From: Mark H Weaver
Subject: Re: /etc/ssl/certs and the certificate bundle
Date: Mon, 02 Mar 2015 21:25:24 -0500
Message-ID: <87fv9mn7fv.fsf@netris.org>
References: <87r3u7di49.fsf@netris.org> <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian> <87sie79km0.fsf@netris.org> <87mw441fdp.fsf@gnu.org> <87sidvhx0t.fsf@netris.org> <87zj7v2gmf.fsf_-_@gnu.org>
In-Reply-To: <87zj7v2gmf.fsf_-_@gnu.org> (Ludovic Courtès's message of "Mon, 02 Mar 2015 23:12:40 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver skribis:
>
>> The single-file bundle is just a concatenation of all the individual PEM
>> data, starting with "-----BEGIN CERTIFICATE-----" and ending with
>> "-----END CERTIFICATE-----", including those delimiters.
>>
>> The only caveat is that the individual PEM files are not required to
>> have a newline after the "-----END CERTIFICATE-----", but in the
>> single-file cert bundle, we must ensure that the newline is present.
>> See .
>
> OK, I've implemented this for GuixSD in commit 993300f. Thanks to you
> and Andreas for your help.

Thank you!

>> In order to support multiple packages containing CA certs, it would be
>> good to handle creation of the single-file cert bundle in the profile
>> generation code, analogous to our handling of info "dir" files. This
>> would allow us to create additional cert packages (e.g. one for
>> CAcert.org).
>>
>> I think it belongs in the profile generation code for the benefit of
>> users running Guix packages on top of another distro, where they might
>> not have root access. They can simply set GIT_SSL_CAINFO and
>> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>>
>> What do you think?
>
> It's a good but as of yet unimplemented idea.
>
> Although I now realize we could perhaps simply move the
> 'certificate-bundle' procedure to (guix profile), add the certificate
> package to the system profile, and make /etc/ssl a symlink to
> /run/current-system/profile/etc/ssl. I think this would be ideal.
> However there's the complication that all the files of 'nss-certs' would
> still be there in addition to the bundle. Hmm.

That's a feature, not a bug. It is more efficient to look up the
individual files by their hash-named symlinks than to read the entire
certificate bundle as one file. The only problem is that some
combinations of software don't yet support this mode. For example,
libcurl (used by git) only supports the single-file mode when it is
linked with GnuTLS. When linked with OpenSSL it supports both modes.
(This is a limitation of libcurl's backend for GnuTLS, not an inherent
problem with GnuTLS.)

Thanks,
Mark
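The bundle construction discussed above (concatenate every PEM file, and guarantee a newline after each "-----END CERTIFICATE-----" even when the source file omits it), as an added shell example that is not Guix's own 'certificate-bundle' procedure. The function names (make_cert_bundle, count_certs, bundle_is_clean) and the sample PEM files are constructed for this illustration; the sample files contain placeholder base64, not real certificates.

```shell
#!/bin/sh
# Added example, not Guix's own `certificate-bundle' procedure: build a
# single-file CA bundle (ca-certificates.crt) from a directory of PEM files.
# The one rule from the thread: every "-----END CERTIFICATE-----" must be
# followed by a newline, even when the source file omits it, or the next
# "-----BEGIN CERTIFICATE-----" lands on the same line and parsers choke.

# make_cert_bundle DIR OUT
# Concatenate DIR/*.pem into OUT in sorted (reproducible) order.  Files that
# lack the PEM delimiters are skipped with a warning instead of being copied.
make_cert_bundle() {
    dir=$1
    out=$2
    : > "$out"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
           ! grep -q -- '-----END CERTIFICATE-----' "$pem"; then
            echo "make_cert_bundle: skipping $pem (no PEM delimiters)" >&2
            continue
        fi
        cat "$pem" >> "$out"
        # $(tail -c 1 ...) is empty exactly when the last byte is a newline
        # (command substitution strips it); otherwise add the missing one.
        if [ -n "$(tail -c 1 "$pem")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# count_certs FILE: number of certificate entries in a bundle.
count_certs() {
    grep -c -- '-----END CERTIFICATE-----' "$1"
}

# bundle_is_clean FILE: succeed only if no line carries both an END and a
# BEGIN delimiter, i.e. no two entries were glued together.
bundle_is_clean() {
    ! grep -q -- 'END CERTIFICATE-----.*BEGIN CERTIFICATE-----' "$1"
}

# --- constructed demo input (placeholder base64, not real certificates) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedA==' \
    '-----END CERTIFICATE-----' > "$demo_dir/a-root.pem"
# Second file deliberately has no trailing newline after the END line.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedB==' \
    '-----END CERTIFICATE-----' > "$demo_dir/b-root.pem"
# Not a certificate: must be skipped, not copied into the bundle.
printf 'junk\n' > "$demo_dir/notes.pem"

BUNDLE="$demo_dir/ca-certificates.crt"
make_cert_bundle "$demo_dir" "$BUNDLE"
echo "bundle has $(count_certs "$BUNDLE") certificates"
```

Pointing SSL_CERT_FILE or GIT_SSL_CAINFO at the resulting file is the single-file mode the thread describes; the per-file, hash-named-symlink directory mode is independent of this script and is unaffected by it.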