From 874f06e29c5172822990a20ea6f8bd48e706270b Mon Sep 17 00:00:00 2001
From: Thomas Madlener
Date: Fri, 29 Oct 2021 16:55:48 +0200
Subject: curl: fix mbedtls versions and certs config (#26877)
Co-authored-by: Harmen Stoppels
---
 var/spack/repos/builtin/packages/curl/package.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/var/spack/repos/builtin/packages/curl/package.py b/var/spack/repos/builtin/packages/curl/package.py
index 6781454ef0..198d3b29ad 100644
--- a/var/spack/repos/builtin/packages/curl/package.py
+++ b/var/spack/repos/builtin/packages/curl/package.py
@@ -87,7 +87,8 @@ class Curl(AutotoolsPackage):
 conflicts('tls=mbedtls', when='@:7.45')
 depends_on('gnutls', when='tls=gnutls')
- depends_on('mbedtls', when='tls=mbedtls')
+ depends_on('mbedtls@3:', when='@7.79: tls=mbedtls')
+ depends_on('mbedtls@:2', when='@:7.78 tls=mbedtls')
 depends_on('nss', when='tls=nss')
 depends_on('openssl', when='tls=openssl')
 depends_on('libidn2', when='+libidn2')
@@ -111,11 +112,17 @@ class Curl(AutotoolsPackage):
 '--without-libgsasl',
 '--without-libpsl',
 '--without-zstd',
- '--without-ca-bundle',
- '--without-ca-path',
- '--with-ca-fallback',
 ]
+ # Make gnutls / openssl decide what certs are trusted.
+ # TODO: certs for other tls options.
+ if spec.satisfies('tls=gnutls') or spec.satisfies('tls=openssl'):
+ args.extend([
+ '--without-ca-bundle',
+ '--without-ca-path',
+ '--with-ca-fallback',
+ ])
+
 # https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/
 # We always disable it explicitly, but the flag is gone in newer
 # versions.
@@ -134,6 +141,7 @@ class Curl(AutotoolsPackage):
 args += self.with_or_without('libssh2')
 args += self.with_or_without('libssh')
 args += self.enable_or_disable('ldap')
+
 return args
 def with_or_without_gnutls(self, activated):
--
cgit v1.2.3-70-g09d2
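Review bot: In the first hunk (`@@ -87,7 +87,8 @@`), the two new `depends_on('mbedtls…')` lines have no comment explaining why the boundary sits at curl 7.79. `mbedtls@3:` is also open-ended, so any later mbedtls major release would be accepted for curl 7.79 and newer without having been checked against curl's TLS backend code. I would add a comment above them, for example `# curl 7.79+ is built against the mbedtls 3 API; older releases need mbedtls 2`, worded to match whatever upstream change motivated the split. If only the 3.x series has been tested, the first constraint should get an upper bound as well. A TLS library picked by an unbounded range is worth pinning down, because an untested pairing tends to fail at build time in the best case and behave differently at handshake time in the worst.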
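Review bot: In the second hunk (`@@ -111,11 +112,17 @@`), every backend other than `tls=gnutls` and `tls=openssl` now gets no CA option at all. The trust anchors of an mbedtls or nss build are therefore left to whatever the configure script detects on the build host, which can differ between machines or be empty. The TODO admits the gap but does not tell a user what they get, and a curl with no usable default store tends to push people toward disabling verification. I would expand the comment to something like `# Other TLS backends: no CA flags are passed, so configure probes the build host for a bundle/path; the result is host-dependent until this TODO is resolved`. An explicit `else` branch would also make the fallthrough visible. `configure_args` starts above this hunk, so how `spec` is bound and whether `tls` can hold a value not listed here is not visible.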