
Use Mozilla's CA certificate store for libgit2 SSL certificates when compiling on SUSE SLES 11. #23807

Closed

Conversation

mikhail-j
Contributor

Currently, both v0.6.0 and a neutral build on SUSE SLES 11 SP4 do not fail to compile. However, the compiled binaries fail to execute successfully and print ErrorException("error initializing LibGit2 module") (#18693).

I've tried setting the SSL_CERT_DIR environmental variable when running the julia binary, but the binaries continue to print the same errors.

By default, the SUSE SLES 11 SP4 openssl-certs package does not provide CA certificates in a bundle.

This pull request fixes the lack of a CA certificate bundle on SUSE SLES 11 (#18936 #19556) by packaging the CA certificates bundle from the official curl project website (CA certificates extracted from Mozilla).


On a separate note, running make test on julia v0.6.0 in SUSE SLES 11 SP4 encounters an error with libgit2:

Evaluated: "SSL error: ffff8500 - SSL - Processing of the ServerKeyExchange handshake message failed" == "Invalid Content-Type: text/plain"

I fixed this issue by renaming the openssl (openssl v0.9.8j) to openssl0 and symbolically linking openssl to openssl1 (openssl v1.0.1g).

deps/libgit2.mk Outdated
CURL_LOCATION=$(shell which curl 2>/dev/null)
WGET_LOCATION=$(shell which wget 2>/dev/null)
ifeq ($(shell [ -x $(CURL_LOCATION) ] && $(CURL_LOCATION) -V >/dev/null && echo exists),exists)
$(shell curl --cacert $(OPENSSL_DIR)/certs/GlobalSign_Root_CA.pem -O https://curl.haxx.se/ca/cacert.pem && \
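Review bot: the download in `$(shell curl --cacert $(OPENSSL_DIR)/certs/GlobalSign_Root_CA.pem -O https://curl.haxx.se/ca/cacert.pem && \` is evaluated while make parses deps/libgit2.mk, so it runs on every invocation and no rule ever checks its exit status; a failed or partial download would still be picked up as the bundle. Make it the recipe of a target file (the bundle itself), pass `--fail` so curl returns non-zero on an HTTP error, and keep the `--cacert` pin to a single root, which is the right idea.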
Contributor

will this file change over time?

@mikhail-j
Contributor Author

@tkelman The GlobalSign Root CA certificate was added April 7, 2016 in recommended update openssl-certs-2.7-0.6.1.

According to openssl, the expiration date of the certificate should be January 28, 2028:

> openssl x509 -enddate -noout -in /etc/ssl/certs/GlobalSign_Root_CA.pem
notAfter=Jan 28 12:00:00 2028 GMT

The cacert.pem is updated whenever Mozilla changes their certificate store (https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt).

@tkelman
Contributor

tkelman commented Sep 22, 2017

Is there a versioned url we could download from and checksum verify so it's reproducible?

@mikhail-j
Contributor Author

@tkelman The GlobalSign_Root_CA.pem SSL certificate from openssl-certs can be verified by its SHA256 fingerprint (EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99) under the Common Name or Certificate Name GlobalSign Root CA in CSV format (linked as a list of all root CA certificates Firefox trusts here).

This fingerprint can be checked with:

> openssl x509 -fingerprint -sha256 -noout -in /etc/ssl/certs/GlobalSign_Root_CA.pem
SHA256 Fingerprint=EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99

There does not seem to be a checksum to verify cacert.pem provided by the official curl project website.

deps/libgit2.mk Outdated
@@ -70,10 +70,14 @@ CURL_LOCATION=$(shell which curl 2>/dev/null)
WGET_LOCATION=$(shell which wget 2>/dev/null)
ifeq ($(shell [ -x $(CURL_LOCATION) ] && $(CURL_LOCATION) -V >/dev/null && echo exists),exists)
$(shell curl --cacert $(OPENSSL_DIR)/certs/GlobalSign_Root_CA.pem -O https://curl.haxx.se/ca/cacert.pem && \
curl --cacert $(OPENSSL_DIR)/certs/GlobalSign_Root_CA.pem -O https://curl.haxx.se/ca/cacert.pem.sha256 && \
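Review bot: fetching `cacert.pem.sha256` from the same host, over the same connection and with the same trust root as `cacert.pem` only detects transfer corruption, not a substituted or silently changed bundle, because anyone who can alter one file at that origin can alter both. Record the expected SHA-256 of a dated bundle in deps/libgit2.mk (or a checksums file in the tree) and compare the download against that pinned value; that also makes the build reproducible, which the per-date files on the curl site allow.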
Contributor

better than nothing, but downloading the checksum from the same site doesn't help with repeatability of the build - is there a versioned source of these?

@mikhail-j
Contributor Author

@tkelman The Mozilla SSL certificate store does not seem to have versions (see certdata.txt).

However, the cacert.pem page provided by the official curl project website hosts older cacert.pem revisions by date (2017-09-20, 2017-06-07, etc).

All revisions of cacert.pem document the date of the converted certdata.txt on the 4th commented line.

This does not mean root CA certificates aren't added or revoked. For example, CNNIC was added to the list of distrusted root CA certificates (see https://arstechnica.com/information-technology/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/) in 2015.

Perhaps you would like the sha256 checksums of the previous cacert.pem revisions?

@mikhail-j
Contributor Author

@tkelman The recent commits change the requirement from the latest cacert.pem to cacert-2017-09-20.pem.

This file will not change and could be considered a version by date.

@staticfloat
Member

@mikhail-j this is pretty cool. I will take a closer look over the next couple of days because I want to see if this can instead just be used on all platforms; it seems a shame to have such a nicely put together downloading process used only on one platform when it could benefit them all and hopefully dodge the mess of Makefile rules that search for that file on various systems.

@mikhail-j
Contributor Author

@staticfloat I agree that this CA certificate store provided by Mozilla and the curl project website should be usable on all platforms.

I would prefer downloading the Mozilla SSL certificate store with an encrypted connection in addition to SHA256 checksum verification.

As you mentioned, SSL certificates are stored differently on different Linux operating systems. This can be a problem if we require an SSL/TLS v1.2 connection to download the certificates from the authenticated server.

However, downloading CA certificates without SSL/TLS would be a last resort.
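As an added example, not code from this pull request or from Julia's build system, the following POSIX shell sketch implements the approach the thread converges on: fetch the dated bundle over TLS using the single pinned root CA, and compare it against a SHA-256 recorded in the source tree rather than one fetched from the same server. Function names, paths and the digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the Julia PR): download a dated cacert bundle over
# TLS with a pinned root and install it only if it matches a pinned SHA-256.
set -eu

# sha256_of FILE: hex digest, using coreutils or openssl, whichever exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_HEX: 0 if the digest matches, 1 otherwise.
# EXPECTED_HEX must come from the build tree (e.g. a checksums file), never
# from the server that served FILE, or the check only detects corruption.
verify_pinned() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_cacert URL ROOT_PEM EXPECTED_HEX DEST
#   URL          dated bundle, e.g. https://curl.haxx.se/ca/cacert-2017-09-20.pem
#   ROOT_PEM     the one root CA trusted for this download (--cacert pin)
#   EXPECTED_HEX pinned digest of that dated file (placeholder in the caller)
#   DEST         install path; written atomically only after verification
fetch_cacert() {
    url=$1; root=$2; expected=$3; dest=$4
    tmp="$dest.tmp.$$"
    # --fail: HTTP errors become a non-zero exit instead of an HTML "bundle".
    curl --fail --silent --show-error --tlsv1.2 --cacert "$root" \
         -o "$tmp" "$url"
    if verify_pinned "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "cacert bundle digest mismatch, refusing to install" >&2
        return 1
    fi
}

# Usage (placeholder digest; the real value is recorded in the tree):
# fetch_cacert https://curl.haxx.se/ca/cacert-2017-09-20.pem \
#     /etc/ssl/certs/GlobalSign_Root_CA.pem <PINNED_SHA256_HEX> deps/cacert.pem
```

Because the digest lives in the tree, the build fails loudly when the dated file ever differs from what was reviewed, which is what makes it reproducible.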

@mikhail-j mikhail-j closed this Oct 19, 2017
@mikhail-j
Contributor Author

The following commits have been moved to a different branch susecacerts.

I will open a new pull request with an up-to-date branch.
