Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in ca-certificates disabled

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 6 12:40:16 CEST 2011

On 09/06/2011 12:16 PM, Simon Josefsson wrote:

>>>> | $ ls -l /etc/ssl/certs/ca-certificates.crt
>>>> | -rw-r--r-- 1 root root 0 Sep  2 00:07 /etc/ssl/certs/ca-certificates.crt
>>>> This is probably a libgnutls bug, but since I haven't pinned it down
>>>> I'm filing it here.  Known problem?
>>> I recall similar problems when I also disabled all CAs on my machine
>>> long time ago.  I suspect some software may be checking the return
>>> code from the CA loading function, and will treat loading of 0
>>> certificates as an error. Please try to track down the code that
>>> triggers the error message to test this theory.
>> I believe it isn't that simple. I think the code that returns the
>> error in this case can be found here:
>>     https://github.com/bagder/curl/blob/master/lib/gtls.c#L377
>> ... and it clearly checks for a negative return value for it to be an error.
> Thanks for the pointer -- I managed to track it down, and installed a
> patch for it:
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=ab782d356200f44736edb687304d5e90438e2185

This is tricky. How do you distinguish bad pem encoding from zero 
certificates? In any case I think that gnutls_x509_crt_list_import() 
should fail on such error, since it was always like that. The fix should 
be in gnutls_certificate_set_x509_trust_mem() and friends. I'll try to 
check it out.


More information about the Gnutls-devel mailing list