Hi Andreas,

Andreas Enge <andr...@enge.fr> writes:

> On Tue, Feb 18, 2014 at 09:47:18PM -0500, Mark H Weaver wrote:
>> This patch is needed to allow gnutls to find the system-wide trust store
>> (trusted CA certificates).
>
>> +
>> "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt")))
>
> As there is no system, and we advertise per user configuration, should this
> not rather be $HOME/.guix-profile/etc/...? Which probably does not work
> as it would need to be "resolved" at execution time. Is there any way
> of telling gnutls to use an environment variable?
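Review bot: the configure flag pins the default trust store to the single absolute path /etc/ssl/certs/ca-certificates.crt; the patch description should state that GnuTLS only reads this path when a program explicitly calls gnutls_certificate_set_x509_system_trust, so that the per-user-override concern raised above can be judged against that opt-in behaviour rather than against an assumption that every GnuTLS client will use the file.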
I'm very sympathetic to your point of view. I agree that each user should
be able to decide which CA certificates to trust. However, GnuTLS does not
support an environment variable setting, so we would have to patch the
code (add_system_trust in lib/system.c).

I strongly considered doing this, but I'm worried about the possible
security implications. For example, consider a setuid program that uses
GnuTLS and assumes that the person who ran the program will not be capable
of changing the trust store that GnuTLS uses. This assumption would be
correct for the upstream GnuTLS, but not for ours.

Here's the thing: GnuTLS does not trust the system store by default. The
program has to call 'gnutls_certificate_set_x509_system_trust' to use the
system trust store. Therefore, individual programs can still allow the
user to override the system trust store.

For example, look at the code for 'wget' (ssl_init in src/gnutls.c). If
you put "ca_directory = <DIRECTORY>" in ~/.wgetrc, then wget does not call
'gnutls_certificate_set_x509_system_trust'. Instead, it trusts only the
certs in the specified user directory.

So, in the end, I don't think we should mess around with the way GnuTLS
was designed. I think we should provide a hard-coded system-wide location
to allow 'gnutls_certificate_set_x509_system_trust' to work as it was
intended, and instead we should make sure that each individual program has
a way to override that.

What do you think?

Regards,
Mark