unofficial mirror of bug-guix@gnu.org 
From: "Raghav Gururajan" <rvgn@disroot.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: 34861@debbugs.gnu.org
Subject: bug#34861: TLS Error with Flatpak
Date: Mon, 18 Mar 2019 23:10:48 +0000	[thread overview]
Message-ID: <2d04774df83fe600777de7b8f26aca87@disroot.org> (raw)
In-Reply-To: <87ef73yiyr.fsf@elephly.net>


Hello Ricardo!

Please find the following information.

FROM FLATPAK SOURCE CODE:

SoupSession *
flatpak_create_soup_session (const char *user_agent)
{
  SoupSession *soup_session;
  const char *http_proxy;

  soup_session = soup_session_new_with_options (SOUP_SESSION_USER_AGENT, user_agent,
                                                SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
                                                SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
                                                SOUP_SESSION_TIMEOUT, 60,
                                                SOUP_SESSION_IDLE_TIMEOUT, 60,
                                                NULL);
  soup_session_remove_feature_by_type (soup_session, SOUP_TYPE_CONTENT_DECODER);
  http_proxy = g_getenv ("http_proxy");
  if (http_proxy)
    {
      g_autoptr(SoupURI) proxy_uri = soup_uri_new (http_proxy);
      if (!proxy_uri)
        g_warning ("Invalid proxy URI '%s'", http_proxy);
      else
        g_object_set (soup_session, SOUP_SESSION_PROXY_URI, proxy_uri, NULL);
    }

  if (g_getenv ("OSTREE_DEBUG_HTTP"))
    soup_session_add_feature (soup_session, (SoupSessionFeature *) soup_logger_new (SOUP_LOGGER_LOG_BODY, 500));

  return soup_session;
}

FROM LIBSOUP MANUAL:

The “ssl-use-system-ca-file” property

“ssl-use-system-ca-file” gboolean

Setting this to TRUE is equivalent to setting “tls-database” to the default system CA database. (and likewise, setting “tls-database” to the default database by hand will cause this property to become TRUE).

Setting this to FALSE (when it was previously TRUE) will clear the “tls-database” field.

See “ssl-strict” for more information on how https certificate validation is handled.

The “ssl-strict” property

“ssl-strict” gboolean

Normally, if “tls-database” is set (including if it was set via “ssl-use-system-ca-file” or “ssl-ca-file”), then libsoup will reject any certificate that is invalid (ie, expired) or that is not signed by one of the given CA certificates, and the SoupMessage will fail with the status SOUP_STATUS_SSL_FAILED.

If you set “ssl-strict” to FALSE, then all certificates will be accepted, and you will need to call soup_message_get_https_status() to distinguish valid from invalid certificates. (This can be used, eg, if you want to accept invalid certificates after giving some sort of warning.)

For a plain SoupSession, if the session has no CA file or TLS database, and this property is TRUE, then all certificates will be rejected.

--
Regards,
RG.

March 18, 2019 9:24 PM, "Ricardo Wurmus" <rekado@elephly.net> wrote:

> Raghav Gururajan <rvgn@disroot.org> writes:
>
>> Yes, I did them. Still did not work.
>>
>> I did the following to set env variables:
>>
>> $ guix package -i nss-certs
>> $ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
>> $ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
>> $ export GIT_SSL_CAINFO="$SSL_CERT_FILE"
>
> Flatpak uses libsoup with SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE. libsoup
> delegates TLS handling to glib-networking.
>
> Raghav, could you trace flatpak to see what certificate files it is
> trying to access?
>
> --
> Ricardo

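Ricardo's request in the quoted message (trace which certificate files flatpak tries to open) is usually answered by post-processing an strace log. The shell script below is an added example and is not part of this thread or of flatpak; the log lines embedded in it are constructed to look like strace output, and the /home/user profile path is an assumption.

```shell
#!/bin/sh
# Added example: summarise which CA/certificate files a traced process tried
# to open, from a log produced by something like
#   strace -f -e trace=openat,stat,access -o flatpak.strace flatpak install ...
# A path that shows up as MISSING is one the TLS backend looked for but did
# not find; a FOUND path is the bundle it actually read.

cert_opens() {
  # $1: strace log file. Prints "FOUND PATH" or "MISSING PATH (ERRNO)".
  grep -E 'openat\(|stat\(|access\(' "$1" |
  grep -E '"[^"]*(ssl|certs?|ca-|pki|\.pem|\.crt)[^"]*"' |
  sed -E 's/.*"([^"]*)".*= (-?[0-9]+)( ([A-Z]+) .*)?$/\2 \4 \1/' |
  awk '{ if ($1 < 0) print "MISSING", $NF, "(" $2 ")"; else print "FOUND", $NF }' |
  sort -u
}

# Constructed sample log (not a real trace), shaped like strace -f output.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1234  openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/gnu/store/abc-glib-networking/lib/gio/modules/libgiognutls.so", O_RDONLY|O_CLOEXEC) = 5
1234  openat(AT_FDCWD, "/home/user/.guix-profile/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 6
1234  access("/etc/pki/tls/certs/ca-bundle.crt", R_OK) = -1 ENOENT (No such file or directory)
EOF

cert_opens "$SAMPLE_LOG"
```

The shared-object line is deliberately included to show that non-certificate opens are filtered out; only paths that look like CA bundles or cert directories are reported.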