unofficial mirror of guix-devel@gnu.org 
From: Mark H Weaver <mhw@netris.org>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 05:13:26 -0500
Message-ID: <87sirf8l6h.fsf@netris.org>
In-Reply-To: <20140219092644.GA4694@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 19 Feb 2014 10:26:44 +0100")

Hi Andreas,

Andreas Enge <andreas@enge.fr> writes:
> On Tue, Feb 18, 2014 at 09:47:18PM -0500, Mark H Weaver wrote:
>> This patch is needed to allow gnutls to find the system-wide trust store
>> (trusted CA certificates).
>
>> +         "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt")))
>
> As there is no system, and we advertise per user configuration, should this
> not rather be $HOME/.guix-profile/etc/...? Which probably does not work
> as it would be needed to be "resolved" at execution time. Is there any way
> of telling gnutls to use an environment variable?

I'm very sympathetic to your point of view.  I agree that each user
should be able to decide which CA certificates to trust.

However, GnuTLS does not support an environment variable setting, so we
would have to patch the code (add_system_trust in lib/system.c).  I
strongly considered doing this, but I'm worried about the possible
security implications.  For example, consider a setuid program that uses
GnuTLS and assumes that the person who ran the program will not be
capable of changing the trust store that GnuTLS uses.  This assumption
would be correct for the upstream GnuTLS, but not for ours.

Here's the thing: GnuTLS does not trust the system store by default.
The program has to call 'gnutls_certificate_set_x509_system_trust' to
use the system trust store.  Therefore, individual programs can still
allow the user to override the system trust store.

For example, look at the code for 'wget' (ssl_init in src/gnutls.c).  If
you put "ca_directory = <DIRECTORY>" in ~/.wgetrc, then wget does not
call 'gnutls_certificate_set_x509_system_trust'.  Instead, it trusts
only the certs in the specified user directory.

So, in the end, I don't think we should mess around with the way GnuTLS
was designed.  I think we should provide a hard-coded system-wide
location to allow 'gnutls_certificate_set_x509_system_trust' to work as
it was intended, and instead we should make sure that each individual
program has a way to override that.

What do you think?

    Regards,
      Mark
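The policy Mark describes above (the library trusts nothing by default, the program opts into the system store, and a per-program user setting such as wget's `ca_directory` replaces it) can be written down as a small selection routine. The following is an added example, not code from this thread, from GnuTLS or from wget: it parses a constructed wgetrc-style config text for a `ca_directory` line, chooses between the system store and the user directory, and refuses to honour the user-controlled setting when the process runs setuid, which is the case Mark raises as the reason not to add an environment-variable override inside the library. The function names, the `trust_choice` struct and the config text are all hypothetical; a real client would hand the result to `gnutls_certificate_set_x509_system_trust` or, for the user directory, to `gnutls_certificate_set_x509_trust_file`/`_trust_dir` on a credentials object.

```c
/* Added example: trust-store selection policy, not GnuTLS or wget code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Where a TLS client should take its trusted CAs from. */
enum trust_source { TRUST_SYSTEM, TRUST_USER_DIR };

struct trust_choice {
    enum trust_source source;
    char dir[256];            /* meaningful only when source == TRUST_USER_DIR */
};

/* Look up `key` in a wgetrc-style text ("key = value" per line, '#' comments).
 * Simplified stand-in for wget's own parser, written for this example.
 * Returns 1 and copies the value into `out` when found, 0 otherwise. */
static int config_lookup(const char *text, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *line = text;

    while (*line) {
        const char *end = strchr(line, '\n');
        const char *lend = end ? end : line + strlen(line);
        const char *p = line;

        while (p < lend && isspace((unsigned char)*p)) p++;
        if (p < lend && *p != '#' && (size_t)(lend - p) > klen && strncmp(p, key, klen) == 0) {
            const char *q = p + klen;
            /* Require a delimiter so "ca_directory" does not match "ca_directory_x". */
            if (*q == '=' || isspace((unsigned char)*q)) {
                while (q < lend && isspace((unsigned char)*q)) q++;
                if (q < lend && *q == '=') {
                    const char *v;
                    q++;
                    while (q < lend && isspace((unsigned char)*q)) q++;
                    v = lend;
                    while (v > q && isspace((unsigned char)v[-1])) v--;   /* trim trailing blanks */
                    if (v > q && (size_t)(v - q) < outlen) {
                        memcpy(out, q, (size_t)(v - q));
                        out[v - q] = '\0';
                        return 1;
                    }
                    return 0;   /* empty or oversized value: treat as unset */
                }
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* True when the process gained privilege via setuid/setgid bits. */
static int process_is_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Decide the trust store. The library default is "system store, chosen by
 * the program"; a user's ca_directory overrides it, but only when the person
 * who controls that config is not also the one a privileged process must be
 * protected from, i.e. never in a setuid process. */
static struct trust_choice choose_trust_store(const char *user_config, int running_setuid)
{
    struct trust_choice c = { TRUST_SYSTEM, "" };

    if (running_setuid)
        return c;   /* ignore user-controlled configuration entirely */
    if (config_lookup(user_config, "ca_directory", c.dir, sizeof c.dir))
        c.source = TRUST_USER_DIR;
    return c;
}

int main(void)
{
    /* Constructed ~/.wgetrc-style content for the example. */
    const char *cfg = "# hypothetical user config\n"
                      "https_only = on\n"
                      "ca_directory = /home/alice/certs\n";
    struct trust_choice c = choose_trust_store(cfg, process_is_setuid());

    if (c.source == TRUST_USER_DIR)
        printf("trust only certificates under %s\n", c.dir);
    else
        printf("trust the system-wide store\n");
    return 0;
}
```

If one did add the environment-variable override Mark decided against, the equivalent guard inside the library would be glibc's `secure_getenv()`, which returns NULL in a setuid process; the point of the example is that the same decision is safer when it lives in the program, which knows whether it runs privileged and which config it is willing to honour.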


Thread overview: 29+ messages
2014-02-19  2:47 [PATCH] gnu: gnutls: Configure location of system-wide trust store Mark H Weaver
2014-02-19  9:26 ` Andreas Enge
2014-02-19 10:13   ` Mark H Weaver [this message]
2014-02-19 12:13     ` Andreas Enge
2014-02-19 13:40       ` Ludovic Courtès
2014-02-19 14:08         ` Andreas Enge
2014-02-19 14:37           ` Sree Harsha Totakura
2014-02-19 21:52           ` Ludovic Courtès
2014-02-20 19:39             ` Andreas Enge
2014-02-20 22:08               ` Ludovic Courtès
2014-02-20 18:01           ` Mark H Weaver
  -- strict thread matches above, loose matches on Subject: below --
2015-02-02 23:11 Mark H Weaver
2015-02-03  0:01 ` David Thompson
2015-02-03 20:53 ` Ludovic Courtès
2015-02-03 20:57   ` Marek Benc
2015-02-04 12:36 ` Andreas Enge
2015-02-04 12:42   ` Andreas Enge
2015-02-04 15:35   ` Mark H Weaver
2015-02-05  9:59     ` Andreas Enge
2015-02-08 13:36     ` Andreas Enge
2015-02-08 14:29       ` Andreas Enge
2015-02-08 15:24         ` Andreas Enge
2015-02-08 15:59       ` Mark H Weaver
2015-02-15  5:17   ` Mark H Weaver
2015-02-15  9:16     ` Andreas Enge
2015-02-15 16:59       ` Mark H Weaver
2015-02-23 21:34         ` Ludovic Courtès
2015-02-24 20:31           ` Mark H Weaver
2015-02-25  0:25             ` Andreas Enge
