kicad-developers team mailing list archive

Re: [rfc patch] replace avhttp with libcurl

 

@jp, your setup sounds fine then. It's probably just your CMAKE_INSTALL_PREFIX

I make it install inside mingw64 so all the kicad bins end up in:
D:\msys64\mingw64\bin

This means it can easily find the certs in
D:\msys64\mingw64\ssl\certs

the ca-certificates package does create that ssl\certs folder there ^.


If you use a different CMAKE_INSTALL_PREFIX then it may get funny. But
this is not a problem or fault of the setup, rather a little extra
work for the person doing things manually. There is no reason to set
curl_easy_setopt.

We will be completely fine, we do not need the curl_easy_setopt as our
distribution will just have the ssl\certs folder copied like all the
other msys2 files we copy.




>Clearly, *if* avhttp uses certificates, it uses a more easy way for
>users to find them."

Hahah I was wrong, avhttp was a bit annoying to follow.

on init it calls
>m_context.set_verify_mode(boost::asio::ssl::context::verify_none, ec);

which calls the openssl function to disable verification

later, the avhttp m_check_certificates calls
>ssl_sock->set_verify_callback(boost::asio::ssl::rfc2818_verification(m_url.host()), ec);

which then calls
>::SSL_CTX_set_verify(handle_,
::SSL_CTX_get_verify_mode(handle_),
&context::verify_callback_function);

which effectively tells it not to verify (reuses the previously set
verify none mode) but call the boost verification.

The boost verification only does a primitive hostname to certificate
verification (which is honestly useless).

So in summary, avhttp doesn't actually verify the legitimacy of certificates.
Because otherwise avhttp won't work on windows as we don't package the
ca-bundle that openssl will want.



So we could turn off VERIFY_PEER to match avhttp but I'm sure many
people will be against that.
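
The verification states discussed in this message, as an added example that is not part of the original post and is not KiCad, avhttp or libcurl code: it uses Python's OpenSSL-backed `ssl` module as a stand-in to compare a context left in "verify none" mode with one that verifies the chain and hostname, and to flag a verifying context that has no CA certificates loaded. The function names and finding labels are hypothetical.

```python
import ssl

def avhttp_like_context():
    """Client context in the state the message describes: verify mode 'none'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE   # any certificate chain is accepted
    return ctx

def verifying_context(cafile=None, capath=None):
    """Chain and hostname verification on; trust anchors come from the given
    bundle or, when none is given, from the platform's default locations."""
    return ssl.create_default_context(cafile=cafile, capath=capath)

def hostname_only_allowed():
    """Can hostname matching stay on while chain verification is turned off?"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # check_hostname starts True
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False    # Python's ssl module rejects the combination
    return True

def audit(ctx):
    """Return labels for what a client context leaves unchecked."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-chain-verification")
    elif ctx.cert_store_stats()["x509_ca"] == 0:
        # Certificates in a capath directory load lazily, so 0 can be a
        # false alarm when the trust store is a hashed directory.
        findings.append("empty-trust-store")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    return findings

if __name__ == "__main__":
    print("verify none :", audit(avhttp_like_context()))
    print("default     :", audit(verifying_context()))
    print("no CA loaded:", audit(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
    print("hostname check without chain check allowed:", hostname_only_allowed())
```

A context that reports `empty-trust-store` has verification enabled but nothing to verify against, which is the situation a missing CA bundle produces.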

