Re: GnuTLS and the “trust store”
From: Ricardo Wurmus
Subject: Re: GnuTLS and the “trust store”
Date: Fri, 6 Jan 2017 15:20:03 +0100
User-agent: mu4e 0.9.16; emacs 25.1.1

Ludovic Courtès <address@hidden> writes:
> Ricardo Wurmus <address@hidden> writes:
>
>> Marius Bakke <address@hidden> writes:
>>
>>> Curl respects the variable "CURL_CA_BUNDLE". I think we could add a
>>> "native-search-path" for that, similar to how it's done for "git".
>>
>> “curl” does but libcurl does not.
>
> But that’s probably on purpose. What do the cURL developers recommend
> for their users?
>
> If they recommend that users roll their own mechanism to designate the
> trust store, then they probably do (?), and I think we should avoid
> interfering with that.

I don’t know what they recommend but on an FHS-compliant system libcurl
would be configured to default to a well-known path for the default CA
bundle. This allows users of libcurl to just not care about
implementing a mechanism to override the default CA bundle, because it
would fall back to the well-known system-wide path.

One of these packages is “r-curl”, which just assumes that the libcurl
defaults are fine. We patch it to enable CURL_CA_BUNDLE lookup (a
feature that was intended only for Windows).

Since GuixSD does not offer this path and Guix can be used on different
systems I think we need to provide an alternative. One alternative is
to replace the well-known path with a call to getenv("CURL_CA_BUNDLE").

~~ Ricardo
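
The lookup order discussed in this message (CURL_CA_BUNDLE first, then a built-in default path), sketched in C as an added example; it is not part of the thread and is not code from Guix, curl or r-curl. The helper names and the DEFAULT_CA_BUNDLE value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed compile-time default (placeholder, not taken from the thread). */
#ifndef DEFAULT_CA_BUNDLE
#define DEFAULT_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
#endif

/* 1 if path is a readable file with a PEM certificate header, else 0. */
static int looks_like_ca_bundle(const char *path)
{
    char line[256];
    int found = 0;
    FILE *f;

    if (path == NULL || *path == '\0')
        return 0;
    f = fopen(path, "r");
    if (f == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, f) != NULL)
        found = strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0;
    fclose(f);
    return found;
}

/* Hypothetical helper. A non-empty environment value wins; if it is set
   but unusable the result is NULL instead of a silent fallback, so a typo
   cannot quietly switch trust stores. NULL means "no usable bundle": the
   caller must fail the connection, never disable verification. */
const char *choose_ca_bundle(const char *env_value, const char *fallback)
{
    if (env_value != NULL && *env_value != '\0')
        return looks_like_ca_bundle(env_value) ? env_value : NULL;
    return looks_like_ca_bundle(fallback) ? fallback : NULL;
}

/* Hypothetical wrapper that reads the variable named in the thread. */
const char *resolve_ca_bundle(void)
{
    return choose_ca_bundle(getenv("CURL_CA_BUNDLE"), DEFAULT_CA_BUNDLE);
}

/* A libcurl caller would apply a non-NULL result with
   curl_easy_setopt(handle, CURLOPT_CAINFO, path) and abort otherwise. */
```

The environment is caller-controlled input, so a privileged or setuid program should not take its trust store from CURL_CA_BUNDLE this way.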