gnutls: set certificate location #8121
Conversation
This is a fast fix; it might be best to use $SSL_CERT_FILE. Tested on vlc with youtube https URLs. Discussed also on NixOS#8118.
Forgot to link upstream docs.
👍 (I guess $SSL_CERT_FILE would be... cleaner? Haven't thought through all the implications, though.)
I didn't want to poke now through the source and search what to patch, so I just did this quick fix. We use
/cc maintainers @edolstra, @wkennington.
I would prefer this to use the cacert package directly so we can guarantee this works on non-nixos systems. Ideally it wouldn't need to depend on the hash of the cacert package so that we could update cacerts without triggering a rebuild.
Is gnutls case different from openssl and other cert users? I would expect same or similar handling.
They should be doing this as well. Again, the biggest downside is that Maybe it would be useful to move the current cacert implementation to On Tue, Jun 2, 2015, 11:25 Vladimír Čunát [email protected] wrote:
The problem with the tarball approach is that very few people can update it On Tue, Jun 2, 2015, 11:34 William Kennington [email protected]
If we do this, we should probably do it for OpenSSL as well, for consistency. The main argument against it is impurity - a non-chroot build could end up using certificates in @wkennington Depending on the certificate bundle directly is tempting but not a good idea from a security perspective, because it makes it hard to revoke a certificate system-wide (you'd have to make sure that you have no package with an obsolete certificate bundle in its closure).
You have the same problem with a bug in an ssl implementation, you still If you look at the frequency of updates, openssl alone is on par with the These default certificates should be only used in the fallback case. The This also doesn't fix the issue of a system rollback rolling back a ca On Tue, Jun 2, 2015, 13:14 Eelco Dolstra [email protected] wrote:
As for non-chrooted builds... in our master gnutls detects CA file location at configure time. On Hydra it's chrooted, so it finds nothing and uses a default path not populated on NixOS ( Do I understand correctly that the only point of improvement against current openssl state (
Thinking of the upcoming release: what about just merging this and leaving openssl as it is. We can make larger changes later, as I think just stabilizing and testing what's committed among various 15.06-bound branches will need more than enough work until the end of the month. |
Pushed to staging now. Further discussion on #8247. |
I'm not in favor of pushing this to staging if we don't also do it for OpenSSL. |
IMHO openssl had and still has even a better support than gnutls (it uses the env var). |
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec { | |||
inherit src patches; | |||
|
|||
configureFlags = [ | |||
# FIXME: perhaps use $SSL_CERT_FILE instead | |||
"--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" |
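Review bot: the `--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt` flag is added unconditionally, but that path is only populated on NixOS and, as raised in the review, does not exist on Darwin, so this hunk should guard the flag with `stdenv.isLinux` (for example `configureFlags = stdenv.lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt";`, leaving gnutls' own configure-time probing in place elsewhere). The `# FIXME: perhaps use $SSL_CERT_FILE instead` comment would also be more useful if it pointed at the follow-up discussion (#8247) rather than leaving the open question in the expression. Worth stating in the comment why the system path is preferred over depending on the cacert package: a single system-wide bundle is what keeps certificate revocation a one-place change rather than a rebuild of every closure carrying a stale bundle.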
How does this affect Darwin? That path doesn't exist.
Hmm, I guess the configure flag should only be added on Linux? Without it, configure probes a few options, which might give a correct result, as darwin builds are not chrooted.
darwin builds are not chrooted.
They are in the painfully long-lived awesome branch with the new stdenv 😭
But yeah, this should probably be conditional behind .isLinux
Pushed.
Any better ideas?