[oe] SSL crypto broken in Daisy?

Paul Eggleton paul.eggleton at linux.intel.com
Thu Sep 18 12:41:59 UTC 2014


Hi Zoltán,

On Thursday 18 September 2014 14:36:16 Boszormenyi Zoltan wrote:
> I have built systemd-gnome-image from Daisy-based Angström using
> instructions from
> 
> http://wp.angstrom-distribution.org/?page_id=53
> 
> The set of layers includes "meta-intel" and I use the "genericx86" CPU.
> 
> The image I have has curl installed and whenever I want to use an https://
> URL from the internal LAN it fails with:
> 
> ========================================
> curl: (35) gnutls_handshake() failed: Handshake failed
> ========================================
> 
> The same happens with and without option "-k" (or "--insecure") to curl.
> 
> The webserver's cert is not actually right, as I get this when I use curl
> from Fedora 19, 20 or 21 Alpha:
> 
> ========================================
> curl: (60) Peer's Certificate issuer is not recognized.
> More details here: http://curl.haxx.se/docs/sslcerts.html
> 
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). If the default
>  bundle file isn't adequate, you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.
> ========================================
> 
> But using "curl -k" with the same URL from the *Fedora client* fetches the
> data properly.
> 
> Is this problem already known in Daisy or Daisy-based Angström?

Hmm, this sounds like it might be related to the following bug:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=6708

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre


