msys2 / MINGW-packages

Package scripts for MinGW-w64 targets to build under MSYS2.
https://packages.msys2.org
BSD 3-Clause "New" or "Revised" License

mingw-w64-neon: 'issuer not trusted' certificate error #9807

Open openhs opened 3 years ago

openhs commented 3 years ago

Making connection with Neon library to HTTPS servers fails with error 'issuer not trusted' under mingw64. Same connections pass correctly under Linux.

Below is an example of code that fails under mingw64 and passes under Linux.

...
ne_session *sess = ne_session_create("https", "slashdot.org", 443);
/* Trust the CA bundle configured at build time (--with-ca-bundle). */
ne_ssl_trust_default_ca(sess);
ne_request *req = ne_request_create(sess, "GET", "/");
/* ne_request_dispatch() returns non-zero on failure. */
if (ne_request_dispatch(req)) {
    printf("Request failed: %s\n", ne_get_error(sess));
} else {
    printf("Response status: %d\n", ne_get_status(req)->code);
}
...

Output under mingw64 is: Request failed: Server certificate verification failed: issuer is not trusted

Output under Linux is: Response status: 200

In contrast with mingw64, Neon under Linux is built without specifying a CA bundle (without --with-ca-bundle) (Neon 0.31.2 under Gentoo Linux was used). However, doing the same under mingw64 does not help.

What actually helps is specifying the full path in Windows format. So with the following change in PKGBUILD it works (note, both paths actually point to the same file but in a different format):

replace: --with-ca-bundle=${MINGW_PREFIX}/ssl/certs/ca-bundle.crt

with: C:/tools/msys64/mingw64/ssl/certs/ca-bundle.crt

Not sure what a proper fix should look like though.

Exact Neon version is: mingw-w64-x86_64-neon-0.31.2-3

Biswa96 commented 3 years ago

@1480c1 Another candidate for pathtools?

revelator commented 3 years ago

maybe --with-ca-bundle=$(cygpath -m ${MINGW_PREFIX}/ssl/certs/ca-bundle.crt) ?

Biswa96 commented 3 years ago

It will take the build directory of CI.

ZachBacon commented 3 years ago

Ideally, I guess you'd have to adapt neon itself for FHS compatibility on msys2, perhaps. Just a guess, mind you.

revelator commented 3 years ago

Hmm, yes, some packages do seem to have hardcoded paths on Windows; FHS adaptation might be the best bet.
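
A packaging-time check for the failure discussed in this thread, as an added example that is not part of the original issue or of the MSYS2 or neon code: it lists the CA-bundle paths embedded in a built binary and flags POSIX-style ones (a native Windows process resolves a leading `/` against the current drive root, not the MSYS2 root) and drive-letter ones (tied to one install or build location). The function names and the sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a built binary for the CA-bundle path baked in by
# --with-ca-bundle. All function names here are hypothetical.

# Classify a path the way a native (non-MSYS2) Windows process would treat it.
classify_ca_path() {
    case "$1" in
        [A-Za-z]:/* | [A-Za-z]:\\*)
            echo "windows-absolute" ;;  # resolvable, but only at this install location
        /*)
            echo "posix-style" ;;       # not mapped to the MSYS2 root at run time
        *)
            echo "relative" ;;          # depends on the working directory
    esac
}

# Print "<class><TAB><path>" for every ca-bundle.crt path embedded in file $1.
embedded_ca_paths() {
    # -a: read the binary as text; -o: print only the matched strings.
    LC_ALL=C grep -a -o -E '([A-Za-z]:)?[A-Za-z0-9_./-]*ca-bundle\.crt' "$1" |
    LC_ALL=C sort -u |
    while IFS= read -r p; do
        printf '%s\t%s\n' "$(classify_ca_path "$p")" "$p"
    done
}

# Constructed sample: NUL-separated strings standing in for a built library.
make_sample_binary() {
    printf 'MZ\000\001pad\000/mingw64/ssl/certs/ca-bundle.crt\000pad\000C:/tools/msys64/mingw64/ssl/certs/ca-bundle.crt\000' > "$1"
}

sample=$(mktemp)
make_sample_binary "$sample"
embedded_ca_paths "$sample"
rm -f "$sample"
```

A `posix-style` hit corresponds to the failing build reported above; a `windows-absolute` hit corresponds to both the reported workaround and the build-directory concern raised about `cygpath -m`.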