[X2Go-Commits] [buildscripts] 02/02: bin/slave-start-prepare.sh: fix connecting on older systems by bundling our own CA bundle.

git-admin at x2go.org git-admin at x2go.org
Sat Nov 27 05:20:46 CET 2021


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch master
in repository buildscripts.

commit 7358c95811ec907670d0145ee9abfcba27a6ca48
Author: Mihai Moldovan <ionic at ionic.de>
Date:   Sat Nov 27 05:20:34 2021 +0100

    bin/slave-start-prepare.sh: fix connecting on older systems by bundling our own CA bundle.
---
 bin/slave-start-prepare.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh
index 6cb94aa..ea3e5c9 100755
--- a/bin/slave-start-prepare.sh
+++ b/bin/slave-start-prepare.sh
@@ -66,6 +66,10 @@ rm -f -- "slave.jar"
 # This is okay, since curl still checks for the pubkey hash and aborts the
 # connection if the server's pubkey hash doesn't match the pinned one, even
 # when calling it with the --insecure parameter.
-curl -R --pinnedpubkey "${ssl_hash}" -JO "https://${host}/jnlpJars/slave.jar"
+
+# New issue: the CA certificates shipped with on older machines might include
+# expired ones. Bundle our own version (directly from upstream curl) and make
+# sure to override the system CA path to not pick up the expired ones.
+curl -R --pinnedpubkey "${ssl_hash}" --cacert "${HOME}/buildscripts/contrib/cacert-2021-10-26.pem" --capath '/dev/null' -JO "https://${host}/jnlpJars/slave.jar"
 
 exec java -jar "slave.jar"
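
Review bot: The --cacert argument on the added curl line hard-codes a dated snapshot (cacert-2021-10-26.pem) under "${HOME}/buildscripts/contrib", so this bundle will age just as the system stores did, and the new comment does not say how or when it gets refreshed. Suggest holding the path in a variable, checking that the file is readable before calling curl so that a missing or relocated checkout fails with a clear message instead of a generic TLS error, and stating in the comment that the file has to be re-fetched from upstream curl periodically. Separately, the context comment kept above the change still talks about calling curl "with the --insecure parameter", but neither the removed nor the added curl line passes --insecure; rewording it to describe the options actually used (--pinnedpubkey plus the bundled CA file) would keep the rationale accurate.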

--
Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/buildscripts.git

