curl in Fedora recently changed its default CA trust store. The
Fedora package no longer specifies an OpenSSL-format bundle file
during build, and curl itself has been patched to use an NSS
plugin called libnssckbi.so when no bundle file or directory is
specified. There are (at present) two possible providers of the
libnssckbi.so module: the original NSS implementation, which
uses a trust bundle built in at build time, and a compatible
implementation from the p11-kit project, which reads a trust
bundle at run time. So if we find a string in libcurl.so that
suggests libnssckbi might be in use, we must both install it and
make an effort to install any trust bundle files it may use.
The p11-kit libnssckbi implementation does include a string that
lists the top-level trust directories it will use, so we try to
find that string, though the best effort I can come up with will
also find many false positives too. To weed out the false
positives, we check whether the matches actually exist as dirs,
and if so, whether they contain some specific subdirectories we
know p11-kit trust dirs must have (thanks, @kaie). For the NSS
libnssckbi implementation, we will likely wind up not finding any
dirs that match the requirements, so we will simply install the
libnssckbi.so file itself, which is the correct action.
This fixes TLS transactions in the initramfs environment when
using a curl that's built this new way; it's significant for
use of kickstarts and update images with the Fedora / RHEL
installer, as these are retrieved in the initramfs environment,
and are frequently retrieved via HTTPS.
Adam Williamson
892b1fe6b7