guix-devel

Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store


From: Andreas Enge
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 13:13:53 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Feb 19, 2014 at 05:13:26AM -0500, Mark H Weaver wrote:
> However, GnuTLS does not support an environment variable setting, so we
> would have to patch the code (add_system_trust in lib/system.c).  I
> strongly considered doing this, but I'm worried about the possible
> security implications.  For example, consider a setuid program that uses
> GnuTLS and assumes that the person who ran the program will not be
> capable of changing the trust store that GnuTLS uses.  This assumption
> would be correct for the upstream GnuTLS, but not for ours.
> 
> Here's the thing: GnuTLS does not trust the system store by default.
> The program has to call 'gnutls_certificate_set_x509_system_trust' to
> use the system trust store.  Therefore, individual programs can still
> allow the user to override the system trust store.
> 
> For example, look at the code for 'wget' (ssl_init in src/gnutls.c).  If
> you put "ca_directory = <DIRECTORY>" in ~/.wgetrc, then wget does not
> call 'gnutls_certificate_set_x509_system_trust'.  Instead, it trusts
> only the certs in the specified user directory.

This is an interesting feature.

> So, in the end, I don't think we should mess around with the way GnuTLS
> was designed.  I think we should provide a hard-coded system-wide
> location to allow 'gnutls_certificate_set_x509_system_trust' to work as
> it was intended, and instead we should make sure that each individual
> program has a way to override that.

I am still uneasy with this situation, even more so as long as we do not
have the GNU system: Currently, the guix gnutls would point to the SSL
certificates that Debian installed (or did not install) in /etc; we will
get behaviour that depends a lot on the outside system instead of being
self-contained.

Andreas
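The selection policy Mark's quoted message describes (a compiled-in system store, a per-program override like wget's ca_directory, and the setuid hazard of letting an environment variable move the store), written out as an added example in C. This is not GnuTLS code and not from the thread: the SYSTEM_TRUST_STORE path and the GNUTLS_SYSTEM_TRUST variable are assumptions for illustration only, and the privilege check is the usual one (the kernel's AT_SECURE flag on Linux, otherwise a real-vs-effective uid/gid comparison, which is what glibc's secure_getenv relies on).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): the kernel's "secure exec" verdict */
#endif

/* Assumed compiled-in default; a distribution would substitute its own path. */
#define SYSTEM_TRUST_STORE "/etc/ssl/certs/ca-certificates.crt"

/* Hypothetical variable name for illustration; GnuTLS itself has no such override. */
#define TRUST_ENV_VAR "GNUTLS_SYSTEM_TRUST"

enum trust_source { TRUST_SYSTEM, TRUST_PROGRAM_CONFIG, TRUST_ENVIRONMENT };

struct trust_choice {
    enum trust_source source;
    const char *path;
};

/* True when the process holds privileges its invoker does not have:
 * setuid/setgid, or on Linux anything the kernel flagged AT_SECURE
 * (which also covers file capabilities). */
int process_is_privileged(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision logic, kept apart from live process state so it is testable.
 *   program_ca_dir: the program's own choice (wget's ca_directory), or NULL
 *   env_override:   value of TRUST_ENV_VAR, or NULL
 *   privileged:     result of process_is_privileged()
 * Precedence: the program's own choice always wins, since that is the
 * program author's decision; the environment is honoured only in an
 * unprivileged process; otherwise the compiled-in system store is used.
 * This is the setuid case Mark worries about: an attacker who can set the
 * environment of a setuid binary must not be able to pick its CA store. */
struct trust_choice choose_trust_store(const char *program_ca_dir,
                                       const char *env_override,
                                       int privileged)
{
    struct trust_choice c;
    if (program_ca_dir != NULL && program_ca_dir[0] != '\0') {
        c.source = TRUST_PROGRAM_CONFIG;
        c.path = program_ca_dir;
    } else if (!privileged && env_override != NULL && env_override[0] != '\0') {
        c.source = TRUST_ENVIRONMENT;
        c.path = env_override;
    } else {
        c.source = TRUST_SYSTEM;
        c.path = SYSTEM_TRUST_STORE;
    }
    return c;
}

/* Convenience wrapper over the live process: environment plus privilege state. */
struct trust_choice current_trust_store(const char *program_ca_dir)
{
    return choose_trust_store(program_ca_dir, getenv(TRUST_ENV_VAR),
                              process_is_privileged());
}

int main(void)
{
    struct trust_choice c = current_trust_store(NULL);
    printf("trust source %d, path %s\n", (int)c.source, c.path);
    return 0;
}
```

The point of splitting choose_trust_store from current_trust_store is that the hazardous branch (environment honoured while privileged) can be asserted against without actually installing a setuid binary; a library that wanted an environment override would have to carry exactly this check, which is why the thread's alternative of a fixed system path plus per-program configuration is the simpler design.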



