Fix CA certificate chain lookup logic
When the values libcurl provides as defaults are broken, they should be
unset or replaced with working ones. Therefore, we now probe them, unset
broken ones and then run our detection logic if the values have not been
set.

This should make sure both values are either set with a seemingly usable
path or unset.

When neither of the values works, we log a warning. The included locations can then be amended, if possible.
TheAssassin committed May 5, 2024
1 parent 5ac830f commit 168afd1
Showing 1 changed file with 24 additions and 9 deletions.
33 changes: 24 additions & 9 deletions src/appimagetool_fetch_runtime.cpp
Expand Up @@ -134,6 +134,9 @@ class GetRequest {
}

void setUpTlsCaChainCompatibility(bool verbose) {
bool foundFile = false;
bool foundDir = false;

// from curl 7.84.0 on, one can query the default values and check if these files or directories exist
// if not, we anyway run the detection
#define querying_supported LIBCURL_VERSION_NUM >= CURL_VERSION_BITS(7, 84, 0)
Expand All @@ -144,7 +147,12 @@ class GetRequest {
if (verbose) {
std::cerr << "libcurl's default CA certificate bundle file " << caInfo << " was found on this system" << std::endl;
}
return;
foundFile = true;
} else {
if (verbose) {
std::cerr << "libcurl's default CA certificate bundle file " << caInfo << " was not found on this system, nulling" << std::endl;
}
setOption(CURLOPT_CAINFO, "");
}
}

Expand All @@ -155,36 +163,43 @@ class GetRequest {
std::cerr << "libcurl's default CA certificate bundle directory " << caPath
<< " was found on this system" << std::endl;
}
return;
foundDir = true;
} else {
if (verbose) {
std::cerr << "libcurl's default CA certificate bundle directory " << caPath << " was not found on this system, nulling" << std::endl;
}
setOption(CURLOPT_CAPATH, "");
}
}
#else
#warning "libcurl version too old, not trying to use default values for system-provided CA certificate bundles"
#endif

{
if (!foundFile) {
const auto chainFile = findCaBundleFile();
if (!chainFile.empty()) {
if (verbose) {
std::cerr << "Using CA bundle file in " << chainFile << std::endl;
}
setOption(CURLOPT_CAINFO, chainFile.c_str());
return;
}
foundFile = true;
}

{
if (!foundDir) {
const auto chainDir = findCaBundleDirectory();
if (!chainDir.empty()) {
if (verbose) {
std::cerr << "Using CA bundle file in " << chainDir << std::endl;
std::cerr << "Using CA bundle dir in " << chainDir << std::endl;
}
setOption(CURLOPT_CAINFO, chainDir.c_str());
return;
setOption(CURLOPT_CAPATH, chainDir.c_str());
}
foundDir = true;
}

std::cerr << "Warning: could not find valid CA chain bundle, HTTPS requests will likely fail" << std::endl;
if (!foundFile && !foundDir) {
std::cerr << "Warning: could not find valid CA chain bundle, HTTPS requests will likely fail" << std::endl;
}
}

public:
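Review bot: In the last hunk the fallback detection sets `foundFile = true;` after the `if (!chainFile.empty())` block has already closed (the brace sequence, as far as the rendering shows it, puts the assignment directly inside `if (!foundFile)`), and `foundDir = true;` likewise sits outside `if (!chainDir.empty())`, so both flags are true after this section regardless of whether `findCaBundleFile()` / `findCaBundleDirectory()` returned anything, and the warning guarded by `if (!foundFile && !foundDir)` can never fire — the commit message describes that warning as the signal for "neither value works". Moving each assignment into the non-empty branch right after the corresponding option is applied restores the intended behaviour: `setOption(CURLOPT_CAINFO, chainFile.c_str()); foundFile = true;` and `setOption(CURLOPT_CAPATH, chainDir.c_str()); foundDir = true;`. The outcome when both defaults were nulled via `setOption(CURLOPT_CAINFO, "")` / `setOption(CURLOPT_CAPATH, "")` and no fallback is found is presumably that no trust store is configured at all and the request fails verification, which is the fail-closed result the warning text already describes, so what is lost today is the diagnostic, not the safety of the connection. setUpTlsCaChainCompatibility starts in the first hunk (`-134,6 +134,9`) and its enclosing class GetRequest is outside the shown hunks.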