From: Mark H Weaver <mhw@netris.org>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Sun, 15 Feb 2015 00:17:59 -0500
Message-ID: <87wq3jah2w.fsf@netris.org>
In-Reply-To: <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 4 Feb 2015 13:36:52 +0100")

Andreas Enge <andreas@enge.fr> writes:

> On Mon, Feb 02, 2015 at 06:11:02PM -0500, Mark H Weaver wrote:
>> +             "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt")))
>
> I would suggest to use --with-default-trust-store-dir=/etc/ssl/certs instead.
> The option is available in gnutls-3.3.12, which I am building in the
> wip-gnutls branch right now, and which looks good to push.
>
> This would allow us to provide not only a single file, but to potentially
> merge different trust stores. We could also, for instance, prepare a package
> per certification authority, so that the user could install exactly the
> ones he trusts.

It turns out there's a problem with our lack of a single-file
certificate bundle.  Curl has two options for specifying the location of
the trust store: CURLOPT_CAINFO names a single file, and CURLOPT_CAPATH
names a directory.  Unfortunately, although CURLOPT_CAINFO is supported
on both GnuTLS and OpenSSL, CURLOPT_CAPATH is only supported on OpenSSL.

Git uses Curl to fetch from https URLs.  Git supports both the
GIT_SSL_CAINFO and GIT_SSL_CAPATH environment variables, and passes those
on to CURLOPT_CAINFO and CURLOPT_CAPATH.

I've set GIT_SSL_CAINFO in my environment for a long time to make Git
check certificates properly on GuixSD, but without the single-file
certificate bundle, I've lost certificate checking in Git.

I see a few ways forward:

(1) Curl's GnuTLS backend could grow support for CURLOPT_CAPATH.

(2) We could create single-file certificate bundles in our certificate
    packages and add support to our profile builder to merge them
    together properly.

(3) We could build Curl with OpenSSL for now.

Option (1) seems best, if someone wants to volunteer for that job very
soon.  In the meantime, I like option (2).

What do you think?

      Mark
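The single-file bundle that option (2) calls for is essentially a merge of every per-package trust store into one PEM file that GIT_SSL_CAINFO (and curl's CURLOPT_CAINFO) can point at. The script below is an added example, not code from the Guix project or from any patch in this thread. It assumes each package ships its certificates as `.pem`/`.crt` files under a directory such as `etc/ssl/certs`, and it uses constructed placeholder certificate bodies rather than real CA certificates; the merge keys on the base64 body so that a CA shipped by two packages appears once in the bundle.

```python
"""Merge per-package CA certificate files into one PEM bundle.

Added example, not code from the Guix project or the thread's authors.
Assumes each trust-store directory holds PEM files with one or more
'-----BEGIN CERTIFICATE-----' blocks; the certificates in the demo are
constructed placeholders, not real CAs.
"""
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return the whitespace-normalized base64 body of every certificate block."""
    return ["".join(body.split()) for body in PEM_BLOCK.findall(text)]


def merge_trust_stores(directories):
    """Collect certificates from every *.pem / *.crt file in the given directories.

    A certificate shipped by two packages is kept once, keyed by its base64
    body; order of first appearance is preserved.  Returns the unique bodies.
    """
    seen = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue  # a package without a trust store contributes nothing
        for name in sorted(os.listdir(directory)):
            if not name.endswith((".pem", ".crt")):
                continue  # README, hash symlinks etc. are not certificates
            with open(os.path.join(directory, name), encoding="ascii",
                      errors="replace") as fh:
                for body in pem_blocks(fh.read()):
                    seen.setdefault(body, name)
    return list(seen)


def write_bundle(bodies, path):
    """Write the bodies as one PEM bundle (64-char lines); return the count."""
    with open(path, "w", encoding="ascii") as out:
        for body in bodies:
            out.write("-----BEGIN CERTIFICATE-----\n")
            for i in range(0, len(body), 64):
                out.write(body[i:i + 64] + "\n")
            out.write("-----END CERTIFICATE-----\n")
    return len(bodies)


def build_demo_bundle():
    """Construct two per-package trust-store directories (placeholder
    certificates), merge them and write the bundle.  Returns (bodies, path)."""
    root = tempfile.mkdtemp(prefix="trust-store-demo-")
    cert_a = "MIIBAQ" + "A" * 60  # constructed placeholder bodies, not real DER
    cert_b = "MIIBAg" + "B" * 60
    cert_c = "MIIBAw" + "C" * 60

    def pem(body):
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                + "\n-----END CERTIFICATE-----\n")

    pkg1 = os.path.join(root, "pkg1", "etc", "ssl", "certs")
    pkg2 = os.path.join(root, "pkg2", "etc", "ssl", "certs")
    os.makedirs(pkg1)
    os.makedirs(pkg2)
    files = {
        (pkg1, "ca-one.pem"): pem(cert_a),
        (pkg1, "ca-two.crt"): pem(cert_b),
        # pkg2 ships ca-one again (duplicate) and a file with two CAs
        (pkg2, "ca-one.pem"): pem(cert_a),
        (pkg2, "extra.pem"): pem(cert_c) + pem(cert_b),
        (pkg2, "README"): "not a certificate\n",
    }
    for (directory, name), content in files.items():
        with open(os.path.join(directory, name), "w", encoding="ascii") as fh:
            fh.write(content)

    bodies = merge_trust_stores([pkg1, pkg2])
    bundle = os.path.join(root, "ca-certificates.crt")
    write_bundle(bodies, bundle)
    return bodies, bundle


if __name__ == "__main__":
    bodies, bundle = build_demo_bundle()
    print(f"{len(bodies)} unique certificates written to {bundle}")
    # Point Git's Curl backend at the bundle, e.g.:
    #   export GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
```

The demo merges three distinct certificates from five candidate files (one duplicate, one non-certificate file) into a bundle that re-parses to exactly the same three bodies, which is the property a profile hook would want to guarantee before exposing the file through GIT_SSL_CAINFO.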

2015-02-02 23:11 [PATCH] gnu: gnutls: Configure location of system-wide trust store Mark H Weaver
2015-02-03  0:01 ` David Thompson
2015-02-03 20:53 ` Ludovic Courtès
2015-02-03 20:57   ` Marek Benc
2015-02-04 12:36 ` Andreas Enge
2015-02-04 12:42   ` Andreas Enge
2015-02-04 15:35   ` Mark H Weaver
2015-02-05  9:59     ` Andreas Enge
2015-02-08 13:36     ` Andreas Enge
2015-02-08 14:29       ` Andreas Enge
2015-02-08 15:24         ` Andreas Enge
2015-02-08 15:59       ` Mark H Weaver
2015-02-15  5:17   ` Mark H Weaver [this message]
2015-02-15  9:16     ` Andreas Enge
2015-02-15 16:59       ` Mark H Weaver
2015-02-23 21:34         ` Ludovic Courtès
2015-02-24 20:31           ` Mark H Weaver
2015-02-25  0:25             ` Andreas Enge
2015-03-02 22:12             ` /etc/ssl/certs and the certificate bundle Ludovic Courtès
2015-03-03  2:25               ` Mark H Weaver
2015-03-03  7:29               ` [PATCHES] profiles: Produce a single-file CA " Mark H Weaver
2015-03-03  8:27                 ` Mark H Weaver
2015-03-03 12:23                   ` Andreas Enge
2015-03-03 12:32                   ` Ludovic Courtès
2015-03-03 19:33                     ` Mark H Weaver
2015-03-03 20:04                       ` Ludovic Courtès
2015-03-03 12:43                 ` Ludovic Courtès
2015-03-03 12:55                   ` Andreas Enge
2015-03-03 20:27                     ` Ludovic Courtès
  -- strict thread matches above, loose matches on Subject: below --
2014-02-19  2:47 [PATCH] gnu: gnutls: Configure location of system-wide trust store Mark H Weaver
2014-02-19  9:26 ` Andreas Enge
2014-02-19 10:13   ` Mark H Weaver
2014-02-19 12:13     ` Andreas Enge
2014-02-19 13:40       ` Ludovic Courtès
2014-02-19 14:08         ` Andreas Enge
2014-02-19 14:37           ` Sree Harsha Totakura
2014-02-19 21:52           ` Ludovic Courtès
2014-02-20 19:39             ` Andreas Enge
2014-02-20 22:08               ` Ludovic Courtès
2014-02-20 18:01           ` Mark H Weaver
