[gnutls-devel] Trust store from environment variable

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Feb 8 14:14:50 CET 2015

On Sun, 2015-02-08 at 13:00 +0100, Andreas Enge wrote:
> Thanks for your kind explanations!
> On Sun, Feb 08, 2015 at 10:18:18AM +0100, Nikos Mavrogiannopoulos wrote:
> > The loading of certificates from a system-wide file or directory is a
> > legacy option, and it doesn't allow much space for improvement. The
> > recommended way in a modern system is via the p11-kit trust module [0],
> > which, in addition to what you ask, can allow users to also specify
> > the purpose each CA certificate is trusted for. The p11-kit trust module
> > has been used in Fedora for a few releases now, for both NSS and gnutls.
> > [0]. http://gnutls.org/manual/html_node/Verification-using-PKCS11.html
> What I do not quite understand is how that applies to packagers for
> distributions. The documentation speaks about the C library interface.
> What about existing applications? Do they need to be patched to use
> this trust module?

Indeed, such a section is currently missing from the documentation. No
applications would need to be patched for that; they should work out of
the box. The Fedora change was at

(note that it predates the pkcs11 trust module by gnutls and using the
trust module is listed as a future goal)

The process should be: (a) set up p11-kit, (b) set up the p11-kit trust
module, (c) configure gnutls with

and then all the modules marked as trusted in the p11-kit configuration will
be used by gnutls. The relevant packages in Fedora are:
(the latter for update-ca-trust).
