GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates

Previous Next

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Roel Janssen <roel <at> gnu.org>
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, 46779 <at> debbugs.gnu.org
Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
Date: Mon, 11 Nov 2024 00:17:06 +0900

Hi,

I was looking at what Nix does, and they carry this patch, under
pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch:

--8<---------------cut here---------------start------------->8---
allow overriding system trust store location via $NIX_SSL_CERT_FILE

--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -404,6 +404,10 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
 					unsigned int tl_flags,
 					unsigned int tl_vflags)
 {
-	return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES,
-				tl_vflags);
+	tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
+	const char *file = secure_getenv("NIX_SSL_CERT_FILE");
+	return file
+		? gnutls_x509_trust_list_add_trust_file(
+			list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
+		: add_system_trust(list, tl_flags, tl_vflags);
 }
--8<---------------cut here---------------end--------------->8---

I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
above patch and add the $SSL_CERT_FILE search path to bring us closer to
what OpenSSL supports?

I got interested in this problem again as the glib-networking now expect
a valid trust store to exist, and fails half its test suite without it
(and gnutls expecting a fixed location, I can't (easily?) fix this in
the build environment).

-- 
Thanks,
Maxim

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.