On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
> Ludovic Courtès <l...@gnu.org> writes:
>
> > Maxim Cournoyer <maxim.courno...@gmail.com> skribis:
> >
> > > We should patch GnuTLS so that it also honors the SSL_*
> > > environment variables documented in the Guix manual.
> >
> > Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
> > GnuTLS developers made the conscious decision to not honor any
> > environment variable, leaving it up to application developers to do
> > that.
> >
> > That’s the reason we are in this situation.  See the thread at
> > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
>
> That thread is worth reading, but for those who are short on time, I
> want to call attention to a specific point I made:
>
>   However, GnuTLS does not support an environment variable setting, so we
>   would have to patch the code (add_system_trust in lib/system.c).  I
>   strongly considered doing this, but I'm worried about the possible
>   security implications.  For example, consider a setuid program that uses
>   GnuTLS and assumes that the person who ran the program will not be
>   capable of changing the trust store that GnuTLS uses.  This assumption
>   would be correct for the upstream GnuTLS, but not for ours.
>
>   <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
Would it be an idea to propose the patches, or the idea, for supporting
the SSL_* variables to the GnuTLS developers?  Or is there a more
fundamental reason why GnuTLS does not support changing certificate
stores at run-time?

Perhaps I have missed a solution that has already made it in Guix.  If
that is the case, I would like to know about it. :)

Kind regards,
Roel Janssen
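As an added illustration of the setuid concern quoted above (example code written for this page, not GnuTLS's or Guix's own code and not a proposed patch): the naive version below does what a patched add_system_trust would do if it simply read the environment, and the hardened version honours an SSL_CERT_FILE override only when the process is not running with privileges its invoker lacks. The default path, the function names and the use of SSL_CERT_FILE as the variable are assumptions for illustration. The privilege check is the portable real-versus-effective uid/gid comparison; glibc's secure_getenv() and BSD's issetugid() are the more accurate primitives where they exist.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical compiled-in default; not the path GnuTLS actually uses. */
#define DEFAULT_TRUST_STORE "/etc/ssl/certs/ca-certificates.crt"

/* Naive policy: whoever controls the environment controls the trust store.
 * In a setuid binary that means the unprivileged invoker picks the CAs. */
const char *unsafe_trust_store_path(void)
{
    const char *override = getenv("SSL_CERT_FILE");
    return (override != NULL && override[0] != '\0') ? override
                                                     : DEFAULT_TRUST_STORE;
}

/* Nonzero when the process may hold privileges its invoker does not
 * (set-user-ID or set-group-ID executable). Portable approximation of
 * glibc's AT_SECURE flag (consulted by secure_getenv) and BSD issetugid(). */
int privileges_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure policy function, kept separate from the syscalls so it can be
 * tested without a real setuid binary: honour a non-empty override only
 * when the process is not privileged. */
const char *select_trust_store(const char *override, int elevated)
{
    if (override != NULL && override[0] != '\0' && !elevated)
        return override;
    return DEFAULT_TRUST_STORE;
}

/* Hardened policy: same environment lookup, gated on the privilege check. */
const char *safe_trust_store_path(void)
{
    return select_trust_store(getenv("SSL_CERT_FILE"), privileges_elevated());
}

int main(void)
{
    /* Constructed input for the demonstration: pretend the invoker exported
     * SSL_CERT_FILE pointing at a CA bundle they control. */
    setenv("SSL_CERT_FILE", "/home/alice/evil-ca.pem", 1);

    printf("elevated:    %d\n", privileges_elevated());
    printf("naive:       %s\n", unsafe_trust_store_path());
    printf("hardened:    %s\n", safe_trust_store_path());
    printf("if setuid:   %s\n",
           select_trust_store(getenv("SSL_CERT_FILE"), 1));
    return 0;
}
```

Run unprivileged, both policies return the override; run from a set-user-ID binary, only the naive one does. The uid/gid comparison has a known gap: a program that gained privilege through file capabilities, or that already called setuid() to drop back to the real uid, looks unprivileged to it while its environment is still attacker-controlled. That is exactly what AT_SECURE (and hence secure_getenv) accounts for on glibc, so a real patch should prefer it and fall back to the comparison only on platforms without it. An SSL_CERT_DIR override would go through the same gate.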