[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS ce
|
From: |
Mark H Weaver |
|
Subject: |
bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates |
|
Date: |
Fri, 08 Oct 2021 15:00:33 -0400 |
Roel Janssen <roel@gnu.org> writes:
> On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>> > Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>> >
>> > > We should patch GnuTLS so that it also honors the SSL_*
>> > > environment
>> > > variables documented in the Guix manual.
>> >
>> > Note that (1) the SSL_* variables are originally from OpenSSL, and
>> > (2)
>> > GnuTLS developers made the conscious decision to not honor any
>> > environment variable, leaving it up to application developers to do
>> > that.
>> >
>> > That’s the reason we are in this situation. See the thread at
>> > <
>> > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
>> > >.
>>
>> That thread is worth reading, but for those who are short on time, I
>> want to call attention to a specific point I made:
>>
>> However, GnuTLS does not support an environment variable setting,
>> so we
>> would have to patch the code (add_system_trust in lib/system.c). I
>> strongly considered doing this, but I'm worried about the possible
>> security implications. For example, consider a setuid program that
>> uses
>> GnuTLS and assumes that the person who ran the program will not be
>> capable of changing the trust store that GnuTLS uses. This
>> assumption
>> would be correct for the upstream GnuTLS, but not for ours.
>>
>> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
>>
>
> Would it be an idea to propose the patches, or the idea, for supporting
> the SSL_* variables to the GnuTLS developers?
Sure, please feel free to discuss it with them.
> Or is there a more fundamental reason why GnuTLS does not support
> changing certificate stores at run-time?
I don't know. It's been many years since I looked at this.
Thanks,
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.