GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>; dated Thu, 25 Feb 2021 20:04:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 46779 <at> debbugs.gnu.org:


Received: (at 46779) by debbugs.gnu.org; 1 Mar 2021 09:55:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Mar 01 04:55:04 2021
Received: from localhost ([127.0.0.1]:48138 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lGfGa-0004RA-2l
	for submit <at> debbugs.gnu.org; Mon, 01 Mar 2021 04:55:04 -0500
Received: from eggs.gnu.org ([209.51.188.92]:45792)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1lGfGY-0004Qe-M2
 for 46779 <at> debbugs.gnu.org; Mon, 01 Mar 2021 04:55:03 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:41937)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1lGfGT-0002Op-DZ; Mon, 01 Mar 2021 04:54:57 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=50280 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1lGfGS-00027Z-Ua; Mon, 01 Mar 2021 04:54:57 -0500
From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
References: <87im6f9aq2.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 11 Ventôse an 229 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 01 Mar 2021 10:54:55 +0100
In-Reply-To: <87im6f9aq2.fsf@HIDDEN> (Maxim Cournoyer's message of "Thu, 25
 Feb 2021 15:03:01 -0500")
Message-ID: <87y2f7td00.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46779
Cc: 46779 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> We should patch GnuTLS so that it also honors the SSL_* environment
> variables documented in the Guix manual.

Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
GnuTLS developers made the conscious decision to not honor any
environment variable, leaving it up to application developers to do
that.

That’s the reason we are in this situation.  See the thread at
<https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.

Now, I agree it’s inconvenient for those applications that don’t do
anything.  Perhaps we should check if it’s reasonable to report it
upstream when we encounter such issues, or if there’s just too many of
them?

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#46779; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 25 Feb 2021 20:03:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Feb 25 15:03:17 2021
Received: from localhost ([127.0.0.1]:39422 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lFMqy-0005Hq-7S
	for submit <at> debbugs.gnu.org; Thu, 25 Feb 2021 15:03:17 -0500
Received: from lists.gnu.org ([209.51.188.17]:47622)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1lFMqt-0005Hf-JY
 for submit <at> debbugs.gnu.org; Thu, 25 Feb 2021 15:03:14 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:39002)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@HIDDEN>)
 id 1lFMqr-0006l9-Ep
 for bug-guix@HIDDEN; Thu, 25 Feb 2021 15:03:11 -0500
Received: from mail-qv1-xf34.google.com ([2607:f8b0:4864:20::f34]:41330)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@HIDDEN>)
 id 1lFMqm-0003Ww-Kl
 for bug-guix@HIDDEN; Thu, 25 Feb 2021 15:03:09 -0500
Received: by mail-qv1-xf34.google.com with SMTP id t1so2399454qvj.8
 for <bug-guix@HIDDEN>; Thu, 25 Feb 2021 12:03:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id:mime-version;
 bh=o4cLOgSeiiQvFPzwCgDtA6ua743sv22x9+SRjzHfEX4=;
 b=XZSmZDNUR2PJrC9wXFo6HhFk413WzW8mgdshWsLGB8H/ZDWGYQe2jCYP1cc2tTQeGP
 7wctLgiCkyyUMzifvS9KbX/vg48ofTbVzzLvuUPuloNzhW/DYo4/1AUVWFNXLQ7yNqbg
 05nGbOKkr2sE4t3KpqNYMZsvMZRVPgwuMRctpF71rri+Kayt7F//v8gzuIUrmXFJ0uJe
 FeScd64zsBkyFluTJTsJ19sSSP1Shu/xgtKCyBJEmAsDSTsbggv9R0WwytRLghAy/nP2
 aA4YWUHYUo5TRbbEmtdLABrQ/PNSpRQgm6RiQPjH8EppB5YSxQQ7csXi9Ros4+9gCNNx
 Atig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:mime-version;
 bh=o4cLOgSeiiQvFPzwCgDtA6ua743sv22x9+SRjzHfEX4=;
 b=Ak8FWKUNcBK1ZNmRSjQ3A6gZDjXDB5By1qOhnNWokh2ORaKuMi6RQz8lVWwkOgSB8z
 pDFzxDUFzdgM+wV05Ocmvt1Zp2pRzVOMPXkjuzNM6HdXY2740IqA2FeVF13dx7h8ZDsT
 mm535WTQJrUNxknA36xWLK4LTq0cjTWN0i0lHGTECkbjnOMaq8TGXTmopj8ZdWx6P1Q1
 X0STKMPoSP4paDzQLtnCDEM+aaDClNBdmrTOmBKNbmsb1jJQwzFrcouosC8W42opjZZ6
 +6fbuBuFCVpJ+zyrbhWtnIUp1ejqNYpnQcs094n/3X9MfcT5m/52zpRaR18pzwu7PXV4
 7v2w==
X-Gm-Message-State: AOAM532ULbhs1K8rJVJktrltMzbJYhWGagXvAsTOcCtIixIEwIMNMlDk
 WejqkfjlGEUq5AHNdgRbYFoT2b41lPjTaw==
X-Google-Smtp-Source: ABdhPJwqOdqC4mKqvFKu8p6UlxmvLSO8/iNwhOS47GyiElfKjF/7/D7+kiVBPXrP8HaEHYyq+r2RXA==
X-Received: by 2002:a05:6214:118d:: with SMTP id
 t13mr4442062qvv.33.1614283383129; 
 Thu, 25 Feb 2021 12:03:03 -0800 (PST)
Received: from hurd (dsl-10-130-102.b2b2c.ca. [72.10.130.102])
 by smtp.gmail.com with ESMTPSA id q204sm4786276qka.84.2021.02.25.12.03.02
 for <bug-guix@HIDDEN>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 25 Feb 2021 12:03:02 -0800 (PST)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: bug-guix <bug-guix@HIDDEN>
Subject: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS
 certificates
Date: Thu, 25 Feb 2021 15:03:01 -0500
Message-ID: <87im6f9aq2.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=2607:f8b0:4864:20::f34;
 envelope-from=maxim.cournoyer@HIDDEN; helo=mail-qv1-xf34.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Hello,

Consider this:

$ guix environment --container --network -E SSL --expose=$SSL_CERT_FILE \
    --expose=$SSL_CERT_DIR --ad-hoc wget -- wget https://gnu.org

It works on a Guix System, but fails on a foreign distribution, even in
a profile where nss-certs were installed and with the above SSL
environment value properly set.

This is because GnuTLS, which wget uses, looks up the certificates under
the /etc/ssl/certs hard-coded location.  On Guix System, the
SSL_CERT_FILE is set to /etc/ssl/certs/ca-certificates.crt, which
explains why it works there.

We should patch GnuTLS so that it also honors the SSL_* environment
variables documented in the Guix manual.

Maxim
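The report above describes the failure (GnuTLS falling back to a compiled-in /etc/ssl/certs that does not exist inside a container on a foreign distribution), and the reply points out that GnuTLS deliberately reads no environment variables and leaves that to applications. The following is an added example, not code from this bug report, from Guix or from GnuTLS, of the application-side resolution that is being left undone: honor SSL_CERT_FILE, then SSL_CERT_DIR, then the compiled-in default, and fail with a message that names what is missing rather than letting the handshake report a generic verification error. It is written in Python with the standard-library `ssl` module (whose OpenSSL backing is where the SSL_* names come from); the /etc/ssl/certs default is the path named in the report, while the precedence order, the decision to treat a set-but-missing variable as an error, and the injectable `exists` hook (there only so the logic can run against a constructed filesystem) are assumptions of this example.

```python
"""Application-side trust-store resolution for a TLS library that ignores
the environment.  Added example; not code from the bug report, Guix or GnuTLS."""
import os
import ssl
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# The compiled-in location the bug report says GnuTLS falls back to.
DEFAULT_TRUST_DIR = "/etc/ssl/certs"


@dataclass(frozen=True)
class TrustStore:
    """Where the application decided to read CA certificates from."""
    cafile: Optional[str]   # a PEM bundle such as ca-certificates.crt
    capath: Optional[str]   # a directory of individual CA certificates
    origin: str             # which setting selected it, for logging


class TrustStoreError(RuntimeError):
    """No usable trust store could be found; the message says why."""


def resolve_trust_store(env: Mapping[str, str],
                        default_dir: str = DEFAULT_TRUST_DIR,
                        exists: Callable[[str], bool] = os.path.exists) -> TrustStore:
    """Pick the trust store the way the OpenSSL-style variables intend:
    SSL_CERT_FILE first, then SSL_CERT_DIR, then the compiled-in default.

    Design choice (assumption of this example): a variable that is set but
    points at a missing path is a configuration error and is reported, not
    silently skipped, so an operator sees the typo instead of a misleading
    'certificate verify failed' later.  `exists` is injectable so the logic
    can be tested without touching /etc.
    """
    cafile = env.get("SSL_CERT_FILE")
    if cafile:
        if not exists(cafile):
            raise TrustStoreError(f"SSL_CERT_FILE={cafile!r} does not exist")
        return TrustStore(cafile=cafile, capath=None, origin="SSL_CERT_FILE")

    capath = env.get("SSL_CERT_DIR")
    if capath:
        if not exists(capath):
            raise TrustStoreError(f"SSL_CERT_DIR={capath!r} does not exist")
        return TrustStore(cafile=None, capath=capath, origin="SSL_CERT_DIR")

    if exists(default_dir):
        return TrustStore(cafile=None, capath=default_dir, origin="compiled-in default")

    # The situation in the report: a container on a foreign distribution where
    # neither variable is honored and /etc/ssl/certs is simply not there.
    raise TrustStoreError(
        f"no trust store: SSL_CERT_FILE and SSL_CERT_DIR are unset and "
        f"{default_dir} does not exist")


def make_verifying_context(store: TrustStore) -> ssl.SSLContext:
    """Build an SSLContext that trusts only the resolved store.

    PROTOCOL_TLS_CLIENT leaves check_hostname=True and CERT_REQUIRED on.
    ssl.create_default_context() is deliberately not used here because it
    would also load the system defaults behind the application's back.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=store.cafile, capath=store.capath)
    return ctx


if __name__ == "__main__":
    # Report what this process would trust, or why a TLS connection would fail.
    try:
        store = resolve_trust_store(os.environ)
        print(f"using {store.cafile or store.capath} (from {store.origin})")
    except TrustStoreError as err:
        print(f"TLS would fail in this environment: {err}")
```

The same resolution step maps onto GnuTLS itself through `gnutls_certificate_set_x509_trust_file` and `gnutls_certificate_set_x509_trust_dir` on the credentials object; the point of the example is that the choice of path has to be made by the application, since the library will not read SSL_CERT_FILE or SSL_CERT_DIR on its own.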




Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#46779; Package guix. Full text available.
Last modified: Mon, 1 Mar 2021 10:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.