GNU bug report logs - #70314
[PATCH] guix: scripts: environment: add tls certs to networked containers

Package: guix-patches;

Reported by: Richard Sent <richard <at> freakingpenguin.com>

Date: Tue, 9 Apr 2024 19:15:01 UTC

Severity: normal

Tags: patch

Merged with 75917


Message #35 received at 70314 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Richard Sent <richard <at> freakingpenguin.com>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>,
 Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Tobias Geerinckx-Rice <me <at> tobias.gr>, Ricardo Wurmus <rekado <at> elephly.net>,
 Christopher Baines <guix <at> cbaines.net>, 70314 <at> debbugs.gnu.org
Subject: Re: bug#70314: [PATCH] guix: scripts: environment: add tls certs to
 networked containers
Date: Wed, 29 Jan 2025 10:32:50 +0900
Hi,

Richard Sent <richard <at> freakingpenguin.com> writes:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.

I just wanted to share that I have a WIP in progress that would address
this differently; by using p11-kit with a trusted path to nss certs by
default:

--8<---------------cut here---------------start------------->8---
gnu: p11-kit: Add nss-certs to default trust path.

* gnu/packages/tls.scm (p11-kit) [native-inputs]: Add nss-certs.
[arguments] <#:configure-flags>: Register its etc/ssl/certs directory as a
trust path.

Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39

1 file changed, 5 insertions(+), 2 deletions(-)
gnu/packages/tls.scm | 7 +++++--

modified   gnu/packages/tls.scm
@@ -61,6 +61,7 @@ (define-module (gnu packages tls)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages build-tools)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages dns)
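Review bot: this new `#:use-module (gnu packages certs)` line makes (gnu packages tls) depend on (gnu packages certs); before merging, confirm that certs.scm and the modules it pulls in do not import tls.scm in turn, since a module cycle between the two would surface as unbound-variable errors at load time rather than as a clean build failure.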
@@ -160,6 +161,7 @@ (define-public p11-kit
            docbook-xsl
            gettext-minimal
            libxslt
+           nss-certs                    ;default certs
            pkg-config))
     (inputs
      (append (list libffi libtasn1)
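Review bot: nss-certs is declared under native-inputs here, yet its store path is what the later configure-flags change embeds in the trust_paths string, so it is a run-time dependency rather than a build-time tool; it should move to inputs, because native-inputs are built for the build host when cross-compiling and the embedded path would then not be the target's package. The `;default certs` comment would also be more useful if it said that this entry is what makes the bundle trusted by default, so the security consequence is visible where the dependency is declared.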
@@ -175,9 +177,10 @@ (define-public p11-kit
               (string-append
                "-Dtrust_paths="
                (string-join
-                '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
+                `("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
                   "/etc/pki/tls/certs/ca-bundle.crt"   ;fedora, centos
-                  "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse
+                  "/var/lib/ca-certificates/ca-bundle.pem"
+                  ,(search-input-directory %build-inputs "etc/ssl/certs"))
                 ":")))))
     (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
     (synopsis "PKCS#11 library")
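Review bot: the rewritten list drops the `;opensuse` comment from the `"/var/lib/ca-certificates/ca-bundle.pem"` line and leaves the new `,(search-input-directory %build-inputs "etc/ssl/certs")` entry uncommented; keep the first and label the second (for example `;guix default, from nss-certs`) so the provenance of each trust path stays readable. More substantively, as I read p11-kit's trust module every path in trust_paths is loaded, so the nss-certs bundle becomes trusted on every system in addition to whatever /etc/ssl/certs/ca-certificates.crt contains; an administrator who deliberately narrows the system trust store still ends up trusting the full nss-certs set unless they use the user-level override the message mentions, and because the entry is a fixed store path, distrusting a CA means updating nss-certs and rebuilding p11-kit and everything above it. Both consequences belong in the commit message and in the documentation the message says is still to be written.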
--8<---------------cut here---------------end--------------->8---

And then building gnutls with the
'--with-default-trust-store-pkcs11=pkcs11:' configure flag.  In theory
that would mean that any GnuTLS-using application would work out of the
box.  p11-kit also allows users to override certs by user configuration
in XDG directories, should someone want to add their own certs or
override the default trust store (to be documented).

In practice I haven't yet rebuilt the world with this, but encountered a
failing test that suggests it doesn't work as expected (but perhaps it's
just the test) [0].

For OpenSSL, there is supposedly a plugin that can be used to make it
use p11-kit managed certs, though I haven't investigated.

The idea to use p11-kit was suggested to us (via Andreas) in 2015 by the
main GnuTLS developer [1].

It's used on Fedora/Red Hat for example [2].

[0]  https://gitlab.com/gnutls/gnutls/-/issues/1639
[1]  https://lists.gnupg.org/pipermail/gnutls-devel/2015-February/007447.html
[2]  https://src.fedoraproject.org/rpms/gnutls/blob/rawhide/f/gnutls.spec#_320

--
Thanks,
Maxim

This bug report was last modified 80 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.