[gnutls-devel] Trust store from environment variable

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Feb 8 14:14:50 CET 2015


On Sun, 2015-02-08 at 13:00 +0100, Andreas Enge wrote:
> Thanks for your kind explanations!
> 
> On Sun, Feb 08, 2015 at 10:18:18AM +0100, Nikos Mavrogiannopoulos wrote:
> > Loading certificates from a system-wide file or directory is a
> > legacy option, and it doesn't allow much space for improvement. The
> > recommended way in a modern system is via the p11-kit trust module [0],
> > which, in addition to what you ask, can allow users to also specify
> > the purpose each CA certificate is trusted for. The p11-kit trust module
> > has been used in Fedora for a few releases now, for both NSS and gnutls.
> > [0]. http://gnutls.org/manual/html_node/Verification-using-PKCS11.html
> 
> What I do not quite understand is how that applies to packagers for
> distributions. The documentation speaks about the C library interface.
> What about existing applications? Do they need to be patched to use
> this trust module?

Indeed, such a section is currently missing from the documentation. No
applications would need to be patched for that; they should work out of
the box. The Fedora change was at
https://fedoraproject.org/wiki/Features/SharedSystemCertificates

(note that it predates the pkcs11 trust module by gnutls and using the
trust module is listed as a future goal)

The process should be: (a) set up p11-kit, (b) set up the p11-kit trust
module, (c) configure gnutls with
--with-default-trust-store-pkcs11="pkcs11:"

and then all the modules marked as trusted in the p11-kit configuration will
be used by gnutls. The relevant packages in Fedora are:
http://pkgs.fedoraproject.org/cgit/p11-kit.git/
http://pkgs.fedoraproject.org/cgit/ca-certificates.git/
(the latter for update-ca-trust).

regards,
Nikos
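As an added example (not from the thread or from the gnutls or p11-kit projects), a small POSIX shell helper that reports which p11-kit modules are marked as trust-policy sources, which is what "all the modules marked as trusted in the p11-kit configuration" refers to. The sample module directory, the source directory names and the Fedora anchor path in the recipe are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find which p11-kit modules are marked
# as trust-policy sources, i.e. the ones gnutls consults for CA anchors once
# it is built with --with-default-trust-store-pkcs11="pkcs11:".
# Keys follow pkcs11.conf(5): "module:" names the .so, "trust-policy: yes"
# marks a trust source. The directory and sample files below are constructed;
# a real system keeps them in /etc/pkcs11/modules and /usr/share/p11-kit/modules.

# Usage: trusted_p11_modules DIR
# Prints "<config name> <module .so>" for each *.module file whose
# trust-policy key is yes (case-insensitive, blanks around ":" tolerated).
trusted_p11_modules() {
    dir="$1"
    for f in "$dir"/*.module; do
        [ -f "$f" ] || continue
        awk -v name="$(basename "$f" .module)" '
            /^[[:space:]]*#/ || !index($0, ":") { next }   # comments, blank lines
            {
                i = index($0, ":")
                key = tolower(substr($0, 1, i - 1)); gsub(/[[:space:]]/, "", key)
                val = substr($0, i + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                if (key == "module")       mod = val
                if (key == "trust-policy") trust = tolower(val)
            }
            END { if (trust == "yes") print name, mod }
        ' "$f"
    done
}

# Builds a throwaway module directory: one trust module (mirrors the file
# p11-kit ships) and one plain token module with no trust policy.
make_sample_modules() {
    d=$(mktemp -d)
    printf '# constructed sample\nmodule: p11-kit-trust.so\ntrust-policy: yes\npriority: 1\n' \
        > "$d/p11-kit-trust.module"
    printf 'module: opensc-pkcs11.so\n' > "$d/opensc.module"
    echo "$d"
}

# Steps (a)-(c) from the message as a reference recipe; not run here, and the
# source directory names and the Fedora anchor path are assumptions.
build_recipe() {
    (cd p11-kit && ./configure --with-trust-paths=/etc/pki/ca-trust/source && make install)
    (cd gnutls && ./configure --with-default-trust-store-pkcs11="pkcs11:" && make install)
}
```

Running `trusted_p11_modules "$(make_sample_modules)"` prints only `p11-kit-trust p11-kit-trust.so`, since the opensc module carries no trust-policy key.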
