GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates

Package: guix

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Thu, 25 Feb 2021 20:04:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>


Message #31 received at 46779-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Mark H Weaver <mhw <at> netris.org>, 46779-done <at> debbugs.gnu.org,
 Roel Janssen <roel <at> gnu.org>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
Date: Wed, 06 Aug 2025 14:05:43 +0900

Hello,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
>> above patch and add the $SSL_CERT_FILE search path to bring us closer to
>> what OpenSSL supports?
>
> As a rule of thumb, I would avoid diverging from upstream, especially
> for touchy points like this one: it quickly gets problematic when a
> same-named package behaves differently across distros.
>
> In this case, because GnuTLS does not honor any environment variables,
> applications/libraries linked against it have to provide their own
> mechanism for users to specify the certificate search path.  Normally,
> they already do that.

I'm closing this; GnuTLS now uses p11-kit with a default trust store
that includes the nss-certs certificates on the gnome-team branch, which
should soon be in a state to be merged to master.

-- 
Thanks,
Maxim




This bug report was last modified 3 days ago.
