bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates

[Roel Janssen <roel@gnu.org>]

On Fri, 2021-10-08 at 15:00 -0400, Mark H Weaver wrote:
> Roel Janssen <roel@gnu.org> writes:
> 
> > On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> > > Ludovic Courtès <ludo@gnu.org> writes:
> > > 
> > > > Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> > > > 
> > > > > We should patch GnuTLS so that it also honors the SSL_*
> > > > > environment
> > > > > variables documented in the Guix manual.
> > > > 
> > > > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > > > (2)
> > > > GnuTLS developers made the conscious decision to not honor any
> > > > environment variable, leaving it up to application developers to do
> > > > that.
> > > > 
> > > > That’s the reason we are in this situation.  See the thread at
> > > > <
> > > > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
> > > > > .
> > > 
> > > That thread is worth reading, but for those who are short on time, I
> > > want to call attention to a specific point I made:
> > > 
> > >   However, GnuTLS does not support an environment variable setting,
> > > so we
> > >   would have to patch the code (add_system_trust in lib/system.c).  I
> > >   strongly considered doing this, but I'm worried about the possible
> > >   security implications.  For example, consider a setuid program that
> > > uses
> > >   GnuTLS and assumes that the person who ran the program will not be
> > >   capable of changing the trust store that GnuTLS uses.  This
> > > assumption
> > >   would be correct for the upstream GnuTLS, but not for ours.
> > > 
> > > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
> > > 
> > 
> > Would it be an idea to propose the patches, or the idea, for supporting
> > the SSL_* variables to the GnuTLS developers?
> 
> Sure, please feel free to discuss it with them.

I submitted a feature request here:
https://gitlab.com/gnutls/gnutls/-/issues/1279

> > Or is there a more fundamental reason why GnuTLS does not support
> > changing certificate stores at run-time?
> 
> I don't know.  It's been many years since I looked at this.
> 

Well, thank you for having looked at it in the past. :)
Hopefully we will find out more by means of the feature request I submitted.

Kind regards,
Roel Janssen