Roel Janssen <r...@gnu.org> writes:

> On Fri, 2021-03-19 at 19:13 -0400, Mark H Weaver wrote:
>> Ludovic Courtès <l...@gnu.org> writes:
>>
>> > Maxim Cournoyer <maxim.courno...@gmail.com> skribis:
>> >
>> > > We should patch GnuTLS so that it also honors the SSL_* environment
>> > > variables documented in the Guix manual.
>> >
>> > Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
>> > GnuTLS developers made the conscious decision to not honor any
>> > environment variable, leaving it up to application developers to do
>> > that.
>> >
>> > That’s the reason we are in this situation. See the thread at
>> > <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
>>
>> That thread is worth reading, but for those who are short on time, I
>> want to call attention to a specific point I made:
>>
>>   However, GnuTLS does not support an environment variable setting, so we
>>   would have to patch the code (add_system_trust in lib/system.c). I
>>   strongly considered doing this, but I'm worried about the possible
>>   security implications. For example, consider a setuid program that uses
>>   GnuTLS and assumes that the person who ran the program will not be
>>   capable of changing the trust store that GnuTLS uses. This assumption
>>   would be correct for the upstream GnuTLS, but not for ours.
>>
>> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
>>
>
> Would it be an idea to propose the patches, or the idea, for supporting
> the SSL_* variables to the GnuTLS developers?

Sure, please feel free to discuss it with them.

> Or is there a more fundamental reason why GnuTLS does not support
> changing certificate stores at run-time?

I don't know. It's been many years since I looked at this.

     Thanks,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
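An added illustration of the setuid concern raised in the quoted 2014 message (this is example code written for this page, not code from the thread, from Guix or from GnuTLS): an application that wants to honor SSL_CERT_FILE, the OpenSSL-origin variable the thread refers to, can do so while refusing the environment whenever the process runs with privileges it did not get from its invoker. The function names, the compiled-in default path and the use of getauxval(AT_SECURE) as the privilege check are assumptions made for this example.

```c
/* Example added for illustration; not code from the thread, Guix or GnuTLS.
 * Policy: an environment-supplied trust file is honored only when the
 * process is not privileged, so a setuid binary keeps its built-in store. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): the kernel's "environment is untrusted" flag */
#endif

/* Assumed compiled-in default; a real build would take this from configure. */
#define DEFAULT_TRUST_FILE "/etc/ssl/certs/ca-certificates.crt"

/* Naive policy: whatever the environment says wins.  This is exactly the
 * hazard the thread describes, because the user who starts a setuid program
 * also controls its environment. */
const char *naive_trust_file(const char *env_value)
{
    return (env_value != NULL && env_value[0] != '\0') ? env_value
                                                       : DEFAULT_TRUST_FILE;
}

/* Hardened policy, kept free of process state so it can be unit-tested:
 * the environment is consulted only when the process is not privileged. */
const char *choose_trust_file(const char *env_value, bool privileged)
{
    if (privileged)
        return DEFAULT_TRUST_FILE;
    return naive_trust_file(env_value);
}

/* True when the process must not trust its environment: real and effective
 * ids differ (setuid/setgid), or the kernel set AT_SECURE, which also covers
 * file capabilities.  glibc's secure_getenv() returns NULL under the same
 * AT_SECURE condition; this function makes the check explicit. */
bool running_privileged(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return true;
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return true;
#endif
    return false;
}

/* Process-level entry point an application would call once at startup,
 * before handing the chosen path to its TLS library. */
const char *trust_file_for_this_process(void)
{
    return choose_trust_file(getenv("SSL_CERT_FILE"), running_privileged());
}

int main(void)
{
    printf("trust file: %s\n", trust_file_for_this_process());
    return 0;
}
```

Run as an ordinary user with SSL_CERT_FILE set, the program prints that path; run from a setuid or capability-bearing binary it prints the compiled-in default regardless of the environment, which is the invariant the quoted message says upstream GnuTLS preserves by not reading environment variables at all.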