do I securely bootstrap an instance?
The pkgsrc bootstrap checksums are published and can be verified independently, so unless there is a SHA-1 collision, that will get you the mozilla-rootcerts package providing the certificates you need for further operations. FWIW I'd also like to see the GZ ship a cacerts bundle. I understand the reasons for not wanting to (NetBSD doesn't ship with them by default either), but my opinion is that those who do not trust the default set of roots are likely to be capable of changing them, whereas not shipping them penalises everyone.
I was trying to fetch cmake source tarball in global zone, mozilla-rootcerts package installed, but yet getting the error: (found some certs in a bit different location)
$ curl -vsSLO https://github.com/Kitware/CMake/releases/download/v3.16.4/cmake-3.16.4.tar.gz --capath /opt/local/etc/openssl/certs/
* Trying 140.82.118.3...
* TCP_NODELAY set
* Failed to set TCP_KEEPALIVE on fd 4
* Connected to github.com (140.82.118.3) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /opt/local/etc/openssl/certs/
* Curl_http_done: called premature == 0
* Closing connection 0
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /opt/local/etc/openssl/certs/
Update: to globally make curl work, use echo insecure >> $HOME/.curlrc
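An alternative to the `insecure` setting that keeps certificate verification on, as an added example (not part of the thread or of SmartOS): the error 77 output above names a CAfile under /etc/ssl, which the earlier `ls` shows is absent, so this script builds one bundle file from the PEM files in a certificate directory and emits a `cacert` line for `.curlrc`. The function names and the bundle output path are assumptions; the PEM-marker check only confirms that a file looks like a certificate, not that it is a root you trust.

```shell
#!/bin/sh
# Added example: point curl at a CA file that exists instead of disabling checks.

# has_pem_cert FILE: true if FILE is readable and holds at least one PEM certificate.
has_pem_cert() {
    [ -f "$1" ] && [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle DIR OUT: concatenate every PEM certificate file in DIR into OUT.
# Symlinks are skipped: OpenSSL hash links in a CApath directory point at files
# already in that directory and would only add duplicates.
# Prints the number of files added; fails (and writes nothing) if none were found.
build_bundle() {
    dir=$1 out=$2 count=0
    [ -d "$dir" ] || return 1
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$dir"/*; do
        [ -L "$f" ] && continue
        case "$f" in "$tmp"|"$out") continue ;; esac   # never read our own output
        has_pem_cert "$f" || continue
        cat "$f" >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out" && echo "$count"
}

# curlrc_line FILE...: print a "cacert" setting for the first usable candidate.
curlrc_line() {
    for c in "$@"; do
        if has_pem_cert "$c"; then
            printf 'cacert = "%s"\n' "$c"
            return 0
        fi
    done
    return 1
}

# Usage (directory and CAfile path taken from the output above; the bundle
# location under $HOME is an assumption):
#   build_bundle /opt/local/etc/openssl/certs "$HOME/ca-bundle.crt"
#   curlrc_line /etc/ssl/certs/ca-certificates.crt "$HOME/ca-bundle.crt" >> "$HOME/.curlrc"
```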
The version of curl installed in the global zone only supports old and less secure versions of TLS. It would be very useful to support TLSv1.2.
In a related issue, curl is unable to trust any external SSL server as by default there is no database of CA certificates in the global zone. (curl claims to have been built with OpenSSL, but is also linked against the NSS libraries - which libraries are actually being used for TLS?)