pkgsrc-Bugs archive


PR/58143 CVS commit: pkgsrc/security/gnutls



The following reply was made to PR pkg/58143; it has been noted by GNATS.

From: "Taylor R Campbell" <riastradh%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/58143 CVS commit: pkgsrc/security/gnutls
Date: Tue, 7 Jan 2025 19:19:34 +0000

 Module Name:	pkgsrc
 Committed By:	riastradh
 Date:		Tue Jan  7 19:19:34 UTC 2025
 
 Modified Files:
 	pkgsrc/security/gnutls: Makefile
 
 Log Message:
 security/gnutls: Use system TLS trust anchors.
 
 Until 2018, gnutls would search at _build-time_ for one of various
 files /etc/ssl/ca-bundle.pem, /etc/ssl/certs/ca-certificates.crt,
 /etc/pki/tls/cert.pem, &c., for trust anchors, and bake that path
 into the build product -- or, if none of those existed at build-time,
 it would bake _nothing_ into the build product and require programs
 doing TLS to specify trust anchors explicitly; the gnutls function
 gnutls_x509_trust_list_add_system_trust would fail with
 GNUTLS_E_UNIMPLEMENTED_FEATURE.
 
 In 2018, gnutls was changed to depend on mozilla-rootcerts and use
 ${PREFIX}/share/mozilla-rootcerts/cacert.pem.  This was expedient for
 NetBSD which (a) had no trust anchors shipped out of the box until
 10.0 but (b) would usually be configured with mozilla-rootcerts
 anyway, but wrong, because:
 
 1. The system may manage TLS trust anchors differently, e.g. on
    Fedora they're somewhere in /etc/pki/tls, or even if you install
    trust anchors from pkgsrc you might use security/ca-certificates
    instead of security/mozilla-rootcerts.
 
 2. Even if the system uses Mozilla's trust anchors, there is no way
    for an operator to safely selectively override individual CA
    certificates, like nixing DigiNotar after their compromise --
    ${PREFIX}/share/mozilla-rootcerts/cacert.pem is a static file that
    is not allowed to change, not an editable configuration file.
 
 With this change, on platforms where mk/ssl.mk defines SSLCERTBUNDLE,
 gnutls will look there; on platforms without it, gnutls will revert
 to its original default of checking various paths at build-time.  For
 systems where the binary packages are built without trust anchors at
 build-time, but where there is a fixed path known at build-time where
 the trust anchors will be at run-time, mk/ssl.mk should be adapted to
 set SSLCERTBUNDLE.
 
 PR pkg/58143: security/gnutls uses wrong trust anchors
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.262 -r1.263 pkgsrc/security/gnutls/Makefile
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
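The resolution order the commit describes (an explicit bundle path configured by mk/ssl.mk, otherwise the first of the well-known paths that exists at build-time, otherwise no system trust at all) can be checked on a build host with a small script. The one below is an added example, not code from the pkgsrc commit or from gnutls; the function names, the order of the candidate paths and the SSLCERTBUNDLE environment variable being consulted are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the pkgsrc commit or gnutls): model how a build
# resolves TLS trust anchors and sanity-check the result.
#   1. an explicit bundle path (pkgsrc's SSLCERTBUNDLE from mk/ssl.mk)
#   2. else the first candidate path that exists and is non-empty
#   3. else "none" (the case where gnutls_x509_trust_list_add_system_trust
#      fails with GNUTLS_E_UNIMPLEMENTED_FEATURE)

# Candidate paths named in the commit message; this order is an assumption.
TRUST_ANCHOR_CANDIDATES="/etc/ssl/ca-bundle.pem
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem"

# resolve_trust_bundle EXPLICIT_PATH [CANDIDATE...]
# Prints the bundle path that would be baked in, or "none".
resolve_trust_bundle() {
    explicit=$1
    shift
    if [ -n "$explicit" ]; then
        # A configured path wins even if the file is absent right now:
        # on some platforms the anchors only appear at run-time.
        printf '%s\n' "$explicit"
        return 0
    fi
    for candidate in "$@"; do
        if [ -s "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'none\n'
    return 0
}

# count_pem_certs FILE
# Number of CERTIFICATE blocks in a PEM bundle; 0 if unreadable or missing.
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        printf '0\n'
    fi
}

# Report for this host (output depends on the platform and on whether
# SSLCERTBUNDLE is set in the environment).
bundle=$(resolve_trust_bundle "${SSLCERTBUNDLE:-}" $TRUST_ANCHOR_CANDIDATES)
printf 'trust bundle: %s (%s certificates)\n' \
    "$bundle" "$(count_pem_certs "$bundle")"
```

A result of `none` on a package build host means the resulting binaries carry no system trust anchors at all, which is the situation the commit message describes for platforms without SSLCERTBUNDLE and without any of the candidate files; a bundle with a certificate count of 0 is equally useless and worth catching before packages ship.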
 

