/etc/ssl/certs and the certificate bundle

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: /etc/ssl/certs and the certificate bundle
Date: Mon, 02 Mar 2015 23:12:40 +0100	[thread overview]
Message-ID: <87zj7v2gmf.fsf_-_@gnu.org> (raw)
In-Reply-To: <87sidvhx0t.fsf@netris.org> (Mark H. Weaver's message of "Tue, 24 Feb 2015 15:31:14 -0500")

Mark H Weaver <mhw@netris.org> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver <mhw@netris.org> skribis:
>>
>>> No, it's not worse than it was before.  Sorry if I gave that impression.
>>> The only issue is that we might need to generate a single-file
>>> certificate bundle for now, because I haven't found a way to get 'git'
>>> to check certificates on GuixSD without a single-file cert bundle, at
>>> least not when curl is build with GnuTLS.
>>
>> It seems like adding this single-file bundle would be the simplest
>> short-term option.  How would we create that file exactly?
>
> The single-file bundle is just a concatenation of all the individual PEM
> data, starting with "-----BEGIN CERTIFICATE-----" and ending with
> "-----END CERTIFICATE-----", including those delimiters.
>
> The only caveat is that the individual PEM files are not required to
> have a newline after the "-----END CERTIFICATE-----", but in the
> single-file cert bundle, we must ensure that the newline is present.
> See <https://bugs.debian.org/635570>.

OK, I’ve implemented this for GuixSD in commit 993300f.  Thanks to you
and Andreas for your help.

> In order to support multiple packages containing CA certs, it would be
> good to handle creation of the single-file cert bundle in the profile
> generation code, analogous to our handling of info "dir" files.  This
> would allow us to create additional cert packages (e.g. one for
> CAcert.org).
>
> I think it belongs in the profile generation code for the benefit of
> users running Guix packages on top of another distro, where they might
> not have root access.  They can simply set GIT_SSL_CAINFO and
> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>
> What do you think?

It’s a good but as of yet unimplemented idea.

Although I now realize we could perhaps simple move the
‘certificate-bundle’ procedure to (guix profile), add the certificate
package to the system profile, and make /etc/ssl a symlink to
/run/current-system/profile/etc/ssl.

However there’s the complication that all the files of ‘nss-certs’ would
still be there in addition to the bundle.  Hmm.

Thoughts?

Ludo’.

next prev parent reply	other threads:[~2015-03-02 22:12 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-02-02 23:11 [PATCH] gnu: gnutls: Configure location of system-wide trust store Mark H Weaver
2015-02-03  0:01 ` David Thompson
2015-02-03 20:53 ` Ludovic Courtès
2015-02-03 20:57   ` Marek Benc
2015-02-04 12:36 ` Andreas Enge
2015-02-04 12:42   ` Andreas Enge
2015-02-04 15:35   ` Mark H Weaver
2015-02-05  9:59     ` Andreas Enge
2015-02-08 13:36     ` Andreas Enge
2015-02-08 14:29       ` Andreas Enge
2015-02-08 15:24         ` Andreas Enge
2015-02-08 15:59       ` Mark H Weaver
2015-02-15  5:17   ` Mark H Weaver
2015-02-15  9:16     ` Andreas Enge
2015-02-15 16:59       ` Mark H Weaver
2015-02-23 21:34         ` Ludovic Courtès
2015-02-24 20:31           ` Mark H Weaver
2015-02-25  0:25             ` Andreas Enge
2015-03-02 22:12             ` Ludovic Courtès [this message]
2015-03-03  2:25               ` /etc/ssl/certs and the certificate bundle Mark H Weaver
2015-03-03  7:29               ` [PATCHES] profiles: Produce a single-file CA " Mark H Weaver
2015-03-03  8:27                 ` Mark H Weaver
2015-03-03 12:23                   ` Andreas Enge
2015-03-03 12:32                   ` Ludovic Courtès
2015-03-03 19:33                     ` Mark H Weaver
2015-03-03 20:04                       ` Ludovic Courtès
2015-03-03 12:43                 ` Ludovic Courtès
2015-03-03 12:55                   ` Andreas Enge
2015-03-03 20:27                     ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87zj7v2gmf.fsf_-_@gnu.org \
    --to=ludo@gnu.org \
    --cc=guix-devel@gnu.org \
    --cc=mhw@netris.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).