From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Roel Janssen <roel@gnu.org>
Cc: "Mark H Weaver" <mhw@netris.org>,
"Ludovic Courtès" <ludo@gnu.org>,
46779@debbugs.gnu.org
Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
Date: Mon, 11 Nov 2024 00:17:06 +0900 [thread overview]
Message-ID: <87pln3azkd.fsf@gmail.com> (raw)
In-Reply-To: <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@gnu.org> (Roel Janssen's message of "Mon, 11 Oct 2021 12:59:24 +0200")
Hi,
I was looking at what Nix does, and they carry this patch, under
pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch:
--8<---------------cut here---------------start------------->8---
allow overriding system trust store location via $NIX_SSL_CERT_FILE
--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -404,6 +404,10 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
unsigned int tl_flags,
unsigned int tl_vflags)
{
- return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES,
- tl_vflags);
+ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
+ const char *file = secure_getenv("NIX_SSL_CERT_FILE");
+ return file
+ ? gnutls_x509_trust_list_add_trust_file(
+ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
+ : add_system_trust(list, tl_flags, tl_vflags);
}
--8<---------------cut here---------------end--------------->8---
I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
above patch and add the $SSL_CERT_FILE search path to bring us closer to
what OpenSSL supports?
I got interested in this problem again as the glib-networking now expect
a valid trust store to exist, and fails half its test suite without it
(and gnutls expecting a fixed location, I can't (easily?) fix this in
the build environment).
--
Thanks,
Maxim
next prev parent reply other threads:[~2024-11-10 15:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 20:03 bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates Maxim Cournoyer
2021-03-01 9:54 ` Ludovic Courtès
2021-03-19 23:13 ` Mark H Weaver
2021-10-07 10:28 ` Roel Janssen
2021-10-08 19:00 ` Mark H Weaver
2021-10-11 10:59 ` Roel Janssen
2024-11-10 15:17 ` Maxim Cournoyer [this message]
2024-11-20 10:45 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pln3azkd.fsf@gmail.com \
--to=maxim.cournoyer@gmail.com \
--cc=46779@debbugs.gnu.org \
--cc=ludo@gnu.org \
--cc=mhw@netris.org \
--cc=roel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.