Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
From: Mark H Weaver
To: Ludovic Courtès, Maxim Cournoyer
Cc: 46779@debbugs.gnu.org
Date: Fri, 19 Mar 2021 19:13:36 -0400
Message-ID: <87o8fen3d0.fsf@netris.org>
In-Reply-To: <87y2f7td00.fsf@gnu.org>
References: <87im6f9aq2.fsf@gmail.com> <87y2f7td00.fsf@gnu.org>
List-Id: Bug reports for GNU Guix

Ludovic Courtès writes:

> Maxim Cournoyer skribis:
>
>> We should patch GnuTLS so that it also honors the SSL_* environment
>> variables documented in the Guix manual.
>
> Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
> GnuTLS developers made the conscious decision to not honor any
> environment variable, leaving it up to application developers to do
> that.
>
> That's the reason we are in this situation.  See the thread at
> .
That thread is worth reading, but for those who are short on time, I want
to call attention to a specific point I made:

  However, GnuTLS does not support an environment variable setting, so we
  would have to patch the code (add_system_trust in lib/system.c).  I
  strongly considered doing this, but I'm worried about the possible
  security implications.  For example, consider a setuid program that
  uses GnuTLS and assumes that the person who ran the program will not be
  capable of changing the trust store that GnuTLS uses.  This assumption
  would be correct for the upstream GnuTLS, but not for ours.

Thanks,
Mark
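One way a Guix-side patch could honor SSL_CERT_FILE without the setuid hazard described in the message above: an added C example, not code from GnuTLS or from this thread, that ignores the variable whenever the process runs with real and effective IDs that differ. The function names and the default bundle path are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed placeholder for the distribution's built-in bundle; GnuTLS's
   real default is chosen at build time. */
#define DEFAULT_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"

/* A setuid/setgid binary runs with an effective ID its invoker does not
   own.  The invoker still controls the environment, so a path taken from
   it would let them pick the trust anchors of a privileged process. */
int running_with_elevated_privilege(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision step, kept apart from process state so it can be tested:
   honor the caller-supplied value only when it is set, non-empty and the
   process is not privileged; otherwise fall back to the built-in path. */
const char *choose_trust_file(const char *env_value, int elevated) {
    if (!elevated && env_value != NULL && env_value[0] != '\0')
        return env_value;
    return DEFAULT_CERT_FILE;
}

/* What a patched add_system_trust() could consult.  On glibc,
   secure_getenv() has the same effect (it returns NULL when the kernel
   marks the process AT_SECURE); the explicit ID check above is the
   portable equivalent. */
const char *trust_file_for_this_process(void) {
    return choose_trust_file(getenv("SSL_CERT_FILE"),
                             running_with_elevated_privilege());
}

int main(void) {
    printf("trust store: %s\n", trust_file_for_this_process());
    return 0;
}
```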