FS#50076 - [archboot] Missing ca-certificates bundle
Attached to Project:
Arch Linux
Opened by Alif (alive4ever) - Sunday, 17 July 2016, 09:59 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 26 August 2016, 19:49 GMT
Details
Description:
The archboot iso includes the links web browser to browse the web in text mode. However, this is insecure, because the browser doesn't know a set of trusted ca-certificates, so it always asks for approval when visiting https websites.

There should be an additional initcpio hook to install the ca-bundle so that links will have a set of trusted root certificates. The ca bundle should be placed at /etc/ssl/cert.pem. It may be necessary to add ca-certificates as an archboot dependency.

Additional info:
* package version(s): archboot 2016-05
* config and/or log files etc.

Steps to reproduce:
Download the archboot iso (or build your own archboot iso using the default config).
Boot the iso.
When the iso boots, press enter and exit the installer.
At the command line prompt, type 'links' to launch the browser.
Open any https website (shortcut g), for example https://wiki.archlinux.org
An annoying untrusted certificate prompt will be displayed because archboot lacks a trusted ca bundle.
Closed by Tobias Powalowski (tpowa)
Friday, 26 August 2016, 19:49 GMT
Reason for closing: Fixed
Additional comments about closing: on trunk in arch_base
Comment by Alif (alive4ever) -
Sunday, 17 July 2016, 10:44 GMT
Comment by Alif (alive4ever) -
Sunday, 17 July 2016, 10:50 GMT
Comment by Alif (alive4ever) -
Sunday, 17 July 2016, 13:34 GMT
This is a simple ca-certificate hook to symlink /etc/ssl/cert.pem
to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
Lacking a trusted CA bundle also causes downloader apps such as
curl, wget, and pacman to throw an error when interacting with
an https server.
The above initcpio patch isn't complete. Here is a revised patch
to also symlink /etc/ca-certificates/extracted/tls-ca-bundle.pem
to /etc/ssl/certs/ca-certificates.crt so that curl won't complain
about missing certificate.
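
A check for the two bundle paths named in this report, written as an added example; it is not part of the original report or of archboot's hook. The function names `resolve_in_root` and `check_ca_bundle` are hypothetical, and the script assumes it is pointed at an unpacked image root, so absolute symlink targets are resolved inside that root rather than on the host.

```shell
#!/bin/sh
# Added example: verify that the CA bundle paths from this report resolve to
# a PEM file inside an image root (for instance an unpacked initramfs).

# Paths taken from the report.
CA_PATHS="/etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt"

# resolve_in_root ROOT PATH: follow the symlink chain of the final path
# component as it would resolve after booting the image, i.e. absolute
# targets are relative to ROOT, not to the host filesystem.
resolve_in_root() {
    root=$1 path=$2 hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || return 1          # give up on symlink loops
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    done
    printf '%s\n' "$path"
}

# check_ca_bundle ROOT: return 0 only if every path in CA_PATHS resolves to a
# regular file holding at least one certificate; report each path either way.
check_ca_bundle() {
    root=${1%/} status=0
    for p in $CA_PATHS; do
        real=$(resolve_in_root "$root" "$p") || real=
        if [ -n "$real" ] && [ -f "$root$real" ] &&
           grep -q -- '-----BEGIN CERTIFICATE-----' "$root$real"; then
            echo "ok      $p -> $real"
        else
            echo "MISSING $p"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: sh check_ca.sh /path/to/unpacked/root
if [ "$#" -gt 0 ]; then check_ca_bundle "$1"; fi
```

A dangling symlink or an empty bundle file is reported as MISSING, which is the state in which links prompts and curl, wget and pacman fail as described above.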