Fixed
Created: Jun 21, 2017
Updated: Sep 8, 2018
Resolved Date: Jul 23, 2017
Found In Version: 7.0.0.24
Fix Version: 7.0.0.26
Severity: Standard
Applicable for: Wind River Linux 7
Component/s: Userspace
On WRLinux 7/IDP, when using curl to verify the server certificate of the staging HDC (https://stgsmrrc1-rlogin.novanp.adsdcsp.com), the verification fails.
(Since the HDC agent uses libcurl for file transfer, it fails for the same reason; the curl command is just an easy way to reproduce the issue.)
The following is the command and the output:
root@WR-LX-F620:~# curl -v -X GET https://stgsmrrc1-rlogin.novanp.adsdcsp.com
* Rebuilt URL to: https://stgsmrrc1-rlogin.novanp.adsdcsp.com/
* Hostname was NOT found in DNS cache
* Trying 54.208.0.66...
* Connected to stgsmrrc1-rlogin.novanp.adsdcsp.com (54.208.0.66) port 443 (#0)
* found 169 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The issue can be solved by:
- updating gnutls (curl is built with gnutls by default) from 3.3.5 to 3.3.17 (the same version as in WRLinux 8)
- updating the CA root certificate bundle in /etc/ssl/certs/ca-certificates.crt (it does not contain the root certificate that signed the HDC server certificate)
Another way to fix this is to build curl with OpenSSL:
- change the curl recipe to build it with ssl
PACKAGECONFIG = "${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)} ssl zlib"
The second fix works for WRLinux 7, but the IDP build will fail: IDP disables DES in openssl, while curl's NTLM code includes des.h, and the check in des.h fails the compile.
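As an added example (not part of this report), the script below reproduces the missing-root-CA cause with locally generated certificates and shows that verification passes once the root is added to the bundle. Only the host name is taken from the report; every certificate and bundle is constructed here, and the only requirement is the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the report): build a throwaway CA and a server
# certificate issued by it, then verify the server certificate against a
# bundle that lacks the root (fails, like curl (60) in the report) and
# against a bundle that includes it (passes). Everything is constructed.
set -e

HOST="stgsmrrc1-rlogin.novanp.adsdcsp.com"   # server name from the report
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root CA (stands in for the CA that signed HDC's certificate)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Constructed Test Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Constructed server certificate issued by that root
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -sha256 -days 2 -in "$WORK/server.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/server.crt" 2>/dev/null

# "Old" bundle: holds an unrelated root only, mimicking an outdated
# /etc/ssl/certs/ca-certificates.crt that lacks the issuing root
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Unrelated Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/bundle-old.crt" 2>/dev/null

# "New" bundle: the old contents plus the missing root
cat "$WORK/bundle-old.crt" "$WORK/root.crt" > "$WORK/bundle-new.crt"

# verify_with_bundle BUNDLE CERT: chain + host name check, as curl does it,
# using openssl verify; prints "ok" or "fail"
verify_with_bundle() {
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "old bundle: $(verify_with_bundle "$WORK/bundle-old.crt" "$WORK/server.crt")"  # fail
echo "new bundle: $(verify_with_bundle "$WORK/bundle-new.crt" "$WORK/server.crt")"  # ok
```

On a real system the same check is `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt` against the server certificate saved from the connection; a "fail" there with a current bundle points at the gnutls cause instead.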
On a WRLinux 7/IDP system, issue the curl GET command against the staging HDC; the server certificate verification will fail as described in the "Description" section.