Specifying CA certificates for libdebuginfod

Magne Hov mhov@undo.io
Fri May 28 17:36:17 GMT 2021


I am posting here to continue a discussion from the #elfutils
libera.chat channel about whether libdebuginfod might benefit from
having a method of specifying a certificate bundle for libcurl.

Normally one would rely on the system's OpenSSL having been configured
with up-to-date certificates. However, in my use case I can't depend on
up-to-date certificates being installed on the system that I work with,
so I package certificates together with my application (which contains
libdebuginfod and its dependencies as a portable package).

Other components that my application uses already have ways of
specifying a certificate bundle. The curl tool supports custom
certificates with the CURL_CA_BUNDLE environment variable, but with
libcurl one must specify a custom certificate bundle with the
CURLOPT_CAINFO option via the API. I propose a new environment variable
DEBUGINFOD_CA_BUNDLE or similar which can be used to pass to libcurl.
Please see the attached patch below.

There is also an option of recognising CURL_CA_BUNDLE as that
environment variable is already established by the curl tool, but it
could also be good to keep the name separate to libdebuginfod.

I think having the option of specifying certificates could also be
helpful for other situations such as specifying a self-signed
certificate to use with servers under test.

Kind regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-libdebuginfod-specify-client-CA-bundle-with-DEBUGINF.patch
Type: text/x-diff
Size: 1629 bytes
Desc: patch
URL: <https://sourceware.org/pipermail/elfutils-devel/attachments/20210528/30f569b3/attachment.bin>
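
The mechanism proposed in the message above, sketched as an added example; it is not the attached patch, whose contents are not shown on this page. The helper names, the `USE_LIBCURL` build macro, and the choice to check `DEBUGINFOD_CA_BUNDLE` before `CURL_CA_BUNDLE` are assumptions made for illustration; a variable that is set but does not name a PEM file is treated as an error instead of silently falling back to another trust store.

```c
/* Added illustration, not the attached patch. "cc -DUSE_LIBCURL ex.c -lcurl"
   also builds the libcurl-facing part. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

enum ca_status { CA_INVALID = -1, CA_DEFAULT = 0, CA_CUSTOM = 1 };

/* Hypothetical helper. CA_CUSTOM: *path names a PEM bundle. CA_DEFAULT: no
   variable set. CA_INVALID: set but unusable, so the caller fails closed. */
enum ca_status ca_bundle_from_env(const char **path)
{
  /* Precedence is an assumption: the proposed name first, then curl's. */
  static const char *const vars[] = { "DEBUGINFOD_CA_BUNDLE", "CURL_CA_BUNDLE" };
  for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++) {
    const char *p = getenv(vars[i]);
    struct stat st;
    char line[256];
    int found = 0;
    if (p == NULL || *p == '\0') continue;
    /* Only a regular, readable file is accepted. */
    FILE *f = stat(p, &st) == 0 && S_ISREG(st.st_mode) ? fopen(p, "r") : NULL;
    if (f == NULL) return CA_INVALID;
    while (!found && fgets(line, sizeof line, f) != NULL)
      found = strstr(line, "-----BEGIN CERTIFICATE-----") != NULL;
    fclose(f);
    if (!found) return CA_INVALID;
    *path = p;
    return CA_CUSTOM;
  }
  return CA_DEFAULT;
}

#ifdef USE_LIBCURL
/* Peer verification stays on; only the trust anchors change. */
CURLcode apply_ca_bundle(CURL *handle)
{
  const char *path = NULL;
  enum ca_status s = ca_bundle_from_env(&path);
  if (s == CA_CUSTOM) return curl_easy_setopt(handle, CURLOPT_CAINFO, path);
  return s == CA_INVALID ? CURLE_SSL_CACERT_BADFILE : CURLE_OK;
}
#endif

int main(void)
{
  const char *path = NULL;
  return ca_bundle_from_env(&path) == CA_INVALID; /* exit 1 on a bad bundle */
}
```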
