On Fri, 2021-10-08 at 15:00 -0400, Mark H Weaver wrote:
> Roel Janssen <[email protected]> writes:
>
> > On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> > > Ludovic Courtès <[email protected]> writes:
> > >
> > > > Maxim Cournoyer <[email protected]> writes:
> > > >
> > > > > We should patch GnuTLS so that it also honors the SSL_* environment
> > > > > variables documented in the Guix manual.
> > > >
> > > > Note that (1) the SSL_* variables are originally from OpenSSL, and
> > > > (2) GnuTLS developers made the conscious decision to not honor any
> > > > environment variable, leaving it up to application developers to do
> > > > that.
> > > >
> > > > That's the reason we are in this situation. See the thread at
> > > > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
> > >
> > > That thread is worth reading, but for those who are short on time, I
> > > want to call attention to a specific point I made:
> > >
> > >   However, GnuTLS does not support an environment variable setting,
> > >   so we would have to patch the code (add_system_trust in
> > >   lib/system.c). I strongly considered doing this, but I'm worried
> > >   about the possible security implications. For example, consider a
> > >   setuid program that uses GnuTLS and assumes that the person who ran
> > >   the program will not be capable of changing the trust store that
> > >   GnuTLS uses. This assumption would be correct for the upstream
> > >   GnuTLS, but not for ours.
> > >
> > >   <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
> >
> > Would it be an idea to propose the patches, or the idea, for supporting
> > the SSL_* variables to the GnuTLS developers?
>
> Sure, please feel free to discuss it with them.

I submitted a feature request here:
https://gitlab.com/gnutls/gnutls/-/issues/1279

> > Or is there a more fundamental reason why GnuTLS does not support
> > changing certificate stores at run-time?
>
> I don't know. It's been many years since I looked at this.

Well, thank you for having looked at it in the past. :)

Hopefully we will find out more by means of the feature request I submitted.

Kind regards,
Roel Janssen
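The setuid concern quoted above is the usual reason libraries refuse to read trust-store overrides from the environment, and the usual mitigation is the one the dynamic loader applies to LD_PRELOAD: honour the variable only when the process is not running with privileges it did not inherit from its invoker. The following is an added example, not code from GnuTLS, Guix or any message in this thread, of how an application that links GnuTLS could apply that policy itself, which is where the GnuTLS developers said the decision belongs. It assumes the variables in question are the OpenSSL-style SSL_CERT_FILE and SSL_CERT_DIR, assumes a default bundle path, and gives SSL_CERT_FILE precedence over SSL_CERT_DIR as a choice of this example; the decision is kept in a pure function so it can be exercised with constructed inputs.

```c
/* Added example (not GnuTLS or Guix code): honour OpenSSL-style
 * SSL_CERT_FILE / SSL_CERT_DIR overrides for a GnuTLS trust store, but
 * never when the process runs setuid/setgid, so an invoker who controls
 * the environment cannot choose who the privileged program trusts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Assumed default bundle location; distributions differ. */
#define DEFAULT_TRUST_FILE "/etc/ssl/certs/ca-certificates.crt"

enum trust_source { TRUST_SYSTEM_DEFAULT, TRUST_ENV_FILE, TRUST_ENV_DIR };

struct trust_choice {
    enum trust_source source;
    char path[256];
};

/* Non-zero when the process has privileges the invoking user did not
 * have (setuid/setgid, or file capabilities on Linux). AT_SECURE is the
 * same signal glibc uses to decide to ignore LD_PRELOAD and friends. */
int secure_execution(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Accept only absolute paths that fit in the buffer; anything else falls
 * through to the next candidate. */
static int take_path(struct trust_choice *c, const char *value, enum trust_source src)
{
    if (value == NULL || value[0] != '/' || strlen(value) >= sizeof c->path)
        return 0;
    c->source = src;
    snprintf(c->path, sizeof c->path, "%s", value);
    return 1;
}

/* Pure policy: env_file/env_dir are the (possibly NULL) values of
 * SSL_CERT_FILE and SSL_CERT_DIR, secure is the result of secure_execution().
 * Kept free of getenv() so it can be tested with constructed inputs. */
struct trust_choice choose_trust_store(const char *env_file, const char *env_dir, int secure)
{
    struct trust_choice c;
    memset(&c, 0, sizeof c);
    c.source = TRUST_SYSTEM_DEFAULT;
    snprintf(c.path, sizeof c.path, "%s", DEFAULT_TRUST_FILE);

    if (secure)
        return c;               /* privileged: ignore the environment entirely */

    if (take_path(&c, env_file, TRUST_ENV_FILE))
        return c;               /* SSL_CERT_FILE wins when both are set (example's choice) */
    take_path(&c, env_dir, TRUST_ENV_DIR);
    return c;
}

/* Reads the real environment and applies the policy. A real program would
 * pass c.path to gnutls_certificate_set_x509_trust_file() or
 * gnutls_certificate_set_x509_trust_dir() instead of the default. */
struct trust_choice trust_store_from_environment(void)
{
    return choose_trust_store(getenv("SSL_CERT_FILE"), getenv("SSL_CERT_DIR"),
                              secure_execution());
}

int main(void)
{
    struct trust_choice c = trust_store_from_environment();
    const char *how = c.source == TRUST_ENV_FILE ? "SSL_CERT_FILE" :
                      c.source == TRUST_ENV_DIR  ? "SSL_CERT_DIR"  : "system default";
    printf("trust store: %s (%s)\n", c.path, how);
    return 0;
}
```

Run it once as an ordinary user with SSL_CERT_FILE set and once from a setuid copy: the first prints the override, the second prints the system default, which is exactly the property Mark Weaver wanted upstream GnuTLS to keep. Putting this check in the application rather than in the library also keeps it visible to whoever audits that program, instead of becoming an invisible distribution-wide behaviour change.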
