From: Roel Janssen <roel@gnu.org>
To: "Mark H Weaver" <mhw@netris.org>,
"Ludovic Courtès" <ludo@gnu.org>,
"Maxim Cournoyer" <maxim.cournoyer@gmail.com>
Cc: 46779@debbugs.gnu.org
Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
Date: Mon, 11 Oct 2021 12:59:24 +0200 [thread overview]
Message-ID: <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@gnu.org> (raw)
In-Reply-To: <87k0in1gur.fsf@netris.org>
On Fri, 2021-10-08 at 15:00 -0400, Mark H Weaver wrote:
> Roel Janssen <roel@gnu.org> writes:
>
> > On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> > > Ludovic Courtès <ludo@gnu.org> writes:
> > >
> > > > Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> > > >
> > > > > We should patch GnuTLS so that it also honors the SSL_*
> > > > > environment
> > > > > variables documented in the Guix manual.
> > > >
> > > > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > > > (2)
> > > > GnuTLS developers made the conscious decision to not honor any
> > > > environment variable, leaving it up to application developers to do
> > > > that.
> > > >
> > > > That’s the reason we are in this situation. See the thread at
> > > > <
> > > > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
> > > > > .
> > >
> > > That thread is worth reading, but for those who are short on time, I
> > > want to call attention to a specific point I made:
> > >
> > > However, GnuTLS does not support an environment variable setting,
> > > so we
> > > would have to patch the code (add_system_trust in lib/system.c). I
> > > strongly considered doing this, but I'm worried about the possible
> > > security implications. For example, consider a setuid program that
> > > uses
> > > GnuTLS and assumes that the person who ran the program will not be
> > > capable of changing the trust store that GnuTLS uses. This
> > > assumption
> > > would be correct for the upstream GnuTLS, but not for ours.
> > >
> > > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
> > >
> >
> > Would it be an idea to propose the patches, or the idea, for supporting
> > the SSL_* variables to the GnuTLS developers?
>
> Sure, please feel free to discuss it with them.
I submitted a feature request here:
https://gitlab.com/gnutls/gnutls/-/issues/1279
> > Or is there a more fundamental reason why GnuTLS does not support
> > changing certificate stores at run-time?
>
> I don't know. It's been many years since I looked at this.
>
Well, thank you for having looked at it in the past. :)
Hopefully we will find out more by means of the feature request I submitted.
Kind regards,
Roel Janssen
prev parent reply other threads:[~2021-10-11 11:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 20:03 bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates Maxim Cournoyer
2021-03-01 9:54 ` Ludovic Courtès
2021-03-19 23:13 ` Mark H Weaver
2021-10-07 10:28 ` Roel Janssen
2021-10-08 19:00 ` Mark H Weaver
2021-10-11 10:59 ` Roel Janssen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=02120ab2080916fba3d6ff6b6909e4d478739b10.camel@gnu.org \
--to=roel@gnu.org \
--cc=46779@debbugs.gnu.org \
--cc=ludo@gnu.org \
--cc=maxim.cournoyer@gmail.com \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.