GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates


Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Thu, 25 Feb 2021 20:04:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: bug#46779: closed (Re: bug#46779: GnuTLS uses the hard-coded
 /etc/ssl/certs location for TLS certificates)
Date: Wed, 06 Aug 2025 05:06:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 46779 <at> debbugs.gnu.org.

-- 
46779: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46779
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Mark H Weaver <mhw <at> netris.org>, 46779-done <at> debbugs.gnu.org,
 Roel Janssen <roel <at> gnu.org>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
Date: Wed, 06 Aug 2025 14:05:43 +0900
Hello,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
>> above patch and add the $SSL_CERT_FILE search path to bring us closer to
>> what OpenSSL supports?
>
> As a rule of thumb, I would avoid diverging from upstream, especially
> for touchy points like this one: it quickly gets problematic when a
> same-named package behaves differently across distros.
>
> In this case, because GnuTLS does not honor any environment variables,
> applications/libraries linked against it have to provide their own
> mechanism for users to specify the certificate search path.  Normally,
> they already do that.

I'm closing this; GnuTLS now uses p11-kit with a default trust store
that includes the nss-certs certificates on the gnome-team branch, which
should soon be in a state to be merged to master.

-- 
Thanks,
Maxim

[Message part 3 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: bug-guix <bug-guix <at> gnu.org>
Subject: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS
 certificates
Date: Thu, 25 Feb 2021 15:03:01 -0500
Hello,

Consider this:

$ guix environment --container --network -E SSL --expose=$SSL_CERT_FILE \
    --expose=$SSL_CERT_DIR --ad-hoc wget -- wget https://gnu.org

It works on a Guix System, but fails on a foreign distribution, even in
a profile where nss-certs were installed and with the above SSL
environment value properly set.

This is because GnuTLS, which wget uses, looks up the certificates under
the /etc/ssl/certs hard-coded location.  On Guix System, the
SSL_CERT_FILE is set to /etc/ssl/certs/ca-certificates.crt, which
explains why it works there.

We should patch GnuTLS so that it also honors the SSL_* environment
variables documented in the Guix manual.

Maxim
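The failure mode above is easy to misdiagnose, because the certificates and the SSL_* variables can both be correct and the client still fails. The following is an added example, not code from the bug report or from the Guix project: it mirrors the way OpenSSL resolves its default verify paths (SSL_CERT_FILE and SSL_CERT_DIR override the compiled-in locations, and a value that points nowhere is not silently replaced by the default) and contrasts it with a model of a stack that, as the report describes for GnuTLS, consults one fixed location and ignores the environment. The fixed path /etc/ssl/certs/ca-certificates.crt is an assumption taken from the Guix System value quoted in the report; the variable names come from the running Python's OpenSSL build.

```python
"""Which CA bundle will a TLS stack actually consult?

Added example, not code from the bug report or the Guix project.  It mirrors
the resolution OpenSSL performs for its default verify paths and contrasts it
with an env-unaware stack that reads one fixed location.
"""
import os
import ssl
from typing import NamedTuple, Optional

_DEFAULTS = ssl.get_default_verify_paths()
CAFILE_ENV = _DEFAULTS.openssl_cafile_env   # normally "SSL_CERT_FILE"
CAPATH_ENV = _DEFAULTS.openssl_capath_env   # normally "SSL_CERT_DIR"
# Assumed hard-coded location of the env-unaware stack (the report names
# /etc/ssl/certs; Guix System's bundle lives at this file inside it).
HARDCODED_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


class TrustStore(NamedTuple):
    cafile: Optional[str]   # bundle file that will be read, None if absent
    capath: Optional[str]   # hashed-cert directory, None if absent
    honours_env: bool       # True if SSL_CERT_* was consulted at all


def openssl_trust_store(env: dict) -> TrustStore:
    """Resolve the trust store the way OpenSSL's default paths do.

    When SSL_CERT_FILE (or SSL_CERT_DIR) is set, it replaces the compiled-in
    default even if the value does not exist; OpenSSL does not fall back to
    the default location in that case, so the result is simply 'no store'.
    """
    cafile = env.get(CAFILE_ENV, _DEFAULTS.openssl_cafile)
    capath = env.get(CAPATH_ENV, _DEFAULTS.openssl_capath)
    return TrustStore(
        cafile if os.path.isfile(cafile) else None,
        capath if os.path.isdir(capath) else None,
        CAFILE_ENV in env or CAPATH_ENV in env,
    )


def fixed_path_trust_store(env: dict, bundle: str = HARDCODED_BUNDLE) -> TrustStore:
    """Model of a stack that ignores SSL_CERT_* entirely: only `bundle` counts."""
    del env  # deliberately unused: this is the behaviour being contrasted
    return TrustStore(bundle if os.path.isfile(bundle) else None, None, False)


def diagnose(env: dict) -> dict:
    """Report, per stack model, whether a usable trust store would be found.

    Run this with the environment seen inside the container (or any foreign
    distro profile) before blaming the certificates: a client linked against
    an env-unaware stack fails even though SSL_CERT_FILE is correct, while an
    OpenSSL-linked client in the same environment succeeds.
    """
    result = {}
    for name, resolver in (("openssl", openssl_trust_store),
                           ("fixed-path", fixed_path_trust_store)):
        store = resolver(env)
        result[name] = {
            "cafile": store.cafile,
            "capath": store.capath,
            "usable": store.cafile is not None or store.capath is not None,
            "honours_env": store.honours_env,
        }
    return result


if __name__ == "__main__":
    import json
    # Inspect the real environment of whatever shell or container runs this.
    print(json.dumps(diagnose(dict(os.environ)), indent=2))
```

Running it inside the `guix environment --container` shown in the report, with SSL_CERT_FILE pointing at the exposed profile bundle, the "openssl" entry reports a usable store and the "fixed-path" entry does not, which is exactly the split between an OpenSSL-linked client and the GnuTLS-linked wget described above.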






GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.