[gnutls-devel] Trust store from environment variable

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Feb 8 10:18:18 CET 2015


On Sat, 2015-02-07 at 16:34 +0100, Andreas Enge wrote:
> Hello,
> 
> in GNU Guix, we currently compile GnuTLS with
>    --with-default-trust-store-dir=/etc/ssl/certs
> However, with per user installation, it would be desirable if each user
> could define his own trust store, via an environment variable, for instance.
> Does this sound like a reasonable option? Some care would be needed to
> handle applications that are setuid root, for instance.

The loading of certificates from a system wide file or directory are
legacy options, and they don't allow much space for improvement. The
recommended way in a modern system is via the p11-kit trust module [0],
which in addition to what you ask, it can allow users to also specify
the purpose each CA certificate is trusted for. The p11-kit trust module
is used in Fedora for few releases now, for both NSS and gnutls.

regards,
Nikos

[0]. http://gnutls.org/manual/html_node/Verification-using-PKCS11.html





More information about the Gnutls-devel mailing list