summaryrefslogtreecommitdiff
path: root/desktop
diff options
context:
space:
mode:
authorMichael Stahl <michael.stahl@allotropia.de>2023-11-03 20:16:09 +0100
committerMichael Stahl <michael.stahl@allotropia.de>2023-11-07 14:26:38 +0100
commit11f439b861922b9286b2e47ed326f3508a48d44e (patch)
treea12a36e77d2d2e9faaf4e06a1374607299fa7e16 /desktop
parent6313e83a6f03540c1256e1e433cdf81b0913ff82 (diff)
curl: mitigate migration to OpenSSL on Linux
The problem is that curl 8.3.0 removed the NSS backend, so we now have no other choice than to use the bundled OpenSSL on Linux. Currently any curl https connection fails with: CurlSession.cxx:963: curl_easy_perform failed: (60) SSL certificate problem: unable to get local issuer certificate Apparently this requires manually telling curl which CA certificates to trust; there is a configure flag --with-ca-bundle but that is useless as it tries to load the file relative to whatever is the current working directory, and also did i mention that there are at least 3 different locations where a Linux system may store its system trusted CA certificates because ALL ABOUT CHOICE. So add a new header with an init function to try out various file locations listed in this nice blog article and call it from way too many places that independently use curl. https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ TODO: perhaps bundle a cacert.pem as a fallback in case the system chose to innovate by putting its certificates in yet another unexpected place (regression from commit c2930ebff82c4f7ffe8377ab82627131f8544226) Change-Id: Ibf1cc0069bc2ae011ecead9a4c2b455e94b01241 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158915 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'desktop')
-rw-r--r--desktop/source/app/updater.cxx4
-rw-r--r--desktop/source/minidump/minidump.cxx4
2 files changed, 8 insertions, 0 deletions
diff --git a/desktop/source/app/updater.cxx b/desktop/source/app/updater.cxx
index 92f060b976e2..7ff6234b4555 100644
--- a/desktop/source/app/updater.cxx
+++ b/desktop/source/app/updater.cxx
@@ -37,6 +37,8 @@
#include <orcus/json_document_tree.hpp>
#include <orcus/config.hpp>
#include <orcus/pstring.hpp>
+
+#include <curlinit.hxx>
#include <comphelper/hash.hxx>
#include <com/sun/star/container/XNameAccess.hpp>
@@ -546,6 +548,8 @@ std::string download_content(const OString& rURL, bool bFile, OUString& rHash)
if (!curl)
return std::string();
+ ::InitCurl_easy(curl.get());
+
curl_easy_setopt(curl.get(), CURLOPT_URL, rURL.getStr());
curl_easy_setopt(curl.get(), CURLOPT_USERAGENT, kUserAgent);
bool bUseProxy = false;
diff --git a/desktop/source/minidump/minidump.cxx b/desktop/source/minidump/minidump.cxx
index 0bf20f2aa419..7fbb0884987d 100644
--- a/desktop/source/minidump/minidump.cxx
+++ b/desktop/source/minidump/minidump.cxx
@@ -17,6 +17,8 @@
#include <curl/curl.h>
+#include <curlinit.hxx>
+
#ifdef _WIN32
#include <memory>
#include <windows.h>
@@ -95,6 +97,8 @@ static bool uploadContent(std::map<std::string, std::string>& parameters, std::s
if (!curl)
return false;
+ ::InitCurl_easy(curl);
+
std::string proxy, proxy_user_pwd, ca_certificate_file, file, url, version;
getProperty("Proxy", proxy, parameters);