Hello Ricardo!

Please find the following information.

FROM FLATPAK SOURCE CODE:

#include <libsoup/soup.h>   /* SoupSession, SoupURI, SoupLogger; pulls in GLib */

SoupSession *
flatpak_create_soup_session (const char *user_agent)
{
  SoupSession *soup_session;
  const char *http_proxy;

  /* SSL_USE_SYSTEM_CA_FILE = TRUE sets the session's tls-database to the
   * default system CA database. ssl-strict is left at its default, so a
   * certificate that is invalid or not signed by one of those CAs fails the
   * message with SOUP_STATUS_SSL_FAILED (see the libsoup manual text below). */
  soup_session = soup_session_new_with_options (SOUP_SESSION_USER_AGENT, user_agent,
                                                SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
                                                SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
                                                SOUP_SESSION_TIMEOUT, 60,
                                                SOUP_SESSION_IDLE_TIMEOUT, 60,
                                                NULL);
  soup_session_remove_feature_by_type (soup_session, SOUP_TYPE_CONTENT_DECODER);

  /* Honour an http_proxy from the environment; a malformed URI is only warned about. */
  http_proxy = g_getenv ("http_proxy");
  if (http_proxy)
    {
      g_autoptr(SoupURI) proxy_uri = soup_uri_new (http_proxy);
      if (!proxy_uri)
        g_warning ("Invalid proxy URI '%s'", http_proxy);
      else
        g_object_set (soup_session, SOUP_SESSION_PROXY_URI, proxy_uri, NULL);
    }

  /* OSTREE_DEBUG_HTTP turns on request/response logging, bodies truncated to 500 bytes. */
  if (g_getenv ("OSTREE_DEBUG_HTTP"))
    soup_session_add_feature (soup_session,
                              (SoupSessionFeature *) soup_logger_new (SOUP_LOGGER_LOG_BODY, 500));

  return soup_session;
}

FROM LIBSOUP MANUAL:

The “ssl-use-system-ca-file” property

“ssl-use-system-ca-file” gboolean

Setting this to TRUE is equivalent to setting “tls-database” to the default 
system CA database. (and likewise, setting “tls-database” to the default 
database by hand will cause this property to become TRUE).

Setting this to FALSE (when it was previously TRUE) will clear the 
“tls-database” field.

See “ssl-strict” for more information on how https certificate validation is 
handled.

The “ssl-strict” property

“ssl-strict” gboolean

Normally, if “tls-database” is set (including if it was set via 
“ssl-use-system-ca-file” or “ssl-ca-file”), then libsoup will reject any 
certificate that is invalid (ie, expired) or that is not signed by one of the 
given CA certificates, and the SoupMessage will fail with the status 
SOUP_STATUS_SSL_FAILED.

If you set “ssl-strict” to FALSE, then all certificates will be accepted, and 
you will need to call soup_message_get_https_status() to distinguish valid from 
invalid certificates. (This can be used, eg, if you want to accept invalid 
certificates after giving some sort of warning.)

For a plain SoupSession, if the session has no CA file or TLS database, and 
this property is TRUE, then all certificates will be rejected.

--
Regards,
RG.

March 18, 2019 9:24 PM, "Ricardo Wurmus" <[email protected]> wrote:
 Raghav Gururajan <[email protected]> writes:
 Yes, I did them. Still did not work.

I did the following to set env variables:

$ guix package -i nss-certs
$ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
$ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
$ export GIT_SSL_CAINFO="$SSL_CERT_FILE" 

Flatpak uses libsoup with SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE. libsoup
delegates TLS handling to glib-networking.

Raghav, could you trace flatpak to see what certificate files it is
trying to access?

--
Ricardo
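The trace Ricardo asks for, as an added example that is not part of the thread, of flatpak or of libsoup: run the command under strace, keep only the certificate-store paths it touches, and mark each one as found or missing. If the bundle exported in SSL_CERT_FILE (the Guix profile path) never shows up as "found" while a system path such as /etc/ssl/certs/ca-certificates.crt shows up as "missing", the TLS backend is not reading the exported variables. It assumes strace is installed and knows the %file syscall class; the pids and paths in the sample trace are constructed, not a real run.

```sh
#!/bin/sh
# Added example, not from the thread, flatpak or libsoup: trace a command
# (e.g. flatpak) to see which certificate files it tries to open and whether
# each open succeeded. Paths and pids in the sample below are made up.

# Reduce strace output to the certificate-store paths a process touched.
# Reads strace lines on stdin. Each line's first double-quoted argument is the
# path; "ENOENT" in the result marks a lookup that failed. Distinct paths are
# printed once, in order, prefixed with "missing" or "found".
cert_paths_from_trace() {
    awk -F'"' '
        NF >= 3 && tolower($2) ~ /ssl\/certs|ca-cert|\.crt$|\.pem$/ {
            status = ($0 ~ /ENOENT/) ? "missing" : "found"
            key = status " " $2
            if (!seen[key]++) print key
        }'
}

# Run a command under strace and report the certificate files it touched.
# %file traces every syscall that takes a path (openat, stat, access,
# readlink, ...); -f follows child processes, which matters for the helpers
# flatpak spawns; -qq drops strace's own attach/exit notes.
# Assumes a reasonably recent strace that knows the %file class.
# Usage: trace_cert_access flatpak remote-ls flathub
trace_cert_access() {
    log=$(mktemp) || return 1
    strace -f -qq -e trace=%file -o "$log" "$@" >/dev/null 2>&1
    cert_paths_from_trace < "$log"
    rm -f "$log"
}

# Constructed strace -f output (not a real trace): the process misses the
# FHS system bundle, then finds the one from a Guix profile.
sample_trace() {
    printf '%s\n' \
      '4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3' \
      '4242 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)' \
      '4242 stat("/home/rg/.guix-profile/etc/ssl/certs", {st_mode=S_IFDIR|0555, ...}) = 0' \
      '4242 openat(AT_FDCWD, "/home/rg/.guix-profile/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 4' \
      '4242 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)' \
      '4242 +++ exited with 0 +++'
}

sample_trace | cert_paths_from_trace
```

Running the script as-is prints the three distinct certificate paths from the sample, one "missing" and two "found"; on a real system replace the sample with `trace_cert_access flatpak ...` and read the result the same way.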
