2013/6/12 Wojtek Kaniewski <wojte...@toxygen.net>:
> As Bartosz wrote
> the code for GnuTLS will be more complicated, so it may take some time.

Do you have any plan for it? I have performed some research and the
options seem to be to:

1) Have a build-time option to explicitly specify a CA trust store
file to use, and if not specified, default to the first existing of:
   /etc/ssl/certs/ca-certificates.crt (Debian, Gentoo, Arch),
   /etc/pki/tls/cert.pem (Fedora),
   /etc/ssl/ca-bundle.pem (OpenSUSE),
   /usr/local/share/certs/ca-root-nss.crt (FreeBSD),
   /etc/ssl/cert.pem (OpenBSD)

If specified, we could use the configured file and ignore the system
default altogether for both OpenSSL and GnuTLS. But if it was guessed,
probably we should rather use OpenSSL's and GnuTLS's (in case of
GnuTLS 3.0 or newer) default.

2) Another option would be to simply hard-code all these paths for
GnuTLS older than 3.0 and not provide any build-time option at all.
And as I'm thinking about that, it actually seems to be the best
option to me.

3) For the sake of completeness: We could also require GnuTLS v3, but
it's really a no-go because we should fix this issue in the 1.11 line
and raising library requirements to something that even Debian 7.0
doesn't have is a very bad idea.

What do you think?

libgadu-devel mailing list
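
The selection logic of option 1 in the message above, as an added example that is not part of the original message and is not libgadu code. The names `ca_pick`, `ca_choice` and `ca_source` are hypothetical, and treating an explicit but unusable path as a failure instead of falling back to guessing is an assumption of this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths listed in the message above, in the order given there. */
const char *const ca_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     /* Debian, Gentoo, Arch */
    "/etc/pki/tls/cert.pem",                  /* Fedora */
    "/etc/ssl/ca-bundle.pem",                 /* OpenSUSE */
    "/usr/local/share/certs/ca-root-nss.crt", /* FreeBSD */
    "/etc/ssl/cert.pem",                      /* OpenBSD */
    NULL
};

/* Hypothetical types: where the chosen trust store path came from. */
enum ca_source { CA_NONE, CA_CONFIGURED, CA_GUESSED };
struct ca_choice { enum ca_source source; const char *path; };

/* A usable bundle is a readable regular file, not a directory. */
static int ca_file_usable(const char *path)
{
    struct stat st;
    return path != NULL && stat(path, &st) == 0 &&
           S_ISREG(st.st_mode) && access(path, R_OK) == 0;
}

/* configured: build-time path, or NULL when none was given.
 * Assumption: an explicit but unusable path yields CA_NONE instead of
 * falling back to guessing, so the caller can fail the TLS setup. */
struct ca_choice ca_pick(const char *configured, const char *const *candidates)
{
    struct ca_choice none = { CA_NONE, NULL };
    if (configured != NULL) {
        if (ca_file_usable(configured))
            return (struct ca_choice){ CA_CONFIGURED, configured };
        return none;
    }
    for (size_t i = 0; candidates != NULL && candidates[i] != NULL; i++)
        if (ca_file_usable(candidates[i]))
            return (struct ca_choice){ CA_GUESSED, candidates[i] };
    return none;
}

int main(void)
{
    struct ca_choice c = ca_pick(NULL, ca_candidates);
    printf("source=%d path=%s\n", (int)c.source, c.path ? c.path : "(none)");
    return c.source == CA_NONE;
}
```

Keeping `CA_CONFIGURED` distinct from `CA_GUESSED` lets the caller apply the rule from the message: a configured file is used for both libraries, while a guessed one is only needed where the TLS library has no default of its own.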
