GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates

Previous Next

Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Thu, 25 Feb 2021 20:04:01 UTC

Severity: normal

Full log

View this message in rfc822 format

From: Mark H Weaver <mhw <at> netris.org>
To: Roel Janssen <roel <at> gnu.org>, Ludovic Courtès <ludo <at> gnu.org>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 46779 <at> debbugs.gnu.org
Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
Date: Fri, 08 Oct 2021 15:00:33 -0400

Roel Janssen <roel <at> gnu.org> writes:

> On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>> 
>> > Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>> > 
>> > > We should patch GnuTLS so that it also honors the SSL_*
>> > > environment
>> > > variables documented in the Guix manual.
>> > 
>> > Note that (1) the SSL_* variables are originally from OpenSSL, and
>> > (2)
>> > GnuTLS developers made the conscious decision to not honor any
>> > environment variable, leaving it up to application developers to do
>> > that.
>> > 
>> > That’s the reason we are in this situation.  See the thread at
>> > <
>> > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
>> > >.
>> 
>> That thread is worth reading, but for those who are short on time, I
>> want to call attention to a specific point I made:
>> 
>>   However, GnuTLS does not support an environment variable setting,
>> so we
>>   would have to patch the code (add_system_trust in lib/system.c).  I
>>   strongly considered doing this, but I'm worried about the possible
>>   security implications.  For example, consider a setuid program that
>> uses
>>   GnuTLS and assumes that the person who ran the program will not be
>>   capable of changing the trust store that GnuTLS uses.  This
>> assumption
>>   would be correct for the upstream GnuTLS, but not for ours.
>> 
>> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
>> 
>
> Would it be an idea to propose the patches, or the idea, for supporting
> the SSL_* variables to the GnuTLS developers?

Sure, please feel free to discuss it with them.

> Or is there a more fundamental reason why GnuTLS does not support
> changing certificate stores at run-time?

I don't know.  It's been many years since I looked at this.

     Thanks,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.
This bug report was last modified 205 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.