From: Andreas Enge
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 13:13:53 +0100
Message-ID: <20140219121353.GA5707@debian.eduroam.u-bordeaux.fr>
In-Reply-To: <87sirf8l6h.fsf@netris.org>
To: Mark H Weaver
Cc: guix-devel@gnu.org

On Wed, Feb 19, 2014 at 05:13:26AM -0500, Mark H Weaver wrote:
> However, GnuTLS does not support an environment variable setting, so we
> would have to patch the code (add_system_trust in lib/system.c). I
> strongly considered doing this, but I'm worried about the possible
> security implications. For example, consider a setuid program that uses
> GnuTLS and assumes that the person who ran the program will not be
> capable of changing the trust store that GnuTLS uses. This assumption
> would be correct for the upstream GnuTLS, but not for ours.
>
> Here's the thing: GnuTLS does not trust the system store by default.
> The program has to call 'gnutls_certificate_set_x509_system_trust' to
> use the system trust store. Therefore, individual programs can still
> allow the user to override the system trust store.
>
> For example, look at the code for 'wget' (ssl_init in src/gnutls.c). If
> you put "ca_directory = " in ~/.wgetrc, then wget does not
> call 'gnutls_certificate_set_x509_system_trust'. Instead, it trusts
> only the certs in the specified user directory.

This is an interesting feature.

> So, in the end, I don't think we should mess around with the way GnuTLS
> was designed. I think we should provide a hard-coded system-wide
> location to allow 'gnutls_certificate_set_x509_system_trust' to work as
> it was intended, and instead we should make sure that each individual
> program has a way to override that.

I am still uneasy with this situation, even more so as long as we do not
have the GNU system: currently, the Guix GnuTLS would point to the SSL
certificates that Debian installed (or did not install) in /etc; we will
get behaviour that depends a lot on the outside system instead of being
self-contained.

Andreas