From 5c6c71e6e8838c72724bd0ae8f8be5581ce78281 Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Tue, 7 Nov 2023 23:20:58 +1100 Subject: [PATCH] Build: prevent OpenSSL using /etc/ssl on macOS & Linux Using /etc/ssl only makes sense when the versions of SSL on the system is compatible with the version Blender uses. Failure to load the configuration for e.g. causes SSL to fail entirely (causing downloading over HTTPS to fail). Recently [0] de facto standard directory `/etc/ssl` was used however we can't guarantee files in this path are compatible with Blender's SSL. Use a known invalid path to resolve #114452. Ref !114569 [0]: 60a8ae7830acd09c3d8e9ab52630d48ecd4d281b --- build_files/build_environment/cmake/ssl.cmake | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/build_files/build_environment/cmake/ssl.cmake b/build_files/build_environment/cmake/ssl.cmake index dff24addf00..12df8ea0e14 100644 --- a/build_files/build_environment/cmake/ssl.cmake +++ b/build_files/build_environment/cmake/ssl.cmake 
@@ -37,16 +37,14 @@ else() PREFIX ${BUILD_DIR}/ssl CONFIGURE_COMMAND ${CONFIGURE_ENV} && cd ${BUILD_DIR}/ssl/src/external_ssl/ && ${SSL_CONFIGURE_COMMAND} --prefix=${LIBDIR}/ssl --openssldir=${LIBDIR}/ssl - # Without this: Python will use the build directories: - # To see these values in use, check the output of `ssl.get_default_verify_paths()`. - # This definition causes the following values to be set: - # - `capath='/etc/ssl/certs'` - # - `openssl_cafile='/etc/ssl/cert.pem'` - # - `openssl_capath='/etc/ssl/certs'` - # Note that the output from the command `openssl info -configdir` on the users system - # would be ideal but this is more involved. + # Without this: Python will use the build directories. + # using the system directory `/etc/ssl` might seem the obvious choice, + # there is no guarantee the version of SSL used with Blender is compatible with the systems, + # where changes to the SSL configuration format can cause SSL not to load (see #114452). + # So reference a directory known not to exist. Ideally Blender could distribute it's own SSL + # directory, but this isn't compatible with hard coded paths. # See #111132 & https://github.com/openssl/openssl/issues/20185 for details. - -DOPENSSLDIR=\\"/etc/ssl\\" + -DOPENSSLDIR=\\"/dev/null\\" no-shared no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms --config=${CMAKE_CURRENT_SOURCE_DIR}/cmake/ssl.conf
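Review bot: The new comment above `-DOPENSSLDIR=\\"/dev/null\\"` describes the path as "a directory known not to exist", but `/dev/null` does exist on both macOS and Linux, as a character device rather than a directory. The intended effect still holds because nothing can be opened beneath it, so the comment should say that, for example "reference a path that is not a directory, so no configuration or certificates can be loaded from it". The removed comment also recorded that this define sets the `capath`, `openssl_cafile` and `openssl_capath` values reported by `ssl.get_default_verify_paths()`. By that account those defaults now point under `/dev/null` as well, so please keep the pointer to `ssl.get_default_verify_paths()` and state where CA certificates for HTTPS verification are expected to come from, since nothing in this hunk shows it. Minor wording in the added comment: "it's own" should be "its own", and "compatible with the systems" should be "compatible with the system's".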