authorJay Satiro <raysatiro@yahoo.com>2016-02-25 01:55:38 -0500
committerJay Satiro <raysatiro@yahoo.com>2016-02-25 01:55:38 -0500
commit3ae77f079a4a0ea61013a8bde298db99fa74a1b3 (patch)
treee13d36e95f48d3f4328d9f6f7196d9949c170ccf
parent46bf7996f43a4c47b00dde6d127d50f9faea9dd9 (diff)
configure: warn on invalid ca bundle or path
- Warn if --with-ca-bundle file does not exist. - Warn if --with-ca-path directory does not contain certificates. - Improve help messages for both. Example configure output: ca cert bundle: /some/file (warning: certs not found) ca cert path: /some/dir (warning: certs not found) Bug: https://github.com/curl/curl/issues/404 Reported-by: Jeffrey Walton
-rw-r--r--acinclude.m444
-rw-r--r--configure.ac4
2 files changed, 38 insertions, 10 deletions
diff --git a/acinclude.m4 b/acinclude.m4
index 037c27d7c..4f25ac636 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -2570,7 +2570,8 @@ AC_DEFUN([CURL_CHECK_CA_BUNDLE], [
AC_MSG_CHECKING([default CA cert bundle/path])
AC_ARG_WITH(ca-bundle,
-AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle])
+AC_HELP_STRING([--with-ca-bundle=FILE],
+[Path to a file containing CA certificates (example: /etc/ca-bundle.crt)])
AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
[
want_ca="$withval"
@@ -2580,7 +2581,11 @@ AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
],
[ want_ca="unset" ])
AC_ARG_WITH(ca-path,
-AC_HELP_STRING([--with-ca-path=DIRECTORY], [Directory to use as CA path])
+AC_HELP_STRING([--with-ca-path=DIRECTORY],
+[Path to a directory containing CA certificates stored individually, with \
+their filenames in a hash format. This option can be used with OpenSSL, \
+GnuTLS and PolarSSL backends. Refer to OpenSSL c_rehash for details. \
+(example: /etc/certificates)])
AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
[
want_capath="$withval"
@@ -2590,6 +2595,10 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
],
[ want_capath="unset"])
+ ca_warning=" (warning: certs not found)"
+ capath_warning=" (warning: certs not found)"
+ check_capath=""
+
if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \
"x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
dnl both given
@@ -2638,12 +2647,7 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
fi
if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \
"x$OPENSSL_ENABLED" = "x1"; then
- for a in /etc/ssl/certs/; do
- if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
- capath="$a"
- break
- fi
- done
+ check_capath="/etc/ssl/certs/"
fi
else
dnl no option given and cross-compiling
@@ -2651,6 +2655,30 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
fi
fi
+ if test "x$ca" = "xno" || test -f "$ca"; then
+ ca_warning=""
+ fi
+
+ if test "x$capath" != "xno"; then
+ check_capath="$capath"
+ fi
+
+ if test ! -z "$check_capath"; then
+ for a in "$check_capath"; do
+ if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
+ if test "x$capath" = "xno"; then
+ capath="$a"
+ fi
+ capath_warning=""
+ break
+ fi
+ done
+ fi
+
+ if test "x$capath" = "xno"; then
+ capath_warning=""
+ fi
+
if test "x$ca" != "xno"; then
CURL_CA_BUNDLE='"'$ca'"'
AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [Location of default ca bundle])
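Review bot: The bundle check `if test "x$ca" = "xno" || test -f "$ca"; then` clears `ca_warning` for any regular file, so an empty or truncated bundle is still reported without a warning although it holds no certificates. Requiring a non-empty file would catch that case: `if test "x$ca" = "xno" || { test -f "$ca" && test -s "$ca"; }; then`. Both this test and the `ls` probe for hashed file names run against the build machine's filesystem, so for a cross build with an explicit --with-ca-bundle or --with-ca-path the result describes the wrong host. Skipping the probe when cross-compiling, or at least a `dnl` comment stating the limitation, would keep the warning trustworthy. CURL_CHECK_CA_BUNDLE starts and ends outside this hunk.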
diff --git a/configure.ac b/configure.ac
index b235cdf9a..b208d4d11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3891,8 +3891,8 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
--libcurl option: ${curl_libcurl_msg}
Verbose errors: ${curl_verbose_msg}
SSPI support: ${curl_sspi_msg}
- ca cert bundle: ${ca}
- ca cert path: ${capath}
+ ca cert bundle: ${ca}${ca_warning}
+ ca cert path: ${capath}${capath_warning}
ca fallback: ${with_ca_fallback}
LDAP support: ${curl_ldap_msg}
LDAPS support: ${curl_ldaps_msg}
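Review bot: The new warning reaches the user only as a suffix on the `ca cert bundle` and `ca cert path` summary lines, while configure still succeeds and, as the acinclude.m4 hunk shows, still defines CURL_CA_BUNDLE from the unverified value. In unattended builds this summary is rarely read, so a default trust-store location with no certificates can go unnoticed until TLS verification misbehaves at run time. Consider also reporting it through autoconf's warning channel once the check has printed its result, e.g. `AC_MSG_WARN([ca cert bundle $ca: certs not found])`, which goes to stderr. The AC_MSG_NOTICE block begins and ends outside this hunk.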