From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Sun, 15 Feb 2015 00:17:59 -0500
Message-ID: <87wq3jah2w.fsf@netris.org>
References: <87r3u7di49.fsf@netris.org>
	<20150204123652.GA21908@debian.eduroam.u-bordeaux.fr>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35021)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1YMrah-0004Fu-JF
	for guix-devel@gnu.org; Sun, 15 Feb 2015 00:18:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1YMrad-0006ID-Ia
	for guix-devel@gnu.org; Sun, 15 Feb 2015 00:17:59 -0500
Received: from world.peace.net ([50.252.239.5]:49610)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1YMrad-0006I1-F9
	for guix-devel@gnu.org; Sun, 15 Feb 2015 00:17:55 -0500
In-Reply-To: <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> (Andreas
	Enge's message of "Wed, 4 Feb 2015 13:36:52 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org

Andreas Enge <andreas@enge.fr> writes:

> On Mon, Feb 02, 2015 at 06:11:02PM -0500, Mark H Weaver wrote:
>> +             "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt")))
>
> I would suggest to use --with-default-trust-store-dir=/etc/ssl/certs instead.
> The option is available in gnutls-3.3.12, which I am building in the
> wip-gnutls branch right now, and which looks good to push.
>
> This would allow us to provide not only a single file, but to potentially
> merge different trust stores. We could also, for instance, prepare a package
> per certification authority, so that the user could install exactly the
> ones he trusts.

It turns out there's a problem with our lack of a single-file
certificate bundle.  Curl has two options to specifying the location of
the trust store: CURLOPT_CAINFO names a single file, and CURLOPT_CAPATH
names a directory.  Unfortunately, although CURLOPT_CAINFO is supported
on both GnuTLS and OpenSSL, CURLOPT_CAPATH is only supported on OpenSSL.

Git uses Curl to fetch from https URLs.  Git supports both
GIT_SSL_CAINFO and GIT_SSL_CAPATH environment variables, and pass those
on to CURLOPT_CAINFO and CURLOPT_CAPATH.

I've set GIT_SSL_CAINFO in my environment for a long time to make Git
check certificates properly on GuixSD, but without the single-file
certificate bundle, I've lost certificate checking in Git.

I see a few ways forward:

(1) Curl's GnuTLS backend could grow support for CURLOPT_CAPATH.

(2) We could create single-file certificate bundles in our certificate
    packages and add support to our profile builder to merge them
    together properly.

(3) We could build Curl with OpenSSL for now.

Option (1) seems best, if someone wants to volunteer for that job very
soon.  In the meantime, I like option (2).

What do you think?

      Mark