Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
From: Roel Janssen
To: Mark H Weaver, Ludovic Courtès, Maxim Cournoyer
Cc: 46779@debbugs.gnu.org
Date: Mon, 11 Oct 2021 12:59:24 +0200
Message-ID: <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@gnu.org>
In-Reply-To: <87k0in1gur.fsf@netris.org>

On Fri, 2021-10-08 at 15:00 -0400, Mark H Weaver wrote:
> Roel Janssen writes:
>
> > On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> > > Ludovic Courtès writes:
> > >
> > > > Maxim Cournoyer skribis:
> > > >
> > > > > We should patch GnuTLS so that it also honors the SSL_*
> > > > > environment variables documented in the Guix manual.
> > > >
> > > > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > > > (2) GnuTLS developers made the conscious decision to not honor any
> > > > environment variable, leaving it up to application developers to do
> > > > that.
> > > >
> > > > That's the reason we are in this situation.  See the thread at
> > > > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
> > >
> > > That thread is worth reading, but for those who are short on time, I
> > > want to call attention to a specific point I made:
> > >
> > >   However, GnuTLS does not support an environment variable setting,
> > >   so we would have to patch the code (add_system_trust in
> > >   lib/system.c).  I strongly considered doing this, but I'm worried
> > >   about the possible security implications.  For example, consider a
> > >   setuid program that uses GnuTLS and assumes that the person who ran
> > >   the program will not be capable of changing the trust store that
> > >   GnuTLS uses.  This assumption would be correct for the upstream
> > >   GnuTLS, but not for ours.
> >
> > Would it be an idea to propose the patches, or the idea, for supporting
> > the SSL_* variables to the GnuTLS developers?
>
> Sure, please feel free to discuss it with them.

I submitted a feature request here:
https://gitlab.com/gnutls/gnutls/-/issues/1279

> > Or is there a more fundamental reason why GnuTLS does not support
> > changing certificate stores at run-time?
>
> I don't know.  It's been many years since I looked at this.

Well, thank you for having looked at it in the past. :)

Hopefully we will find out more by means of the feature request I submitted.

Kind regards,
Roel Janssen
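The setuid concern quoted above (a privileged program must not let its unprivileged caller pick the trust store through the environment), shown as an added example that is not code from this thread, from GnuTLS or from Guix: a lookup that honors an SSL_* override only when the process is not running with privileges it did not inherit from its caller. SSL_CERT_DIR and SSL_CERT_FILE are the variable names the Guix manual documents; the function names, the struct and the rejection of relative paths are this example's own choices. On glibc, secure_getenv(3) implements the same refusal using the kernel's AT_SECURE flag, which also covers file capabilities that the plain uid/gid comparison below cannot see.

```c
/* Added example (not GnuTLS or Guix code): choose the CA trust store for a
 * TLS library, refusing an environment override when the process runs with
 * privileges its caller does not have.  Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Compiled-in defaults, mirroring the hard-coded path from the bug title. */
#define DEFAULT_CERT_DIR  "/etc/ssl/certs"
#define DEFAULT_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"

struct trust_source {
    const char *dir;   /* directory of hashed CA certificates */
    const char *file;  /* single CA bundle file */
};

/* True when the real and effective identities differ, i.e. the binary is
 * setuid/setgid and the caller could steer a privileged process through its
 * environment.  Caveat: file capabilities (setcap) elevate a process without
 * changing ids; glibc's secure_getenv(3) checks the kernel's AT_SECURE flag,
 * which covers that case as well. */
static int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision function, kept apart from getenv()/getuid() so it can be
 * exercised with constructed inputs.  Returns the override only when the
 * process is unprivileged and the value is a non-empty absolute path;
 * otherwise the compiled-in default.  Relative paths are rejected here as a
 * design choice: they would resolve against the caller's working directory. */
const char *select_trust_path(const char *env_value, int privileged,
                              const char *compiled_default)
{
    if (privileged)
        return compiled_default;
    if (env_value == NULL || env_value[0] == '\0')
        return compiled_default;
    if (env_value[0] != '/')
        return compiled_default;
    return env_value;
}

/* Apply the policy to the real process state and both SSL_* variables. */
struct trust_source trust_source_from_environment(void)
{
    int privileged = running_privileged();
    struct trust_source src;
    src.dir  = select_trust_path(getenv("SSL_CERT_DIR"),  privileged,
                                 DEFAULT_CERT_DIR);
    src.file = select_trust_path(getenv("SSL_CERT_FILE"), privileged,
                                 DEFAULT_CERT_FILE);
    return src;
}

int main(void)
{
    struct trust_source src = trust_source_from_environment();
    printf("privileged: %d\n", running_privileged());
    printf("CA directory: %s\n", src.dir);
    printf("CA bundle:    %s\n", src.file);
    return 0;
}
```

Run it once normally and once with SSL_CERT_DIR pointing at a writable directory; then install the binary setuid to a test account and repeat: the override is taken in the first case and silently ignored in the second, which is the property the quoted paragraph says upstream GnuTLS gets for free by never consulting the environment.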