Windows: Use calibre's bundled SSL certificates instead of the system store by default

I am tired of all the bug reports about SSL certificate verify failures
on Windows caused by the Windows certificate store not having needed
intermediate certificates. So use the bundled certificates instead which
are the set of certificates trusted by Firefox and curl.

Can be turned off via CALIBRE_USE_SYSTEM_CERTIFICATES=1 env var
Kovid Goyal 2024-10-08 15:06:35 +05:30
parent a003b0303d
commit 97d476811a
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C
4 changed files with 13 additions and 1 deletions


@ -17,6 +17,7 @@ set_env_vars(const char* contents_path) {
for (size_t i = 0; i < arraysz(env_vars); i++) {
env_var = env_vars[i]; val = env_var_vals[i];
if (strcmp(env_var, "SSL_CERT_FILE") == 0 && getenv("CALIBRE_USE_SYSTEM_CERTIFICATES") && strcmp(getenv("CALIBRE_USE_SYSTEM_CERTIFICATES"), "1") == 0) continue;
if (strstr(val, EXE) == val && strlen(val) >= sizeof(EXE)) {
snprintf(buf, sizeof(buf) - 1, "%s%s", contents_path, val + sizeof(EXE) - 1);
setenv(env_var, buf, 1);
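Review bot: The new `SSL_CERT_FILE` guard looks up `CALIBRE_USE_SYSTEM_CERTIFICATES` with two separate `getenv` calls and packs three conditions onto one line; reading it once before the loop is easier to audit, e.g. `const char *use_sys = getenv("CALIBRE_USE_SYSTEM_CERTIFICATES");` and then `if (use_sys && strcmp(use_sys, "1") == 0 && strcmp(env_var, "SSL_CERT_FILE") == 0) continue;`. The `continue` only skips calibre's own `setenv`, so an `SSL_CERT_FILE` inherited from the parent environment stays in effect and still selects the trust anchors. A comment such as `/* opt-out: leave SSL_CERT_FILE as inherited, which may itself point at a custom bundle */` would make that explicit. The loop and `set_env_vars` continue outside the hunk.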


@ -49,6 +49,12 @@ get_install_locations(void) {
_wputenv_s(L"QTWEBENGINE_DISABLE_SANDBOX", "1");
_snwprintf_s(qt_prefix_dir, MAX_PATH-1, _TRUNCATE, L"%ls\\app", interpreter_data.app_dir);
_wputenv_s(L"CALIBRE_QT_PREFIX", qt_prefix_dir);
// Lots of people have trouble with various websites failing to download
// because of missing intermediate certificates in the windows store
// so use the Mozilla certificate bundle
_snwprintf_s(qt_prefix_dir, MAX_PATH-1, _TRUNCATE, L"%ls\\mozilla-ca-certs.pem", interpreter_data.resources_path);
const char *s = getenv("CALIBRE_USE_SYSTEM_CERTIFICATES");
if (!s || strcmp(s, "1") != 0) _wputenv_s(L"SSL_CERT_FILE", qt_prefix_dir);
}
static void
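Review bot: The `_snwprintf_s` call that builds the `mozilla-ca-certs.pem` path ignores its return value, so with `_TRUNCATE` an over-long `resources_path` is silently cut and the truncated path is still exported as `SSL_CERT_FILE`; certificate verification would then presumably fail for every connection with no hint as to why. Read `s` first and set the variable only when formatting succeeded, for example `if (_snwprintf_s(cert_path, MAX_PATH-1, _TRUNCATE, L"%ls\\mozilla-ca-certs.pem", interpreter_data.resources_path) > 0 && (!s || strcmp(s, "1") != 0)) _wputenv_s(L"SSL_CERT_FILE", cert_path);`. Here `cert_path` is a separate buffer of the same size as `qt_prefix_dir`, which also avoids reusing a Qt-named buffer for an unrelated path. `get_install_locations` starts outside the hunk.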


@ -52,6 +52,7 @@ Environment variables
the system theme -- beware of crashes and hangs.
* ``CALIBRE_SHOW_DEPRECATION_WARNINGS`` - causes calibre to print deprecation warnings to stdout. Useful for calibre developers.
* ``CALIBRE_NO_DEFAULT_PROGRAMS`` - prevent calibre from automatically registering the filetypes it is capable of handling with Windows.
* ``CALIBRE_USE_SYSTEM_CERTIFICATES`` - make calibre use the system certificate store for SSL certificate verification instead of its own certificate store on Windows and macOS.
* ``QT_QPA_PLATFORM`` - On Linux set this to ``wayland`` to force calibre to use Wayland and ``xcb`` to force use of X11.
* ``SYSFS_PATH`` - Use if sysfs is mounted somewhere other than /sys
* ``http_proxy``, ``https_proxy`` - used on Linux to specify an HTTP(S) proxy


@ -1479,9 +1479,13 @@ def sanitize_env_vars():
}
elif iswindows:
env_vars = {'OPENSSL_MODULES': None, 'QTWEBENGINE_DISABLE_SANDBOX': None}
if os.environ.get('CALIBRE_USE_SYSTEM_CERTIFICATES', '') != '1':
env_vars['SSL_CERT_FILE'] = None
elif ismacos:
env_vars = {k:None for k in (
'FONTCONFIG_FILE FONTCONFIG_PATH SSL_CERT_FILE OPENSSL_ENGINES OPENSSL_MODULES').split()}
'FONTCONFIG_FILE FONTCONFIG_PATH OPENSSL_ENGINES OPENSSL_MODULES').split()}
if os.environ.get('CALIBRE_USE_SYSTEM_CERTIFICATES', '') != '1':
env_vars['SSL_CERT_FILE'] = None
else:
env_vars = {}
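Review bot: The `CALIBRE_USE_SYSTEM_CERTIFICATES` test is now written out twice, once in the `iswindows` branch and once in the `ismacos` branch, and nothing explains why `SSL_CERT_FILE` is treated differently from the other variables. Evaluating it once ahead of the branch chain (which begins outside the hunk), `use_bundled_certs = os.environ.get('CALIBRE_USE_SYSTEM_CERTIFICATES', '') != '1'`, and writing `if use_bundled_certs: env_vars['SSL_CERT_FILE'] = None` in both places keeps the two platforms from drifting apart. A comment like `# SSL_CERT_FILE is only calibre's own when the bundled CA file is in use; with the opt-out set, a value found here came from the user and is passed through` would record the intent, if that is indeed the intent. The start of `sanitize_env_vars` is outside the hunk.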