Build: prevent OpenSSL using /etc/ssl on macOS & Linux

Using /etc/ssl only makes sense when the version of SSL on the system
is compatible with the version Blender uses.

Failure to load the configuration, for example, causes SSL to fail entirely
(causing downloading over HTTPS to fail).

Recently [0] the de facto standard directory `/etc/ssl` was used, however we
can't guarantee files in this path are compatible with Blender's SSL.

Use a known invalid path to resolve #114452.

Ref !114569

[0]: 60a8ae7830
Campbell Barton 2023-11-07 23:20:58 +11:00
parent 0eb279de54
commit 5c6c71e6e8

@ -37,16 +37,14 @@ else()
PREFIX ${BUILD_DIR}/ssl
CONFIGURE_COMMAND ${CONFIGURE_ENV} && cd ${BUILD_DIR}/ssl/src/external_ssl/ && ${SSL_CONFIGURE_COMMAND} --prefix=${LIBDIR}/ssl
--openssldir=${LIBDIR}/ssl
# Without this: Python will use the build directories:
# To see these values in use, check the output of `ssl.get_default_verify_paths()`.
# This definition causes the following values to be set:
# - `capath='/etc/ssl/certs'`
# - `openssl_cafile='/etc/ssl/cert.pem'`
# - `openssl_capath='/etc/ssl/certs'`
# Note that the output from the command `openssl info -configdir` on the users system
# would be ideal but this is more involved.
# Without this: Python will use the build directories.
# using the system directory `/etc/ssl` might seem the obvious choice,
# there is no guarantee the version of SSL used with Blender is compatible with the systems,
# where changes to the SSL configuration format can cause SSL not to load (see #114452).
# So reference a directory known not to exist. Ideally Blender could distribute it's own SSL
# directory, but this isn't compatible with hard coded paths.
# See #111132 & https://github.com/openssl/openssl/issues/20185 for details.
-DOPENSSLDIR=\\"/etc/ssl\\"
-DOPENSSLDIR=\\"/dev/null\\"
no-shared
no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms
--config=${CMAKE_CURRENT_SOURCE_DIR}/cmake/ssl.conf
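Review bot: the new comment above `-DOPENSSLDIR=\\"/dev/null\\"` describes the value as "a directory known not to exist", but `/dev/null` does exist on macOS and Linux; it is a device node, not a directory. The change works because nothing can be opened beneath it, so the comment should say that instead, for example "a path that can never be a directory, so no configuration or certificates can be loaded from it". Two smaller points in the same comment block: "it's own SSL directory" should be "its own", and the removed pointer to `ssl.get_default_verify_paths()` was a useful way to check the result and is worth keeping. Since the default CA file and CA directory are derived from OPENSSLDIR, they will now also resolve under `/dev/null`; the comment should state where Blender expects trusted CA certificates to come from, so that a later reader does not "fix" failing HTTPS verification by disabling it.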