Bug 2379900 - Moving of off /etc/pki/tls/certs/ca-bundle.crt
Summary: Moving of off /etc/pki/tls/certs/ca-bundle.crt
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: lynx
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lukáš Zaoral
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2377135
Blocks:
Reported: 2025-07-14 12:28 UTC by Frantisek Krenzelok
Modified: 2025-07-22 12:30 UTC (History)
16 users

Fixed In Version:
Clone Of: 2378955
Environment:
Last Closed: 2025-07-21 12:25:34 UTC
Type: Bug
Embargoed:



Description Frantisek Krenzelok 2025-07-14 12:28:53 UTC
Hello, in anticipation of the https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile Fedora change proposal, which takes effect during the Fedora Rawhide mass rebuild (starting 23rd of July), we would like you to validate this and, if applicable, consider using `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` instead of the `/etc/ssl/certs/ca-certificates.crt` certificate bundle, which was found in the source code.

```
./lynx-2.9.2-build/lynx2.9.2/lynx.cfg:3606:#SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
```

Comment 1 Lukáš Zaoral 2025-07-17 08:20:27 UTC
Hello!
The highlighted line is a commented-out example suggestion in the default lynx.cfg.  Therefore, there is nothing blocking the mass rebuild since the value is not used.  I can change the example value to point to the new location, if needed:

> .h2 SSL_CERT_FILE
> # Set SSL_CERT_FILE to the file that contains all valid CA certificates lynx
> # should accept, in case the $SSL_CERT_FILE environment variable is not set,
> # e.g.,
> #
> #SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
> #SSL_CERT_FILE:NULL

Regards,
Lukas

Comment 2 Thomas E. Dickey 2025-07-17 19:39:19 UTC
That's not simply a suggested value,
but is the compiled-in default,
which the "drop" change is going to break.

> # As a documentation aid, the default values for each setting are shown
> # commented-out.  By convention, these default value comments have no space
> # after the "#", e.g.,
> #	#HTTP_PROTOCOL:1.0

(see https://github.com/ThomasDickey/lynx-snapshots/blob/49180d7dd0ef98c0774db7e5f9b2046d02ac7057/lynx.cfg#L28C1-L32C1)

Comment 3 Thomas E. Dickey 2025-07-17 20:21:54 UTC
I missed a detail: the compiled-in default is the last line

> #SSL_CERT_FILE:NULL

(and I don't see that adjusted in the rpm build options)
so aside from users who have followed the suggestion,
there would be no impact on the package itself.

Comment 4 Lukáš Zaoral 2025-07-21 12:19:06 UTC
Thank you for pointing that out, Thomas!  I completely missed that.

I've checked the sources for the use of the SSL_CERT_FILE macro and the associated SSL_cert_file variable
and it seems that it is only used to set the certfile variable if GnuTLS is used [1,2] but this Fedora
package uses OpenSSL.  Instead, lynx calls SSL_CTX_set_default_verify_paths to use OpenSSL's default location
with CA certificates.

[1] https://github.com/ThomasDickey/lynx-snapshots/blob/49180d7dd0ef98c0774db7e5f9b2046d02ac7057/WWW/Library/Implementation/HTTP.c#L244-L250
[2] https://github.com/ThomasDickey/lynx-snapshots/blob/49180d7dd0ef98c0774db7e5f9b2046d02ac7057/WWW/Library/Implementation/HTTP.c#L280-L295

strace shows that OpenSSL uses /etc/pki/tls/cert.pem by default which is also problematic according to the change proposal.
However, if I remove all problematic files listed in the proposal in my F42 test VM, OpenSSL will still load the correct certificate
and lynx is still able to load web pages over HTTPS:

```
# strace -e trace=open,openat,openat2 -o out.log lynx https://www.google.com
...
# cat out.log
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libbrotlidec.so.1", O_RDONLY|O_CLOEXEC) = 3
...
openat(AT_FDCWD, "/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/pki/tls/openssl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY) = 5
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/pki/tls/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)         <-- fails!
openat(AT_FDCWD, "/etc/pki/tls/certs", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/pki/tls/certs/a3418fda.0", O_RDONLY) = 4                                     <-- correct cert found
--- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
+++ exited with 0 +++
```

And lynx's builtin trace function confirms that as well:

```
# lynx -trace https://www.google.com
# cat Lynx.trace
...
HTParse:      result:`www.google.com'
...called SSL_set_tlsext_host_name(www.google.com) ->1
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
Validating CNs in '/CN=www.google.com'
Matching
        ssl_host  'www.google.com'
        cert_host 'www.google.com'
Verified connection to www.google.com (cert=www.google.com)
Certificate issued by: /C=US/O=Google Trust Services/CN=WE2
Secure 256-bit TLSv1.3 (TLS_AES_256_GCM_SHA384) HTTP connection
...
```

Therefore, I'd say that lynx is not affected by this change.
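The check above (compiled-in CA file missing, hashed CA directory still answering) can be scripted. The following is an added example, not lynx's or the Fedora package's own code; it uses Python's `ssl.get_default_verify_paths()`, which resolves the same compiled-in file and directory that OpenSSL's `SSL_CTX_set_default_verify_paths()` consults, including the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment overrides. The `<hash>.<n>` file name pattern is OpenSSL's by-hash directory convention (the `a3418fda.0` in the strace output); the helper names are this example's own.

```python
"""Report which OpenSSL default trust locations are usable on this host."""
import os
import re
import ssl

# OpenSSL's by-hash CA directory entries are named <subject_hash>.<n>, e.g. a3418fda.0.
# The directory lookup is lazy: a file is opened only when a chain needs that issuer.
HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def trust_paths():
    """Resolve the effective CA file and CA directory the way OpenSSL does.

    ssl.get_default_verify_paths() applies the SSL_CERT_FILE / SSL_CERT_DIR
    environment overrides and reports None for a location that does not exist.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,                  # None when the file is missing (the ENOENT above)
        "capath": p.capath,                  # None when the directory is missing
        "compiled_cafile": p.openssl_cafile, # e.g. /etc/pki/tls/cert.pem on Fedora
        "compiled_capath": p.openssl_capath, # e.g. /etc/pki/tls/certs on Fedora
        "cafile_env": p.openssl_cafile_env,  # "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,  # "SSL_CERT_DIR"
    }


def hashed_entries(capath):
    """Count <hash>.<n> entries in a CA directory; only these satisfy a dir lookup."""
    if not capath or not os.path.isdir(capath):
        return 0
    return sum(1 for name in os.listdir(capath) if HASHED_ENTRY.match(name))


def verify_paths_still_usable():
    """Return (usable, reason): can the defaults still supply CA certs with cert.pem gone?"""
    paths = trust_paths()
    if paths["cafile"]:
        return True, f"CA file present: {paths['cafile']}"
    n = hashed_entries(paths["capath"])
    if n:
        return True, f"CA file missing, {n} hashed entries in {paths['capath']}"
    return False, "neither a CA file nor a populated hashed CA directory was found"


if __name__ == "__main__":
    print(trust_paths())
    print(verify_paths_still_usable())
```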

Comment 5 Frantisek Krenzelok 2025-07-21 12:25:34 UTC
Thank you, Lukáš and Thomas, for the investigation.

As lynx uses OpenSSL defaults ^^^, this is indeed not an issue, closing.

