Support TLSv1.2 and CA certificates in curl #450

Closed

chrisridd opened this issue May 27, 2015 · 11 comments
@chrisridd

The version of curl installed in the global zone only supports old and less secure versions of TLS. It would be very useful to support TLSv1.2.

In a related issue, curl is unable to trust any external SSL server as by default there is no database of CA certificates in the global zone. (curl claims to have been built with OpenSSL, but is also linked against the NSS libraries - which libraries are actually being used for TLS?)

@rmustacc rmustacc self-assigned this May 27, 2015
@rmustacc
Contributor

Thanks for bringing this to our attention, sorry about this. We should definitely fix up the issue of which it's linking against and just get it straightened out with openssl for TLS. Regarding certificates, there were some prior changes that removed them. We'll have to figure out a new strategy there, given the differing opinions on what should and shouldn't be trusted.

@rmustacc
Contributor

Looking at the explicit dependencies, curl and libcurl appear to be using openssl for TLS; however, because curl links against libldap, that's where nss gets pulled in from.

@chrisridd
Author

Ah, that explains the use of NSS! So it is really the lack of TLSv1.2 and CA certs in libsunw_{crypto,ssl}.

@chrisridd
Author

My use case is getting cron jobs in the global zone (I want to monitor the health of my zpools) to send me mail, but submitting to gmail using SMTP AUTH. Turns out curl can do that...

@rmustacc
Contributor

rmustacc commented Jul 7, 2015

Looking at the latest versions of SmartOS I'm seeing the native /usr/bin/curl properly using TLS v1.2. If we're seeing additional issues here, can you comment on this @chrisridd?

@rmustacc rmustacc closed this as completed Jul 7, 2015
@mcandre

mcandre commented Feb 25, 2018

With a default setup, global zone curl continues to lack SSL certificates, e.g. for downloading scripts from GitHub. Is there some SmartOS command we can run to install these missing certificates? Does SmartOS pkgin/pkgsrc feature a "ca-certificates" package like with other UNIX distributions?

$ curl 'https://raw.githubusercontent.com/mcandre/usermod-p-shim/master/usermod-p.awk'
curl: (77) error setting certificate verify locations:
  CAFile: /etc/ssl/certs/ca-certificates.crt
  CAPath: none

$ ls -Ahl /etc/ssl
/etc/ssl: No such file or directory

@chrisridd
Author

My personal use case is using curl to submit over SSL to gmail.

I’m not sure what the rationale behind SmartOS not shipping any ca-certs is, but it really isn’t helpful when the Internet is more and more using SSL by default.

@jperkin

jperkin commented Feb 25, 2018

You could install the SmartOS GZ tools pkgsrc set from https://pkgsrc.joyent.com/install-on-illumos/ and then configure curl with e.g. /root/.curlrc containing

--capath /opt/tools/etc/openssl/certs

@andrewrothstein

Without some base case TLS CA certs in the global zone, in particular ones that trust pkgsrc.joyent.com, how do I securely bootstrap an instance?

@jperkin

jperkin commented Mar 1, 2018

The pkgsrc bootstrap checksums are published and can be verified independently, so unless there is a SHA-1 collision, that will get you the mozilla-rootcerts package providing the certificates you need for further operations.

FWIW I'd also like to see the GZ ship a cacerts bundle. I understand the reasons for not wanting to (NetBSD doesn't ship with them by default either), but my opinion is that those who do not trust the default set of roots are likely to be capable of changing them, whereas not shipping them penalises everyone.
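The checksum step jperkin describes, worked through as an added example (this is not pkgsrc code, and the digests used in the usage section are constructed for illustration, not the real values for any pkgsrc bootstrap tarball). The script computes the tarball's SHA-256 and, optionally, SHA-1 with whatever digest tool the host has (`sha256sum`, `shasum`, or illumos `digest`), compares them with values you obtained independently, and refuses the file on any mismatch. Checking SHA-256 rather than relying on SHA-1 alone is the practitioner's answer to the collision caveat raised above:

```shell
#!/bin/sh
# Added example, not from the pkgsrc project or this thread: verify a
# downloaded pkgsrc bootstrap tarball against independently obtained
# checksums before extracting it.  Take the real digests from the published
# checksum file over a channel you already trust, never from the same
# unverified download.

# Print the hex digest of FILE under ALGO (sha256 or sha1), using whichever
# tool the host provides.  Exit 2 if the algorithm or tool is unavailable.
digest_of() {
    algo=$1; file=$2
    case $algo in
        sha256) bits=256 ;;
        sha1)   bits=1 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "${algo}sum" >/dev/null 2>&1; then        # GNU coreutils
        "${algo}sum" "$file" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then            # perl shasum (macOS, BSDs)
        shasum -a "$bits" "$file" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then            # illumos/SmartOS digest(1)
        digest -a "$algo" "$file"
    else
        echo "no $algo tool found" >&2; return 2
    fi
}

# Compare FILE's ALGO digest with EXPECTED (hex, case-insensitive).
# Exit 0 on match, 1 on mismatch, 2 if the digest could not be computed.
verify_digest() {
    algo=$1; file=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    actual=$(digest_of "$algo" "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf '%s: %s mismatch\n  expected %s\n  actual   %s\n' \
        "$file" "$algo" "$expected" "$actual" >&2
    return 1
}

# Require a SHA-256 match; if a SHA-1 value is also supplied (pkgsrc publishes
# one), require it too.  Any failure means: do not extract the tarball.
verify_bootstrap() {
    file=$1; sha256_expected=$2; sha1_expected=${3:-}
    verify_digest sha256 "$file" "$sha256_expected" || return 1
    if [ -n "$sha1_expected" ]; then
        verify_digest sha1 "$file" "$sha1_expected" || return 1
    fi
    return 0
}

# Usage: ./verify-bootstrap.sh bootstrap.tar.gz SHA256HEX [SHA1HEX]
if [ $# -ge 2 ]; then
    if verify_bootstrap "$@"; then
        echo "checksums match; safe to extract $1"
    else
        echo "checksum verification FAILED; discard $1" >&2
        exit 1
    fi
fi
```

Only after this passes should the tarball be extracted and `mozilla-rootcerts` installed from it; from then on curl has a trust store and later downloads can be verified over TLS.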

@am11

am11 commented Feb 8, 2020

I was trying to fetch the cmake source tarball in the global zone, with the mozilla-rootcerts package installed, but I'm still getting the error:

(found some certs in a bit different location /opt/local/etc/openssl/certs/)

$ curl -vsSLO https://github.com/Kitware/CMake/releases/download/v3.16.4/cmake-3.16.4.tar.gz --capath /opt/local/etc/openssl/certs/
*   Trying 140.82.118.3...
* TCP_NODELAY set
* Failed to set TCP_KEEPALIVE on fd 4
* Connected to github.com (140.82.118.3) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /opt/local/etc/openssl/certs/
* Curl_http_done: called premature == 0
* Closing connection 0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /opt/local/etc/openssl/certs/

Using curl -k ... bypasses the certificate check, but I'm still looking for a solution.

Update: to globally make curl work with --insecure, append a line to curl config file:

echo insecure >> $HOME/.curlrc
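An added example (not code from this thread, SmartOS or pkgsrc) that ties together jperkin's `.curlrc` suggestion above and the error-77 transcript just posted. In that transcript curl was given a valid `--capath`, but its compiled-in default CAfile (`/etc/ssl/certs/ca-certificates.crt`) does not exist on the global zone, and OpenSSL's verify-location setup fails as soon as one configured location cannot be opened, hence `curl: (77)`. Pointing curl at the bundle file with `--cacert` (or `cacert = ...` in `.curlrc`) replaces that default and keeps verification on; appending `insecure` to `.curlrc`, by contrast, disables verification for every curl invocation that user runs. The script below picks the first usable PEM bundle from a list of candidate paths (the `/opt/local/...` and `/opt/tools/...` paths are assumptions based on the comments above, not guaranteed install locations), writes the `cacert` line, and refuses to touch a `.curlrc` that already turns verification off. Note also that `--capath` expects a directory of hash-named links (as produced by `c_rehash` or `openssl rehash`), whereas `--cacert` takes a single concatenated PEM file.

```shell
#!/bin/sh
# Added example; not SmartOS, pkgsrc or curl project code.  The candidate
# bundle paths in the usage section are assumptions, not documented
# locations: pass the real path your mozilla-rootcerts install produced.

# Match a curlrc line that disables verification: "insecure", "--insecure"
# or "-k", alone on the line or followed by whitespace.
INSECURE_RE='^[[:space:]]*(-k|--insecure|insecure)([[:space:]]|$)'

# Exit 0 if the curlrc FILE disables certificate verification.
curlrc_is_insecure() {
    [ -f "$1" ] && grep -q -E "$INSECURE_RE" "$1"
}

# Print the first argument that is a readable, non-empty file containing at
# least one PEM certificate; exit 1 if none qualifies.
find_ca_bundle() {
    for candidate in "$@"; do
        [ -s "$candidate" ] || continue
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Append "cacert = BUNDLE" to the curlrc RCFILE so every curl run verifies
# peers against that bundle instead of the missing compiled-in default.
# Refuses (exit 2) if RCFILE already contains an insecure directive, since
# a cacert line would give a false sense of safety next to it.
write_curlrc() {
    rcfile=$1; bundle=$2
    if curlrc_is_insecure "$rcfile"; then
        echo "refusing: $rcfile already disables certificate verification" >&2
        return 2
    fi
    printf 'cacert = %s\n' "$bundle" >> "$rcfile"
}

# Usage: ./curl-trust.sh --install   (writes $HOME/.curlrc)
if [ "${1:-}" = "--install" ]; then
    # Assumed candidate locations; adjust to where your bundle actually lives.
    bundle=$(find_ca_bundle \
        /opt/local/etc/openssl/certs/ca-certificates.crt \
        /opt/tools/etc/openssl/certs/ca-certificates.crt \
        /opt/local/share/mozilla-rootcerts/cacert.pem) || {
        echo "no CA bundle found; install mozilla-rootcerts first" >&2
        exit 1
    }
    write_curlrc "$HOME/.curlrc" "$bundle" && echo "curl will verify against $bundle"
fi
```

After installing, `curl -v https://pkgsrc.joyent.com/ -o /dev/null` should show the CAfile being loaded and the handshake completing without `-k`.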
