GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates


Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Thu, 25 Feb 2021 20:04:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#46779: closed (GnuTLS uses the hard-coded /etc/ssl/certs
 location for TLS certificates)
Date: Wed, 06 Aug 2025 05:06:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Wed, 06 Aug 2025 14:05:43 +0900
with message-id <87tt2lvy3c.fsf <at> guixotic.coop>
and subject line Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
has caused the debbugs.gnu.org bug report #46779,
regarding GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
46779: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46779
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: bug-guix <bug-guix <at> gnu.org>
Subject: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS
 certificates
Date: Thu, 25 Feb 2021 15:03:01 -0500
Hello,

Consider this:

$ guix environment --container --network -E SSL --expose=$SSL_CERT_FILE \
    --expose=$SSL_CERT_DIR --ad-hoc wget -- wget https://gnu.org

It works on a Guix System, but fails on a foreign distribution, even in
a profile where nss-certs were installed and with the above SSL
environment value properly set.

This is because GnuTLS, which wget uses, looks up the certificates under
the /etc/ssl/certs hard-coded location.  On Guix System, the
SSL_CERT_FILE is set to /etc/ssl/certs/ca-certificates.crt, which
explains why it works there.

We should patch GnuTLS so that it also honors the SSL_* environment
variables documented in the Guix manual.

Maxim


[Message part 3 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Mark H Weaver <mhw <at> netris.org>, 46779-done <at> debbugs.gnu.org,
 Roel Janssen <roel <at> gnu.org>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
Date: Wed, 06 Aug 2025 14:05:43 +0900
Hello,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
>> above patch and add the $SSL_CERT_FILE search path to bring us closer to
>> what OpenSSL supports?
>
> As a rule of thumb, I would avoid diverging from upstream, especially
> for touchy points like this one: it quickly gets problematic when a
> same-named package behaves differently across distros.
>
> In this case, because GnuTLS does not honor any environment variables,
> applications/libraries linked against it have to provide their own
> mechanism for users to specify the certificate search path.  Normally,
> they already do that.

I'm closing this; GnuTLS now uses p11-kit with a default trust store
that includes the nss-certs certificates on the gnome-team branch, which
should soon be in a state to be merged to master.

-- 
Thanks,
Maxim

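As an added example, not part of the bug report and not code from Guix or GnuTLS: a POSIX shell helper that does what the reply above says applications linked against GnuTLS must do for themselves. It resolves the trust anchors from SSL_CERT_FILE, then SSL_CERT_DIR, then the /etc/ssl/certs default that Guix System provides, and hands the result to wget through wget's own --ca-certificate / --ca-directory options, so the download no longer depends on GnuTLS finding /etc/ssl/certs on a foreign distribution. The function names and the lookup order are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report): resolve the CA bundle the way an
# application linked against GnuTLS has to do on its own, because GnuTLS (at
# the time of the report) only consults its hard-coded /etc/ssl/certs
# location and ignores SSL_CERT_FILE / SSL_CERT_DIR.
#
# Lookup order (this example's choice): SSL_CERT_FILE, then SSL_CERT_DIR,
# then /etc/ssl/certs/ca-certificates.crt. Prints the chosen path and
# returns 0; returns 1 when no trust store can be found.
resolve_ca_bundle() {
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -r "$SSL_CERT_FILE" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    if [ -n "${SSL_CERT_DIR:-}" ] && [ -d "$SSL_CERT_DIR" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
        return 0
    fi
    if [ -r /etc/ssl/certs/ca-certificates.crt ]; then
        printf '%s\n' /etc/ssl/certs/ca-certificates.crt
        return 0
    fi
    return 1
}

# Turn the resolved path into the matching wget option (wget's real
# --ca-certificate=FILE / --ca-directory=DIR flags), so verification uses
# the trust anchors the user pointed at rather than whatever GnuTLS finds
# in /etc/ssl/certs. Returns 1 when no trust store was found, so the caller
# can stop instead of silently falling back to an empty trust store.
wget_ca_option() {
    ca=$(resolve_ca_bundle) || return 1
    if [ -d "$ca" ]; then
        printf '%s\n' "--ca-directory=$ca"
    else
        printf '%s\n' "--ca-certificate=$ca"
    fi
}

# Constructed usage, mirroring the wget call from the report:
#   opt=$(wget_ca_option) || { echo "no CA trust store found" >&2; exit 1; }
#   wget "$opt" https://gnu.org
```

Inside the `guix environment --container` invocation from the report, the same helper works as long as the file or directory it resolves is exposed into the container at the same path, which is what the `--expose=$SSL_CERT_FILE` / `--expose=$SSL_CERT_DIR` arguments do.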
