[DRE-maint] Bug#911259: ruby-httpclient: Please use the system ca-certificates instead of bundling one
Vincent Tondellier
tonton+dbug at team1664.org
Wed Oct 17 19:05:19 BST 2018
Package: ruby-httpclient
Version: 2.8.3-1
Severity: normal
Dear Maintainer,
ruby-httpclient bundles a copy of the root certificate authorities:
$ dpkg -L ruby-httpclient | grep pem
/usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
/usr/lib/ruby/vendor_ruby/httpclient/cacert1024.pem
...
Thus, the local CAs configured by the local system administrator (by adding
a .crt file in /usr/local/share/ca-certificates/) are ignored, the explicitly
untrusted CAs are still valid, etc ...
Test (with ca-cacert installed):
$ ruby -rhttpclient -e 'p HTTPClient.get("https://www.cacert.org")'
...
/usr/lib/ruby/vendor_ruby/httpclient/ssl_socket.rb:103:in `connect':
SSL_connect returned=1 errno=0 state=error: certificate verify failed
(unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
Expected:
$ curl https://www.cacert.org
<!DOCTYPE ...
...
</html>
Please find attached a debdiff to use the system CA bundle instead.
Some comments:
- the file "cacert1024.pem" is not used by the code: removed
- the ca-certificates package is already pulled by rubygems-integration,
but a direct dependency may be better
Thanks.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ruby-httpclient depends on:
ii ruby 1:2.5.1
ii ruby-http-cookie 1.0.2-1
ii ruby2.1 [ruby-interpreter] 2.1.5-4
ii ruby2.2 [ruby-interpreter] 2.2.4-1
ruby-httpclient recommends no packages.
ruby-httpclient suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-httpclient-unbundle-ca.patch
Type: text/x-patch
Size: 1433 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20181017/45fe7fe7/attachment.bin>
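The failure mode reported above, reproduced offline as an added example (not part of the original report, the attached patch, or httpclient's code): a certificate issued by an administrator's local CA is verified against a store holding only a "bundled" anchor and against one that also holds the local CA. All certificates, names and the helpers make_cert, verify_with and trust_demo are constructed for this illustration.

```ruby
require "openssl"

# Constructed test PKI: a self-signed CA when issuer is nil, otherwise a leaf.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  constraint = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify cert against a store that trusts exactly the given anchors.
def verify_with(anchors, cert)
  store = OpenSSL::X509::Store.new
  anchors.each { |ca| store.add_cert(ca) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

def trust_demo
  bundled_key = OpenSSL::PKey::RSA.new(2048)
  local_key   = OpenSSL::PKey::RSA.new(2048)
  server_key  = OpenSSL::PKey::RSA.new(2048)
  # Stands in for a CA shipped inside a library's private cacert.pem.
  bundled_ca = make_cert("Constructed Bundled CA", bundled_key, 1)
  # Stands in for a .crt the admin dropped in /usr/local/share/ca-certificates/.
  local_ca = make_cert("Constructed Local Admin CA", local_key, 2)
  server = make_cert("internal.example", server_key, 3,
                     issuer: local_ca, issuer_key: local_key)
  {
    # Private bundle only: the admin's CA is invisible to the client.
    bundled: verify_with([bundled_ca], server),
    # System store model: on a real host, Store#set_default_paths loads
    # OpenSSL's default locations instead of these explicit add_cert calls.
    system: verify_with([bundled_ca, local_ca], server)
  }
end

p trust_demo if $PROGRAM_NAME == __FILE__
```

The `bundled` result fails with the same class of error shown in the report, while the `system` result verifies.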