Description
Use of curl in TKLDev via the pre-configured squid proxy fails for https URLs. TBH I'm not sure why we hadn't hit that in v18.x, but my research suggests that the issue is that by default curl will refuse to accept any self-signed certs - even when provided by a squid proxy with SSL-bump config (as TKLDev uses) and the cert preloaded into the "trusted" cert store. Instead it seems that curl will only accept a cert that explicitly matches the domain. That would explain why wget works but curl doesn't.
I haven't tested but it looks like explicitly specifying the ca cert which signed the self-signed cert should allow curl to work as desired. I.e.:
curl --cacert /usr/local/share/ca-certificates/squid_proxyCA.crt https://remote-site.com
There is an alternate --ca-native switch that should also work but explicitly setting the ca cert to use is preferred IMO.
Assuming that the above works as I expect it to, then adding a check for the ca cert file and appending --cacert /usr/local/share/ca-certificates/squid_proxyCA.crt if it exists is probably the "best" fix?
Workaround: disable squid proxy by setting NO_PROXY=true and/or FAB_HTTP_PROXY & FAB_HTTPS_PROXY.
feature request?
Also, seeing as we use individual dl() bash functions (which leverage curl and set the proxy when relevant) in lots of places in the build (individual apps and common), perhaps creating a standalone script (and putting it in a common overlay) for that functionality would be a good idea?
more info/detail: https://stackoverflow.com/a/71737602/3363571
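An added example (not TKLDev's own dl() code) of the check proposed above and of a standalone dl() helper: it appends --cacert only when the squid CA file exists and a proxy is actually configured, since --cacert replaces curl's default CA bundle and would otherwise break direct https fetches in NO_PROXY=true builds. The FAB_HTTP_PROXY/FAB_HTTPS_PROXY names and the CA path are taken from the issue; SQUID_CA is an assumed override hook for testing.

```shell
#!/bin/sh
# Added example, not TurnKey/TKLDev code: a dl() helper that only passes
# --cacert for the squid SSL-bump CA when that CA file exists AND a proxy is
# in use, because --cacert replaces curl's default CA bundle and would break
# direct fetches (e.g. NO_PROXY=true builds) where the remote site's real
# cert is signed by a public CA.
# Assumed names: FAB_HTTP_PROXY / FAB_HTTPS_PROXY as used in the issue;
# SQUID_CA is an assumed override hook so the logic can be tested offline.

SQUID_CA="${SQUID_CA:-/usr/local/share/ca-certificates/squid_proxyCA.crt}"

# proxy_for_url URL: print the proxy for the URL's scheme (may be empty).
# Returns 1 for schemes dl() does not handle.
proxy_for_url() {
    case "$1" in
        https://*) printf '%s' "${FAB_HTTPS_PROXY:-}" ;;
        http://*)  printf '%s' "${FAB_HTTP_PROXY:-}" ;;
        *)         return 1 ;;
    esac
}

# curl_ca_opts URL: print "--cacert <file>" when an https fetch will go
# through the bump proxy and the proxy CA is installed; otherwise print
# nothing so curl keeps its default trust store.
curl_ca_opts() {
    proxy=$(proxy_for_url "$1") || return 1
    case "$1" in
        https://*)
            if [ -n "$proxy" ] && [ -r "$SQUID_CA" ]; then
                printf '%s %s' --cacert "$SQUID_CA"
            fi ;;
    esac
}

# dl URL DEST: fetch URL to DEST, failing on HTTP errors, via the proxy if set.
dl() {
    url="$1"; dest="$2"
    proxy=$(proxy_for_url "$url") || { echo "dl: unsupported URL: $url" >&2; return 1; }
    set -- --fail --silent --show-error --location --output "$dest"
    if [ -n "$proxy" ]; then
        set -- "$@" --proxy "$proxy"
    fi
    # Word splitting is intentional here: the CA path contains no spaces.
    set -- "$@" $(curl_ca_opts "$url")
    curl "$@" "$url"
}
```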