curl: mitigate migration to OpenSSL on Linux

The problem is that curl 8.3.0 removed the NSS backend, so we now
have no other choice than to use the bundled OpenSSL on Linux.

Currently any curl https connection fails with:

  CurlSession.cxx:963: curl_easy_perform failed: (60) SSL certificate problem: unable to get local issuer certificate

Apparently this requires manually telling curl which CA certificates to
trust; there is a configure flag --with-ca-bundle but that is useless as
it tries to load the file relative to whatever is the current working
directory, and also did i mention that there are at least 3 different
locations where a Linux system may store its system trusted CA
certificates because ALL ABOUT CHOICE.

So add a new header with an init function to try out various file
locations listed in this nice blog article and call it from way too many
places that independently use curl.

https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

TODO: perhaps bundle a cacert.pem as a fallback in case the system chose
to innovate by putting its certificates in yet another unexpected place

(regression from commit c2930ebff82c4f7ffe8377ab82627131f8544226)

Change-Id: Ibf1cc0069bc2ae011ecead9a4c2b455e94b01241
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158915
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

3 files changed, 11 insertions, 0 deletions

diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx
index b5ad2cb738ce..b8ef0b77f734 100644
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -56,6 +56,8 @@
 #include <ucbhelper/proxydecider.hxx>
 #include <ucbhelper/macros.hxx>
 #include <sax/tools/converter.hxx>
+#include <curlinit.hxx>
+
 #include <utility>
 
 #include "auth_provider.hxx"
@@ -332,6 +334,9 @@ namespace cmis
                     new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );
             libcmis::SessionFactory::setCertificateValidationHandler( certHandler );
 
+            // init libcurl callback
+            libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);
+
             // Get the auth credentials
             AuthProvider aAuthProvider(xEnv, m_xIdentifier->getContentIdentifier(), m_aURL.getBindingUrl());
             AuthProvider::setXEnv( xEnv );
diff --git a/ucb/source/ucp/ftp/ftploaderthread.cxx b/ucb/source/ucp/ftp/ftploaderthread.cxx
index f5ebfe36cdda..91130fc1bc9c 100644
--- a/ucb/source/ucp/ftp/ftploaderthread.cxx
+++ b/ucb/source/ucp/ftp/ftploaderthread.cxx
@@ -25,6 +25,8 @@
 #include "ftploaderthread.hxx"
 #include "curl.hxx"
 
+#include <curlinit.hxx>
+
 using namespace ftp;
 
 
@@ -75,6 +77,8 @@ CURL* FTPLoaderThread::handle() {
     if(!ret) {
         ret = curl_easy_init();
         if (ret != nullptr) {
+            ::InitCurl_easy(ret);
+
             // Make sure curl is not internally using environment variables like
             // "ftp_proxy":
             if (curl_easy_setopt(ret, CURLOPT_PROXY, "") != CURLE_OK) {
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index a881a1703dec..1d85d5df0ca5 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -35,6 +35,7 @@
 #include <rtl/uri.hxx>
 #include <rtl/strbuf.hxx>
 #include <rtl/ustrbuf.hxx>
+#include <curlinit.hxx>
 #include <config_version.h>
 
 #include <map>
@@ -680,6 +681,7 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
     assert(rc == CURLE_OK);
     rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
     assert(rc == CURLE_OK);
+    ::InitCurl_easy(m_pCurl.get());
     // tdf#149921 by default, with schannel (WNT) connection fails if revocation
     // lists cannot be checked; try to limit the checking to when revocation
     // lists can actually be retrieved (usually not the case for self-signed CA)