Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
From: Roel Janssen
To: Mark H Weaver, Ludovic Courtès, Maxim Cournoyer
Cc: 46779@debbugs.gnu.org
Date: Thu, 07 Oct 2021 12:28:04 +0200
In-Reply-To: <87o8fen3d0.fsf@netris.org>
References: <87im6f9aq2.fsf@gmail.com> <87y2f7td00.fsf@gnu.org> <87o8fen3d0.fsf@netris.org>
On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> Ludovic Courtès writes:
>
> > Maxim Cournoyer skribis:
> >
> > > We should patch GnuTLS so that it also honors the SSL_* environment
> > > variables documented in the Guix manual.
> >
> > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > (2) GnuTLS developers made the conscious decision to not honor any
> > environment variable, leaving it up to application developers to do
> > that.
> >
> > That's the reason we are in this situation.  See the thread at
> > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
>
> That thread is worth reading, but for those who are short on time, I
> want to call attention to a specific point I made:
>
>   However, GnuTLS does not support an environment variable setting, so we
>   would have to patch the code (add_system_trust in lib/system.c).  I
>   strongly considered doing this, but I'm worried about the possible
>   security implications.  For example, consider a setuid program that uses
>   GnuTLS and assumes that the person who ran the program will not be
>   capable of changing the trust store that GnuTLS uses.  This assumption
>   would be correct for the upstream GnuTLS, but not for ours.
>

Would it be an idea to propose the patches, or the idea, for supporting
the SSL_* variables to the GnuTLS developers?  Or is there a more
fundamental reason why GnuTLS does not support changing certificate
stores at run-time?

Perhaps I have missed a solution that has already made it in Guix.  If
that is the case, I would like to know about it. :)

Kind regards,
Roel Janssen
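The setuid concern quoted above is the same one glibc's secure_getenv(3) addresses: an environment-controlled trust store is only safe to honor when the invoking user already controls the process. The following is an added example, not code from GnuTLS, Guix or any participant in this thread, of how an application that links GnuTLS could honor the OpenSSL-style SSL_CERT_FILE / SSL_CERT_DIR overrides while falling back to the compiled-in /etc/ssl/certs whenever the process runs with elevated privileges. The names DEFAULT_CA_DIR, trust_source, choose_trust_source and running_privileged are this example's own assumptions; the GnuTLS calls named in the comments are the real library entry points an application would pass the chosen path to.

```c
/* Added example (not GnuTLS or Guix code): select the CA trust location
 * for a GnuTLS-based application, honoring SSL_CERT_FILE / SSL_CERT_DIR
 * only in an unprivileged process.  Policy mirrors glibc's secure_getenv(3):
 * a setuid/setgid binary must not be steerable to an attacker's trust store
 * by whoever invoked it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The hard-coded default the bug report is about (assumed here as the
 * fallback an application would compile in). */
#define DEFAULT_CA_DIR "/etc/ssl/certs"

typedef struct {
    const char *path;   /* file or directory to load trust anchors from */
    int is_dir;         /* 1: hand to gnutls_certificate_set_x509_trust_dir,
                           0: hand to gnutls_certificate_set_x509_trust_file */
    int from_env;       /* 1 if the location came from the environment */
} trust_source;

/* Pure policy function, parameterised on the environment values and the
 * privilege state so it can be exercised without actually being setuid.
 * SSL_CERT_FILE wins over SSL_CERT_DIR, as in OpenSSL; empty values are
 * treated as unset. */
trust_source choose_trust_source(const char *env_file, const char *env_dir,
                                 int privileged)
{
    trust_source s = { DEFAULT_CA_DIR, 1, 0 };

    if (privileged)
        return s;                 /* ignore the environment entirely */

    if (env_file != NULL && *env_file != '\0') {
        s.path = env_file;
        s.is_dir = 0;
        s.from_env = 1;
    } else if (env_dir != NULL && *env_dir != '\0') {
        s.path = env_dir;
        s.is_dir = 1;
        s.from_env = 1;
    }
    return s;
}

/* Privileged means the real and effective IDs differ, i.e. the kernel
 * raised privileges for this image (setuid/setgid bits).  This is the
 * portable approximation; see the note after the block for AT_SECURE. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Convenience wrapper reading the actual process environment. */
trust_source choose_trust_source_from_process(void)
{
    return choose_trust_source(getenv("SSL_CERT_FILE"),
                               getenv("SSL_CERT_DIR"),
                               running_privileged());
}

int main(void)
{
    trust_source s = choose_trust_source_from_process();

    printf("trust %s: %s (%s)\n",
           s.is_dir ? "dir" : "file", s.path,
           s.from_env ? "from environment" : "built-in default");

    /* In a real client the next step would be one of
     *   gnutls_certificate_set_x509_trust_dir(cred, s.path, GNUTLS_X509_FMT_PEM);
     *   gnutls_certificate_set_x509_trust_file(cred, s.path, GNUTLS_X509_FMT_PEM);
     * on an initialised gnutls_certificate_credentials_t, before the
     * handshake that relies on it. */
    return 0;
}
```

Build with `cc -o trust trust.c` and compare `./trust` against `SSL_CERT_DIR=/tmp/certs ./trust`; after `chmod u+s` and running as a different user the override is ignored. The real/effective ID comparison is the portable check; on glibc, `secure_getenv` consults the kernel's AT_SECURE flag instead, which also covers privileges raised through file capabilities, so a Linux-only implementation should prefer it. A program that has already dropped to its real user ID (`setuid(getuid())`) will see equal IDs and accept the override, which is correct only if the saved set-user-ID was dropped as well.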