[gnutls-devel] GnuTLS | Path forward for --strict-x509: runtime switch? (#1564)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Jul 17 14:05:41 CEST 2024 


Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1564



!1550 has introduced, and !1583 has extended `--strict-x509`, but, without being enabled by default, the compliance improvements offered by the switch lie dormant.
On the other hand, enabling the option comes at an interoperability cost, so packagers are discouraged to enabled it, as when users encounter a non-compliant certificate and come to them, their workarounding options are currently limited to recompiling gnutls only. Introducing some form of a runtime switch might help them make the leap.

A runtime switch can come in several varieties. In the most common scenario, where a client cannot connect to a server and has no control over the non-compliant certificate it's using, the ideal override would be per-host, and the second best override would be per-invocation, followed by whole-system. Per-app switching, when a specific app wants an override through the API, feels like the least likely to be handy. With that in mind, here's my subjective rating of what the switch could be:

1. environment variable. Pros: per-invocation. Cons: SUID binaries might ignore it. (not sure how significant is that)
2. priority string keyword. Pros: some apps allow configuring it per-invocation or per-app. Cons: not easy to enable system-wide with allowlisting config alone (not sure how significant is that)
3. configuration file directive. Pros: can be per-invocation if pointed at a config with an envvar. Cons: folks rocking no config (e.g. Debian) will have to figure out creating one

Another question is, when can the default for the compile switch be flipped. Next second version bump after a runtime switch is there?

Overall, what's the plan to proceed with this one?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1564
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240717/d76a260b/attachment.html>

More information about the Gnutls-devel mailing list