From: Mark H Weaver
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 05:13:26 -0500
Message-ID: <87sirf8l6h.fsf@netris.org>
References: <87ppmjn7ih.fsf@netris.org> <20140219092644.GA4694@debian.eduroam.u-bordeaux.fr>
In-Reply-To: <20140219092644.GA4694@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 19 Feb 2014 10:26:44 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Andreas Enge
Cc: guix-devel@gnu.org

Hi Andreas,

Andreas Enge writes:

> On Tue, Feb 18, 2014 at 09:47:18PM -0500, Mark H Weaver wrote:
>> This patch is needed to allow gnutls to find the system-wide trust store
>> (trusted CA certificates).
>
>> + "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt")))
>
> As there is no system, and we advertise per user configuration, should this
> not rather be $HOME/.guix-profile/etc/...? Which probably does not work
> as it would be needed to be "resolved" at execution time. Is there any way
> of telling gnutls to use an environment variable?

I'm very sympathetic to your point of view.
I agree that each user should be able to decide which CA certificates to trust. However, GnuTLS does not support an environment variable setting, so we would have to patch the code (add_system_trust in lib/system.c).

I strongly considered doing this, but I'm worried about the possible security implications. For example, consider a setuid program that uses GnuTLS and assumes that the person who ran the program will not be capable of changing the trust store that GnuTLS uses. This assumption would be correct for the upstream GnuTLS, but not for ours.

Here's the thing: GnuTLS does not trust the system store by default. The program has to call 'gnutls_certificate_set_x509_system_trust' to use the system trust store. Therefore, individual programs can still allow the user to override the system trust store.

For example, look at the code for 'wget' (ssl_init in src/gnutls.c). If you put "ca_directory = " in ~/.wgetrc, then wget does not call 'gnutls_certificate_set_x509_system_trust'. Instead, it trusts only the certs in the specified user directory.

So, in the end, I don't think we should mess around with the way GnuTLS was designed. I think we should provide a hard-coded system-wide location to allow 'gnutls_certificate_set_x509_system_trust' to work as it was intended, and instead we should make sure that each individual program has a way to override that.

What do you think?

Regards,
Mark