--capath not supported by libcurl with mbedTLS support

I am running into this weird error with my ar71xx builds:

Warning: ignoring --capath, not supported by libcurl
curl: (48) Error

This started with the switch from PolarSSL to mbedTLS. The full curl command is:

curl -# --capath /etc/ssl/certs/ --retry 3 "$URL/targets/$ARCH/$SUBTARGET/sha256sums" -o /tmp/sha256sums

Curl config:

$ ./scripts/diffconfig.sh |grep -i curl
CONFIG_LIBCURL_COOKIES=y
CONFIG_LIBCURL_FILE=y
CONFIG_LIBCURL_HTTP=y
CONFIG_LIBCURL_MBEDTLS=y
CONFIG_LIBCURL_NO_SMB="!"
CONFIG_PACKAGE_curl=y
CONFIG_PACKAGE_libcurl=y
# CONFIG_LIBCURL_FTP is not set
# CONFIG_LIBCURL_PROXY is not set

Libustream-mbedtls is installed.

"(TLS) Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with ":" (e.g. "path1:path2:path3"). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates."

https://curl.haxx.se/docs/manpage.html

It's not built against OpenSSL. It's built against mbedTLS.

And like I said, it worked perfectly before with PolarSSL.

It's an unsupported feature using mbed TLS.

OK... Yet it did work with PolarSSL. Sounds like a regression to me. Or did mbedTLS purposely drop some features when moving from their 'old' to their 'new' version?

So, while it seems --capath does not work anymore with mbedTLS, it looks like pointing cURL to the specific certificate to check against (with --cacert) works fine.

Problem worked around :smiley:

Is there another way to make this work? I would like to continue using the --capath flag.

Hi velvet,

we are experiencing the same issue in openwisp-config, which makes use of the --capath flag.

To fix this, curl must be compiled with openssl (maybe gnutls also works but I haven't tested this).

CONFIG_LIBCURL_OPENSSL=y

I am also wondering why this behaviour was changed and if it can be reverted or made backward compatible.

I found a workaround that seems to work and maintain backward compatibility with older OpenWrt versions:
https://github.com/openwisp/openwisp-config/commit/5c4f214946ce713d6e7e6ecf2f0479b8d21ed484

If you are not worried about older OpenWrt versions, you can install the ca-bundle package.

I hope this is not too heretical.
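The two workarounds discussed in this thread (switching to --cacert with a single bundle file, or keeping --capath only on an OpenSSL build) can be combined in one POSIX sh script that picks the right option at run time. The following is an added example written for this page; it is not code from the thread, from OpenWrt, or from the openwisp-config commit linked above. It assumes that the first line of `curl -V` names the TLS backend as a token such as `mbedTLS/2.16.3` or `OpenSSL/1.1.1` (this is how curl reports it), treats only OpenSSL as supporting --capath (the one backend confirmed in the thread; GnuTLS is untested above), and for every other backend concatenates the PEM files of a certificate directory into one bundle for --cacert. The function names (`tls_backend`, `ca_args`, `build_bundle`) and the sample version line are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or openwisp-config: choose curl CA options
# by TLS backend and build a single PEM bundle for backends without --capath.

# tls_backend <first line of `curl -V`>
# Prints the TLS library name ("OpenSSL", "mbedTLS", "GnuTLS", ...).
# Assumption: the line contains a "<lib>/<version>" token for the backend.
tls_backend() {
    for tok in $1; do
        case "$tok" in
            OpenSSL/*|mbedTLS/*|GnuTLS/*|wolfSSL/*|NSS/*)
                printf '%s\n' "${tok%%/*}"
                return 0 ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# ca_args <backend> <cadir> <bundle>
# Prints the CA option to pass to curl. Only OpenSSL gets --capath here;
# everything else (mbedTLS in the thread) gets the bundle via --cacert.
ca_args() {
    case "$1" in
        OpenSSL) printf '%s %s\n' "--capath" "$2" ;;
        *)       printf '%s %s\n' "--cacert" "$3" ;;
    esac
}

# build_bundle <cadir> <bundle>
# Concatenates every *.pem / *.crt file in <cadir> into <bundle>, prints the
# number of certificates written and fails (exit 1) if there were none, so a
# caller never hands curl an empty trust store.
build_bundle() {
    cadir=$1
    out=$2
    : > "$out"
    for f in "$cadir"/*.pem "$cadir"/*.crt; do
        [ -f "$f" ] || continue
        cat "$f" >> "$out"
        # make sure consecutive certificates are separated by a newline
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
    n=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    printf '%s\n' "$n"
    [ "$n" -gt 0 ]
}

# Usage sketch (constructed; the version line would normally come from
# `curl -V | head -n 1`):
#   backend=$(tls_backend "curl 7.64.0 (mips-openwrt-linux-gnu) libcurl/7.64.0 mbedTLS/2.16.3")
#   build_bundle /etc/ssl/certs /tmp/ca-bundle.pem
#   curl -# $(ca_args "$backend" /etc/ssl/certs/ /tmp/ca-bundle.pem) --retry 3 \
#       "$URL/targets/$ARCH/$SUBTARGET/sha256sums" -o /tmp/sha256sums
```

On an OpenSSL build the directory handed to --capath still has to be c_rehash'ed, as the man page excerpt quoted above notes; the bundle path avoids that requirement entirely, which is why it is the safer default for any backend you have not verified.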