From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id kH9gEt/BIGR8aAAASxT56A (envelope-from ) for ; Mon, 27 Mar 2023 00:06:23 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id MJ23Ed/BIGQcCQEAG6o9tA (envelope-from ) for ; Mon, 27 Mar 2023 00:06:23 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 55724459CB for ; Mon, 27 Mar 2023 00:06:22 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=kb8ojh.net header.s=cathode header.b=cIYFQEnJ; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1679868383; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=CJBHjVxyLzX/HO9B+Uhif30BJe8v7NBa7Nf2rL6Sc2Q=; b=lSGylHY9CS+wBgFpDBYqe4mvoRzTr6KY+Wyl1AcGKajASvCYzBCF7O6EM5yeE/3iHdtlnN ZmVkJsrhPi9LF3MRP8UZ3cKwtgJMTDaUjb4xNDaZ3R348umMWrS2YnONHRgITxjxHs2Xeb QP4uz3wLShv7LaT32YMFW+0cbDj6IQVK5bEXGKduAjuM4OQfqPgpqqNOxYSx5+u3FDtWE/ DFWCSal7YcyaWzlkTxGvHIBaPQ4EWv4VJ78RUT41TnFI+aA9eUrUTsLkdSso+Qui9X3I1h u6sbMo+DT4PC8dqdxvF7P3NT5v1RZjWYOAog6wMJQZ3hRpZd1ZyUdoTtmK72vQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1679868383; a=rsa-sha256; cv=none; b=RZpmVIdnfzgbd90eaepIzDmb2xhrXJo9z2ZnVsPMeAOpmpIjPokHezeXsy7xEjUNqQ/1bE teZrJ3GELwRDlxBY85olG+adK+jny+w8NJ7LINpfTWmXOuAHgMsXyVgxn46PRR5LClZm9D Ef+uGbiJ7oPtQSA6uFL6nEHy14y4iGA3RH5l1TeNNppt9PecbwrKwe0/M8gi+1SOZ2qBme 7E45XLzIAj6v7O1z310BUz0ZReMZkTG961q8YU3oBl0QGly4Fh6bsvjqMv22ce9OLGNktA Lzm2zpD7fH4I+JGq2au8r4usIt/FqalkSFa67agaj6xqhG+P3wqdXNIu9G0w8g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=kb8ojh.net header.s=cathode header.b=cIYFQEnJ; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pgYV4-000896-Py; Sun, 26 Mar 2023 18:06:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pgYV1-00088Z-Ld for bug-guix@gnu.org; Sun, 26 Mar 2023 18:06:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pgYV1-0005PN-DU for bug-guix@gnu.org; Sun, 26 Mar 2023 18:06:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pgYV1-0000Lt-3P for bug-guix@gnu.org; Sun, 26 Mar 2023 18:06:03 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#61557: vdirsyncer fails to verify certificates References: In-Reply-To: Resent-From: Ethan Blanton Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sun, 26 Mar 2023 22:06:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 61557 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 61557@debbugs.gnu.org Received: via spool by 61557-submit@debbugs.gnu.org id=B61557.16798683271256 (code B ref 61557); Sun, 26 Mar 2023 22:06:03 +0000 Received: (at 61557) by debbugs.gnu.org; 26 Mar 2023 22:05:27 +0000 Received: from localhost ([127.0.0.1]:46036 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgYUQ-0000KC-IN for submit@debbugs.gnu.org; Sun, 26 Mar 2023 18:05:26 -0400 Received: from cathode.kb8ojh.net ([162.243.72.198]:36424) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgYUO-0000K4-Q5 for 61557@debbugs.gnu.org; Sun, 26 Mar 2023 18:05:25 -0400 Received: from anode.kb8ojh.net (pool-68-133-30-163.bflony.fios.verizon.net [68.133.30.163]) by cathode.kb8ojh.net (Postfix) with ESMTPSA id CD7D94040B for <61557@debbugs.gnu.org>; Sun, 26 Mar 2023 22:05:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kb8ojh.net; s=cathode; t=1679868323; bh=DvKaJUqkDAmWw41ipL3xjemwgeWqAW2ZaQtWaaV53ww=; h=Date:From:To:Subject:From; b=cIYFQEnJkrPkU0/rAiIwcAiUP6XFdBfDvRvQo9FDMZuf5o/JXx4xwC5rmcYSc59ua n3erTWV+i90ytfs7hN7M9JtHNsdUYk1SZyvsFV0lt8iQrCxHoF9sOE/uf63IFYyROd 3J+mUVcCfiEJYuVQJ19g478xU5T2tG8FEqhYgDu4= Received: by anode.kb8ojh.net (Postfix, from userid 1000) id 56D61418AA; Sun, 26 Mar 2023 18:05:25 -0400 (EDT) Date: Sun, 26 Mar 2023 18:05:25 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GnuPG-Fingerprint: 2A9A 7752 8B91 6586 6289 FD3D 6CA9 2AC6 A1A8 AD0E X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Migadu-Queue-Id: 55724459CB X-Spam-Score: -3.33 X-Migadu-Spam-Score: -3.33 X-Migadu-Scanner: scn0.migadu.com Reply-to: Ethan Blanton From: Ethan Blanton via Bug reports for GNU Guix Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-TUID: Ig0QuWtN/wHK (Pardon the delay, for some reason I do not get email notifications for this bug.) I had read the X.509 Certificates section of the manual, but since my certificates ARE in the default location of /etc/ssl/certs, and vdirsyncer had previously worked, for some reason I did not dig into it deeply enough, or perhaps I attempted to set it up wrongly at some point in the past. Setting SSL_CERT_DIR=/etc/ssl/certs in my environment fixes the vdirsyncer package, and it syncs correctly. I have also discovered that python aiohttp will correctly verify certificates WITHOUT this environment variable with: guix shell -P -C -N python python-aiohttp nss-certs openssl Leaving out EITHER nss-certs OR openssl causes aiohttp to exhibit the same behavior as vdirsyncer. However, including both of these packages in the same (foreign distro) profile that includes vdirsyncer does NOT cause vdirsyncer to correctly verify certificates. I am not sure what this means for this bug; certainly the change from "working without extra configuration" to "broken without extra configuration" is a regression in user experience, but it may be that it is working as intended. It seems to me that the principle of least astonishment for foreign distro users would suggest that python aiohttp defaults to loading /etc/ssl/certs from the foreign distro, if present.