Search SSL_CERT_FILE before SSL_CERT_DIR

[visr]

This aligns better with the behavior of openssl.
This should fix the issue of Windows users starting julia from a conda environment running into Pkg issues.
Fixes JuliaLang/Downloads.jl#244
See JuliaLang/Downloads.jl#244 (comment).

[visr]

This shows it in action:

pixi run a:/repo/julia/usr/bin/julia.exe

# these were set by the openssl conda activation scripts
julia> ENV["SSL_CERT_FILE"]
"D:\\temp\\asd\\.pixi\\envs\\default\\Library\\ssl\\cacert.pem"

julia> ENV["SSL_CERT_DIR"]
"D:\\temp\\asd\\.pixi\\envs\\default\\Library\\ssl\\certs"

julia> using NetworkOptions: CA_ROOTS_VARS, ca_roots

# order has changed
julia> CA_ROOTS_VARS
3-element Vector{String}:
 "JULIA_SSL_CA_ROOTS_PATH"
 "SSL_CERT_FILE"
 "SSL_CERT_DIR"

# this now returns the SSL_CERT_FILE instead of the SSL_CERT_DIR, as intended
julia> ca_roots()
"D:\\temp\\asd\\.pixi\\envs\\default\\Library\\ssl\\cacert.pem"

# this no longer logs errors, indicating this indeed fixes https://github.com/JuliaLang/Downloads.jl/issues/244
(@v1.12) pkg> registry up
    Updating registry at `a:\.julia\registries\General.toml`

(@v1.12) pkg> dev Example
     Cloning git-repo `https://github.com/JuliaLang/Example.jl.git`
ERROR: failed to clone from https://github.com/JuliaLang/Example.jl.git, error: GitError(Code:ERROR, Class:SSL, Your Julia is built with a SSL/TLS engine that libgit2 doesn't know how to configure to use a file or directory of certificate authority roots, but your environment specifies one via the SSL_CERT_DIR variable. If you believe your system's root certificates are safe to use, you can `export JULIA_SSL_CA_ROOTS_PATH=""` in your environment to use those instead.)

Unfortunately the latter still fails, now blaming SSL_CERT_DIR since it is last, even though it now tried to set SSL_CERT_FILE. The error comes from here. I guess "TLS backend doesn't support certificate locations" means either a cert_file or cert_dir. Reading the error I assumed this just wasn't supported for MbedTLS, but the code seems to me like a build flag need to be set: https://github.com/libgit2/libgit2/blob/4dcdb64c6844d76776745cdc25071a72c1af84d6/src/libgit2/settings.c#L206-L222. Would it make sense to enable that with JuliaLang/julia#56708?

In any case, this last point should perhaps be a LibGit2.jl issue, IMO this is good to go.

EDIT: the last error will be fixed with JuliaLang/julia#56924

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.81%. Comparing base (8eec5cb) to head (65eacbd).
Report is 5 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master      #37      +/-   ##
==========================================
- Coverage   95.55%   94.81%   -0.75%     
==========================================
  Files           4        4              
  Lines         135      135              
==========================================
- Hits          129      128       -1     
- Misses          6        7       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[visr]

Bump :)

[DilumAluthge]

I don't think I have the necessary knowledge to review this PR, but I can try to find someone to review it.

[aviks]

This looks reasonable to me, primarily as a small change that should not have too many unintended consequences. My main question would be how firm and settled this behavior (file before dir) is (the docs seem a bit vague) but folks seem to be depending on it, so 🤷

[visr]

Thanks @aviks! I should have linked to this, here in the OpenSSL docs it is mentioned explicitly:

When looking up CA certificates for chain building, the OpenSSL library will search for suitable certificates first in CAfile, then in CApath.

https://docs.openssl.org/3.0/man3/SSL_CTX_load_verify_locations/#notes

Hence I consider this essentially a bugfix, hoping it can be backported.

[visr]

Could this be merged?

[AquaPore]

Thanks Kristoffer,

I am getting the same error which is not resolved:

What will be your recommendations?

Kind regards,
Joseph

(@v1.11) pkg> update
┌ Error: curl_easy_setopt: 4
└ @ Downloads.Curl C:\Users\joseph.pollacco\.julia\juliaup\julia-1.11.5+0.x64.w64.mingw32\share\julia\stdlib\v1.11\Downloads\src\Curl\utils.jl:50
    Updating registry at `C:\Users\jpollacco.local\.julia\registries\General.toml`
┌ Error: curl_easy_setopt: 4
└ @ Downloads.Curl C:\Users\joseph.pollacco\.julia\juliaup\julia-1.11.5+0.x64.w64.mingw32\share\julia\stdlib\v1.11\Downloads\src\Curl\utils.jl:50
  No Changes to `C:\Users\jpollacco.local\.julia\environments\v1.11\Project.toml`

using Libdl
filter!(contains("curl"), dllist())

julia> filter!(contains("curl"), dllist())
1-element Vector{String}:
 "C:\\Users\\joseph.pollacco\\.julia" ⋯ 26 bytes ⋯ "4.w64.mingw32\\bin\\libcurl-4.dll"

[visr]

This fix isn't backported and also not on main, because the last time the NetworkOptions stdlib was bumped was JuliaLang/julia#56949, which was before this commit. It would be nice if it could be bumped on main and 1.12. This should be safe to backport on any version, I cannot speak for the previous commit #36 though, possibly that needs to be 1.12+. #39 also requires 1.12+.

You can see you don't have this commit because DIR is before FILE here:

julia> using NetworkOptions: CA_ROOTS_VARS; CA_ROOTS_VARS
3-element Vector{String}:
 "JULIA_SSL_CA_ROOTS_PATH"
 "SSL_CERT_DIR"
 "SSL_CERT_FILE"

[AquaPore]

Correct I get the same outputs:

sing NetworkOptions: CA_ROOTS_VARS; CA_ROOTS_VARS
3-element Vector{String}:
 "JULIA_SSL_CA_ROOTS_PATH"
 "SSL_CERT_DIR"
 "SSL_CERT_FILE"