libcurl only searches in the Debian location for the certificate bundle
It appears the Steam Runtime's libcurl by default tries to use /etc/ssl/certs/ca-certificates.crt on all distros. This string can be checked with the following:
.../steam-runtime/amd64/usr/lib/x86_64-linux-gnu $ strings libcurl* | grep "\.crt"
/etc/ssl/certs/ca-certificates.crt
This is a problem on non-Debian-based distributions, where users can experience certificate verification failures caused by the runtime (which targets Ubuntu 12.04) only searching the Debian cert location.
With source access to whatever program is using curl there is a workaround: set the CURLOPT_CAINFO option to the correct path for the system, as follows:
// Search for whichever of these exist
static const char *const ca_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     // Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",       // Fedora/RHEL
    "/var/lib/ca-certificates/ca-bundle.pem", // OpenSUSE
    NULL
};
// Or escape the steam runtime and call `curl-config --ca` to grab the location.
const char *path_to_cert = NULL;
for (size_t i = 0; ca_candidates[i] != NULL && path_to_cert == NULL; i++)
    if (access(ca_candidates[i], R_OK) == 0)   // needs <unistd.h>
        path_to_cert = ca_candidates[i];
// Set CAINFO in curl (needs <curl/curl.h>; _easy is an existing CURL* handle)
curl_easy_setopt( _easy , CURLOPT_CAINFO, path_to_cert );
// For openssl use (needs <openssl/ssl.h>; ctx is an existing SSL_CTX*)
SSL_CTX_load_verify_locations( ctx, path_to_cert, NULL );
Locally, a user can place a symlink in the right location on their system, but that may affect system stability and is better avoided.
Unfortunately even developers don't always have direct access to the source that is using curl/openssl, so they aren't able to work around the issue as above. Would it be possible to modify the Steam Runtime to work out of the box on differing distros?
More info on this confusing issue can be found here: https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
@smcv I feel like we fixed this already? (in the last 2-3 months I think)
No, we fixed the Runtime's OpenSSL crashing if the host has a /etc/ssl/openssl.cnf that is not understood by the Runtime's OpenSSL version.
Possible solutions:
- ship an up-to-date Mozilla CA bundle (Debian's ca-certificates package) in the Steam Runtime, and modify the Runtime's libraries to respect $STEAM_RUNTIME if set
- make the Runtime's libraries try multiple locations by default, and assume the host system has at least one of them
I say "libraries" because it isn't clear which libraries need to be modified. Depending on the SSL library's API, we might need to modify SSL implementations (OpenSSL and GNUTLS), or we might need to modify SSL library users like libcurl and wget, or even (in the worst case) both.
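A fuller version of the multi-location search, covering both the CURLOPT_CAINFO workaround in the original post and the "try multiple locations by default" option above. This is an added example, not code from the Steam Runtime or from anyone in this thread. It assumes the candidate path list shown (only the Debian/Ubuntu entry is confirmed by the thread; the others are assumed distro defaults), honours OpenSSL's SSL_CERT_FILE environment variable as an explicit override, and checks that a candidate actually contains a PEM certificate rather than merely existing, so an empty file or dangling symlink is not accepted. The libcurl and OpenSSL calls are left in a comment so the file builds without those headers; the sample bundle used by the self-check is a constructed placeholder.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Well-known CA bundle locations, tried in order. The first is the
 * Debian/Ubuntu path the Runtime's libcurl is hard-wired to; the others
 * are assumed locations for other distributions (adjust as needed). */
static const char *const ca_bundle_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     /* Debian/Ubuntu */
    "/etc/pki/tls/certs/ca-bundle.crt",       /* Fedora/RHEL (assumed) */
    "/var/lib/ca-certificates/ca-bundle.pem", /* openSUSE (assumed) */
    "/etc/ssl/cert.pem",                      /* Alpine and some BSDs (assumed) */
    NULL
};

/* A usable bundle must be readable and contain at least one PEM
 * certificate; this rejects empty files and dangling symlinks, which a
 * bare access() or stat() check would accept. */
int looks_like_pem_bundle(const char *path)
{
    static const char marker[] = "-----BEGIN CERTIFICATE-----";
    char line[512];
    int found = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, fp) != NULL)
        found = strncmp(line, marker, sizeof marker - 1) == 0;
    fclose(fp);
    return found;
}

/* Pick the CA bundle: a non-empty override wins if it is usable, otherwise
 * the first usable candidate. Returns NULL when nothing is found so the
 * caller can fail closed instead of silently running unverified. */
const char *find_ca_bundle(const char *override, const char *const *candidates)
{
    if (override != NULL && override[0] != '\0' && looks_like_pem_bundle(override))
        return override;
    for (size_t i = 0; candidates[i] != NULL; i++)
        if (looks_like_pem_bundle(candidates[i]))
            return candidates[i];
    return NULL;
}

/* Self-check on constructed files: a later file holding a PEM header must
 * be chosen over a missing path and an earlier empty file, and an empty
 * override must be ignored. Returns 1 on success, 0 on failure. */
int self_test(void)
{
    char empty_path[] = "/tmp/ca-empty-XXXXXX";
    char pem_path[] = "/tmp/ca-pem-XXXXXX";
    /* Constructed placeholder, not a real certificate. */
    static const char pem[] =
        "-----BEGIN CERTIFICATE-----\nMIIB(placeholder)\n-----END CERTIFICATE-----\n";
    int fd_empty = mkstemp(empty_path);
    int fd_pem = mkstemp(pem_path);
    int ok = 0;
    if (fd_empty >= 0 && fd_pem >= 0 &&
        write(fd_pem, pem, sizeof pem - 1) == (ssize_t)(sizeof pem - 1)) {
        const char *const candidates[] = { "/nonexistent/ca.crt", empty_path, pem_path, NULL };
        const char *picked = find_ca_bundle(NULL, candidates);
        ok = picked == pem_path
          && find_ca_bundle("", candidates) == pem_path
          && looks_like_pem_bundle(empty_path) == 0;
    }
    if (fd_empty >= 0) { close(fd_empty); unlink(empty_path); }
    if (fd_pem >= 0)   { close(fd_pem);   unlink(pem_path); }
    return ok;
}

int main(void)
{
    const char *bundle = find_ca_bundle(getenv("SSL_CERT_FILE"), ca_bundle_candidates);
    if (bundle == NULL) {
        fputs("no usable CA bundle found; refusing to continue unverified\n", stderr);
        return 1;
    }
    printf("CA bundle: %s\n", bundle);
    /* Hand the path to the TLS layer, e.g.
     *   curl_easy_setopt(easy, CURLOPT_CAINFO, bundle);
     *   SSL_CTX_load_verify_locations(ctx, bundle, NULL);
     * (left as comments so this file builds without those headers). */
    return 0;
}
```

Returning NULL rather than falling back to "no CA file" matters: passing a missing or empty path to CURLOPT_CAINFO, or leaving verification unconfigured, produces either the same verification failures this issue describes or, worse, a program that someone "fixes" with CURLOPT_SSL_VERIFYPEER=0. Failing closed keeps the error visible until a real bundle is supplied.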
I just hit this bug when playing Warfork.
To work around it, I am using STEAM_RUNTIME_PREFER_HOST_LIBRARIES=0 steam.