GNU bug report logs - #46779
GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates


Package: guix; Reported by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>; dated Thu, 25 Feb 2021 20:04:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 46779 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
In-Reply-To: <87pln3azkd.fsf@HIDDEN> (Maxim Cournoyer's message of "Mon, 11
 Nov 2024 00:17:06 +0900")
References: <87im6f9aq2.fsf@HIDDEN> <87y2f7td00.fsf@HIDDEN>
 <87o8fen3d0.fsf@HIDDEN>
 <b17ae2a486ca08c9de8d88127c3bc9df68b03f2b.camel@HIDDEN>
 <87k0in1gur.fsf@HIDDEN>
 <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@HIDDEN>
 <87pln3azkd.fsf@HIDDEN>
Date: Wed, 20 Nov 2024 11:45:15 +0100
Message-ID: <87o72ayyis.fsf@HIDDEN>
Cc: Mark H Weaver <mhw@HIDDEN>, 46779 <at> debbugs.gnu.org,
 Roel Janssen <roel@HIDDEN>

Hello,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
> above patch and add the $SSL_CERT_FILE search path to bring us closer to
> what OpenSSL supports?

As a rule of thumb, I would avoid diverging from upstream, especially
for touchy points like this one: it quickly gets problematic when a
same-named package behaves differently across distros.

In this case, because GnuTLS does not honor any environment variables,
applications/libraries linked against it have to provide their own
mechanism for users to specify the certificate search path.  Normally,
they already do that.

WDYT?

Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#46779; Package guix. Full text available.

Message received at 46779 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Roel Janssen <roel@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
In-Reply-To: <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@HIDDEN> (Roel
 Janssen's message of "Mon, 11 Oct 2021 12:59:24 +0200")
References: <87im6f9aq2.fsf@HIDDEN> <87y2f7td00.fsf@HIDDEN>
 <87o8fen3d0.fsf@HIDDEN>
 <b17ae2a486ca08c9de8d88127c3bc9df68b03f2b.camel@HIDDEN>
 <87k0in1gur.fsf@HIDDEN>
 <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@HIDDEN>
Date: Mon, 11 Nov 2024 00:17:06 +0900
Message-ID: <87pln3azkd.fsf@HIDDEN>
Cc: Mark H Weaver <mhw@HIDDEN>,
 Ludovic Courtès <ludo@HIDDEN>, 46779 <at> debbugs.gnu.org

Hi,

I was looking at what Nix does, and they carry this patch, under
pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch:

--8<---------------cut here---------------start------------->8---
allow overriding system trust store location via $NIX_SSL_CERT_FILE

--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -404,6 +404,10 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
 					unsigned int tl_flags,
 					unsigned int tl_vflags)
 {
-	return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES,
-				tl_vflags);
+	tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
+	const char *file = secure_getenv("NIX_SSL_CERT_FILE");
+	return file
+		? gnutls_x509_trust_list_add_trust_file(
+			list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
+		: add_system_trust(list, tl_flags, tl_vflags);
 }
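Review bot: there is no fallback when the override fails: if NIX_SSL_CERT_FILE is set but the file is missing or not PEM, gnutls_x509_trust_list_add_trust_file returns an error and add_system_trust is never reached, so the trust list stays empty and every chain verification fails with no hint of why; either fall back to add_system_trust when the call returns a negative value, or state in the one-line description above the hunk that a bad path is fatal. Two smaller points: secure_getenv is the right accessor here, since glibc returns NULL from it when the process runs with AT_SECURE (setuid/setgid or file capabilities), which addresses the setuid concern raised earlier in this thread; and the variable names a single PEM bundle, so unlike OpenSSL's SSL_CERT_DIR it cannot point at a directory such as /etc/ssl/certs, which the description should also say.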
--8<---------------cut here---------------end--------------->8---

I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the
above patch and add the $SSL_CERT_FILE search path to bring us closer to
what OpenSSL supports?

I got interested in this problem again as glib-networking now expects
a valid trust store to exist, and fails half its test suite without it
(and with gnutls expecting a fixed location, I can't (easily?) fix this
in the build environment).

-- 
Thanks,
Maxim





Message received at 46779 <at> debbugs.gnu.org:


Message-ID: <02120ab2080916fba3d6ff6b6909e4d478739b10.camel@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
From: Roel Janssen <roel@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Date: Mon, 11 Oct 2021 12:59:24 +0200
In-Reply-To: <87k0in1gur.fsf@HIDDEN>
References: <87im6f9aq2.fsf@HIDDEN> <87y2f7td00.fsf@HIDDEN>
 <87o8fen3d0.fsf@HIDDEN>
 <b17ae2a486ca08c9de8d88127c3bc9df68b03f2b.camel@HIDDEN>
 <87k0in1gur.fsf@HIDDEN>
Cc: 46779 <at> debbugs.gnu.org

On Fri, 2021-10-08 at 15:00 -0400, Mark H Weaver wrote:
> Roel Janssen <roel@HIDDEN> writes:
> 
> > On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> > > Ludovic Courtès <ludo@HIDDEN> writes:
> > > 
> > > > Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
> > > > 
> > > > > We should patch GnuTLS so that it also honors the SSL_*
> > > > > environment
> > > > > variables documented in the Guix manual.
> > > > 
> > > > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > > > (2)
> > > > GnuTLS developers made the conscious decision to not honor any
> > > > environment variable, leaving it up to application developers to do
> > > > that.
> > > > 
> > > > That’s the reason we are in this situation.  See the thread at
> > > > <
> > > > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
> > > > > .
> > > 
> > > That thread is worth reading, but for those who are short on time, I
> > > want to call attention to a specific point I made:
> > > 
> > >   However, GnuTLS does not support an environment variable setting,
> > > so we
> > >   would have to patch the code (add_system_trust in lib/system.c).  I
> > >   strongly considered doing this, but I'm worried about the possible
> > >   security implications.  For example, consider a setuid program that
> > > uses
> > >   GnuTLS and assumes that the person who ran the program will not be
> > >   capable of changing the trust store that GnuTLS uses.  This
> > > assumption
> > >   would be correct for the upstream GnuTLS, but not for ours.
> > > 
> > > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
> > > 
> > 
> > Would it be an idea to propose the patches, or the idea, for supporting
> > the SSL_* variables to the GnuTLS developers?
> 
> Sure, please feel free to discuss it with them.

I submitted a feature request here:
https://gitlab.com/gnutls/gnutls/-/issues/1279

> > Or is there a more fundamental reason why GnuTLS does not support
> > changing certificate stores at run-time?
> 
> I don't know.  It's been many years since I looked at this.
> 

Well, thank you for having looked at it in the past. :)
Hopefully we will find out more by means of the feature request I submitted.

Kind regards,
Roel Janssen







Message received at 46779 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: Roel Janssen <roel@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
In-Reply-To: <b17ae2a486ca08c9de8d88127c3bc9df68b03f2b.camel@HIDDEN>
References: <87im6f9aq2.fsf@HIDDEN> <87y2f7td00.fsf@HIDDEN>
 <87o8fen3d0.fsf@HIDDEN>
 <b17ae2a486ca08c9de8d88127c3bc9df68b03f2b.camel@HIDDEN>
Date: Fri, 08 Oct 2021 15:00:33 -0400
Message-ID: <87k0in1gur.fsf@HIDDEN>
Cc: 46779 <at> debbugs.gnu.org

Roel Janssen <roel@HIDDEN> writes:

> On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
>> Ludovic Courtès <ludo@HIDDEN> writes:
>>
>> > Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>> >
>> > > We should patch GnuTLS so that it also honors the SSL_*
>> > > environment
>> > > variables documented in the Guix manual.
>> >
>> > Note that (1) the SSL_* variables are originally from OpenSSL, and
>> > (2)
>> > GnuTLS developers made the conscious decision to not honor any
>> > environment variable, leaving it up to application developers to do
>> > that.
>> >
>> > That’s the reason we are in this situation.  See the thread at
>> > <
>> > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
>> > >.
>>
>> That thread is worth reading, but for those who are short on time, I
>> want to call attention to a specific point I made:
>>
>>   However, GnuTLS does not support an environment variable setting,
>> so we
>>   would have to patch the code (add_system_trust in lib/system.c).  I
>>   strongly considered doing this, but I'm worried about the possible
>>   security implications.  For example, consider a setuid program that
>> uses
>>   GnuTLS and assumes that the person who ran the program will not be
>>   capable of changing the trust store that GnuTLS uses.  This
>> assumption
>>   would be correct for the upstream GnuTLS, but not for ours.
>>
>> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
>>
>
> Would it be an idea to propose the patches, or the idea, for supporting
> the SSL_* variables to the GnuTLS developers?

Sure, please feel free to discuss it with them.

> Or is there a more fundamental reason why GnuTLS does not support
> changing certificate stores at run-time?

I don't know.  It's been many years since I looked at this.

     Thanks,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.





Message received at 46779 <at> debbugs.gnu.org:


Message-ID: <b17ae2a486ca08c9de8d88127c3bc9df68b03f2b.camel@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
From: Roel Janssen <roel@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Date: Thu, 07 Oct 2021 12:28:04 +0200
In-Reply-To: <87o8fen3d0.fsf@HIDDEN>
References: <87im6f9aq2.fsf@HIDDEN> <87y2f7td00.fsf@HIDDEN>
 <87o8fen3d0.fsf@HIDDEN>
Cc: 46779 <at> debbugs.gnu.org

On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> Ludovic Courtès <ludo@HIDDEN> writes:
> 
> > Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
> > 
> > > We should patch GnuTLS so that it also honors the SSL_*
> > > environment
> > > variables documented in the Guix manual.
> > 
> > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > (2)
> > GnuTLS developers made the conscious decision to not honor any
> > environment variable, leaving it up to application developers to do
> > that.
> > 
> > That’s the reason we are in this situation.  See the thread at
> > <
> > https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html
> > >.
> 
> That thread is worth reading, but for those who are short on time, I
> want to call attention to a specific point I made:
> 
>   However, GnuTLS does not support an environment variable setting,
> so we
>   would have to patch the code (add_system_trust in lib/system.c).  I
>   strongly considered doing this, but I'm worried about the possible
>   security implications.  For example, consider a setuid program that
> uses
>   GnuTLS and assumes that the person who ran the program will not be
>   capable of changing the trust store that GnuTLS uses.  This
> assumption
>   would be correct for the upstream GnuTLS, but not for ours.
> 
> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
> 

Would it be an idea to propose the patches, or the idea, for supporting
the SSL_* variables to the GnuTLS developers? Or is there a more
fundamental reason why GnuTLS does not support changing certificate
stores at run-time?

Perhaps I have missed a solution that has already made it in Guix. If
that is the case, I would like to know about it. :)

Kind regards,
Roel Janssen







Message received at 46779 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>, Maxim Cournoyer
 <maxim.cournoyer@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
In-Reply-To: <87y2f7td00.fsf@HIDDEN>
References: <87im6f9aq2.fsf@HIDDEN> <87y2f7td00.fsf@HIDDEN>
Date: Fri, 19 Mar 2021 19:13:36 -0400
Message-ID: <87o8fen3d0.fsf@HIDDEN>
Cc: 46779 <at> debbugs.gnu.org

Ludovic Courtès <ludo@HIDDEN> writes:

> Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>
>> We should patch GnuTLS so that it also honors the SSL_* environment
>> variables documented in the Guix manual.
>
> Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
> GnuTLS developers made the conscious decision to not honor any
> environment variable, leaving it up to application developers to do
> that.
>
> That’s the reason we are in this situation.  See the thread at
> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.

That thread is worth reading, but for those who are short on time, I
want to call attention to a specific point I made:

  However, GnuTLS does not support an environment variable setting, so we
  would have to patch the code (add_system_trust in lib/system.c).  I
  strongly considered doing this, but I'm worried about the possible
  security implications.  For example, consider a setuid program that uses
  GnuTLS and assumes that the person who ran the program will not be
  capable of changing the trust store that GnuTLS uses.  This assumption
  would be correct for the upstream GnuTLS, but not for ours.

<https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>

     Thanks,
       Mark
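The two positions in this thread fit together at the application level: Ludovic's point (above, in the 20 Nov 2024 message) that a program linked against GnuTLS has to provide its own trust-store override, and Mark's point here that such an override must not be reachable from a setuid program. The following is an added example, not code from GnuTLS, Guix or any message in this thread. It honors the OpenSSL-style SSL_CERT_FILE and SSL_CERT_DIR variables only when the process is not running with a real/effective id mismatch, and otherwise, or when neither variable is set, falls back to the system trust. The names choose_trust_source, running_privileged, trust_source_from_env and load_trust are hypothetical; the GnuTLS calls under USE_GNUTLS are the library's actual API but are compiled in only when that macro is defined, so the block builds stand-alone without the library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>
#endif

/* Hypothetical types and names for this example. */
typedef enum { TRUST_SYSTEM = 0, TRUST_FILE = 1, TRUST_DIR = 2 } trust_kind;

typedef struct {
    trust_kind kind;
    const char *path;   /* NULL for TRUST_SYSTEM */
} trust_source;

/* Pure decision, testable without GnuTLS: honor SSL_CERT_FILE first (a
 * single PEM bundle, as OpenSSL does), then SSL_CERT_DIR (a hashed
 * directory such as /etc/ssl/certs), and ignore both when the caller
 * reports a privileged context.  An empty string counts as unset, so
 * "SSL_CERT_FILE= prog" cannot blank the trust store. */
trust_source choose_trust_source(const char *cert_file, const char *cert_dir,
                                 int privileged)
{
    trust_source src = { TRUST_SYSTEM, NULL };

    if (privileged)
        return src;     /* setuid/setgid: the environment is attacker-controlled */
    if (cert_file != NULL && cert_file[0] != '\0') {
        src.kind = TRUST_FILE;
        src.path = cert_file;
    } else if (cert_dir != NULL && cert_dir[0] != '\0') {
        src.kind = TRUST_DIR;
        src.path = cert_dir;
    }
    return src;
}

/* Portable stand-in for the setuid check: a real/effective id mismatch
 * means the environment came from a different identity than the one we
 * now run as.  glibc's secure_getenv() makes the same decision via
 * AT_SECURE, which also covers file capabilities; prefer it where available. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

trust_source trust_source_from_env(void)
{
    return choose_trust_source(getenv("SSL_CERT_FILE"),
                               getenv("SSL_CERT_DIR"),
                               running_privileged());
}

#ifdef USE_GNUTLS
/* Load the chosen source into a GnuTLS credentials object.  Returns the
 * number of certificates loaded or a negative GnuTLS error code; a failed
 * override is reported to the caller, not silently replaced by the
 * system store. */
int load_trust(gnutls_certificate_credentials_t cred, trust_source src)
{
    switch (src.kind) {
    case TRUST_FILE:
        return gnutls_certificate_set_x509_trust_file(cred, src.path,
                                                      GNUTLS_X509_FMT_PEM);
    case TRUST_DIR:
        return gnutls_certificate_set_x509_trust_dir(cred, src.path,
                                                     GNUTLS_X509_FMT_PEM);
    default:
        return gnutls_certificate_set_x509_system_trust(cred);
    }
}
#endif

int main(void)
{
    static const char *names[] = { "system trust", "SSL_CERT_FILE", "SSL_CERT_DIR" };
    trust_source src = trust_source_from_env();

    printf("trust source: %s%s%s\n", names[src.kind],
           src.path ? " " : "", src.path ? src.path : "");
    return 0;
}
```

Build with `cc -DUSE_GNUTLS trust.c -lgnutls` to get the loader, or without the macro to exercise only the decision logic; under `SSL_CERT_FILE=/path/ca.pem ./a.out` it reports the file, and the same binary installed setuid ignores the variable.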





Message received at 46779 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location
 for TLS certificates
References: <87im6f9aq2.fsf@HIDDEN>
Date: Mon, 01 Mar 2021 10:54:55 +0100
In-Reply-To: <87im6f9aq2.fsf@HIDDEN> (Maxim Cournoyer's message of "Thu, 25
 Feb 2021 15:03:01 -0500")
Message-ID: <87y2f7td00.fsf@HIDDEN>
Cc: 46779 <at> debbugs.gnu.org

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> We should patch GnuTLS so that it also honors the SSL_* environment
> variables documented in the Guix manual.

Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
GnuTLS developers made the conscious decision to not honor any
environment variable, leaving it up to application developers to do
that.

That’s the reason we are in this situation.  See the thread at
<https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.

Now, I agree it’s inconvenient for those applications that don’t do
anything.  Perhaps we should check if it’s reasonable to report it
upstream when we encounter such issues, or if there are just too many of
them?

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#46779; Package guix.

Message received at submit <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: bug-guix <bug-guix@HIDDEN>
Subject: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS
 certificates
Date: Thu, 25 Feb 2021 15:03:01 -0500
Message-ID: <87im6f9aq2.fsf@HIDDEN>

Hello,

Consider this:

$ guix environment --container --network -E SSL --expose=$SSL_CERT_FILE \
    --expose=$SSL_CERT_DIR --ad-hoc wget -- wget https://gnu.org

It works on a Guix System, but fails on a foreign distribution, even in
a profile where nss-certs were installed and with the above SSL
environment value properly set.

This is because GnuTLS, which wget uses, looks up the certificates under
the /etc/ssl/certs hard-coded location.  On Guix System, the
SSL_CERT_FILE is set to /etc/ssl/certs/ca-certificates.crt, which
explains why it works there.

We should patch GnuTLS so that it also honors the SSL_* environment
variables documented in the Guix manual.

Maxim
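The failure described in this report and explained in Ludovic's reply (GnuTLS only consults its hard-coded path; honoring SSL_CERT_FILE/SSL_CERT_DIR is left to each application) can be modelled and checked outside a container with the small POSIX shell script below. It is an added example, not code from the bug report, GnuTLS or Guix; the GNUTLS_HARDCODED_CA variable is a constructed knob so the model can be tested, not a real GnuTLS setting, and the SSL_CERT_DIR branch assumes the Guix nss-certs layout where that directory contains ca-certificates.crt.

```shell
# Added example, not code from the bug report or from GnuTLS/Guix: model the
# two trust-store lookup strategies discussed in the thread so the failure
# can be reproduced and diagnosed without a container.
#
#   gnutls_lookup  GnuTLS on its own: only the hard-coded path.
#   app_lookup     an application that honors the OpenSSL-style SSL_*
#                  variables first and falls back to the hard-coded path.
#
# GNUTLS_HARDCODED_CA is a constructed knob for testing the model; it is
# not a real GnuTLS setting.

gnutls_lookup() {
    f="${GNUTLS_HARDCODED_CA:-/etc/ssl/certs/ca-certificates.crt}"
    [ -r "$f" ] && printf '%s\n' "$f"
}

# Assumes the Guix nss-certs layout: SSL_CERT_DIR holds ca-certificates.crt.
app_lookup() {
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -r "$SSL_CERT_FILE" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    if [ -n "${SSL_CERT_DIR:-}" ] && [ -r "$SSL_CERT_DIR/ca-certificates.crt" ]; then
        printf '%s\n' "$SSL_CERT_DIR/ca-certificates.crt"
        return 0
    fi
    gnutls_lookup
}

# Report both results. Exit 0 when GnuTLS itself finds a bundle (wget will
# verify), 1 when only the SSL_* route works (this bug), 2 when nothing does.
diagnose() {
    app=$(app_lookup) || app=""
    gt=$(gnutls_lookup) || gt=""
    printf 'SSL_* lookup : %s\n' "${app:-<none>}"
    printf 'GnuTLS lookup: %s\n' "${gt:-<none>}"
    if [ -n "$gt" ]; then
        printf 'OK: GnuTLS will find a trust store\n'
        return 0
    fi
    if [ -n "$app" ]; then
        printf 'FAIL: bundle only reachable via SSL_*, which GnuTLS ignores\n'
        return 1
    fi
    printf 'FAIL: no trust store reachable at all\n'
    return 2
}
```

Source the file in the environment you want to check (for instance inside the container from the report) and run `diagnose`; exit status 1 is exactly the foreign-distribution case where the bundle is reachable through SSL_* but not at the path GnuTLS uses.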




Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#46779; Package guix.
Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.