GNU bug report logs -
#46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
Previous Next
Full log
Message #11 received at 46779 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> We should patch GnuTLS so that it also honors the SSL_* environment
>> variables documented in the Guix manual.
>
> Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
> GnuTLS developers made the conscious decision to not honor any
> environment variable, leaving it up to application developers to do
> that.
>
> That’s the reason we are in this situation. See the thread at
> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
That thread is worth reading, but for those who are short on time, I
want to call attention to a specific point I made:
However, GnuTLS does not support an environment variable setting, so we
would have to patch the code (add_system_trust in lib/system.c). I
strongly considered doing this, but I'm worried about the possible
security implications. For example, consider a setuid program that uses
GnuTLS and assumes that the person who ran the program will not be
capable of changing the trust store that GnuTLS uses. This assumption
would be correct for the upstream GnuTLS, but not for ours.
<https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
Thanks,
Mark
This bug report was last modified 205 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.