CRUX


FS#1684 - improve the default configuration for p11-kit / gnutls

Attached to Project: CRUX
Opened by Fun (fun) - Sunday, 07 October 2018, 12:11 GMT
Task Type: Improvement
Category: ports → core/opt
Status: New
Assigned To: Danny Rawlins (Romster)
Operating System: CRUX
Severity: Low
Priority: Normal
Reported Version: 3.4
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No

Details

gnutls and any other program linking against it will fail with the default configuration if they rely on p11-kit alone to verify certificates.

For example:

gnutls-cli -p 443 kernel.org

will fail with:

The certificate is NOT trusted. The certificate issuer is unknown.

strace shows that /etc/ssl/cert.pem is read (probably by p11-kit), but no CA certificate is considered ('Processed 0 CA certificate(s)').

The following commands make gnutls-cli work:

# run as root; make the CA bundle visible to p11-kit as a trust anchor
cd /etc/ssl && mkdir -p anchors
cp cert.pem anchors/
# write one PEM file per CA (pem-bundle would produce a single file, which the loop below could not iterate)
trust extract --filter=ca-anchors --format=pem-directory /etc/ssl/extracted
# link every extracted CA into the directory OpenSSL-based consumers read
for f in /etc/ssl/extracted/*; do ln -fsr -t /etc/ssl/certs "$f"; done

A README or a post-install script would be appreciated by anyone stumbling on this issue. It is not clear to me how p11-kit works, but the following links might help improve these ports:

https://git.archlinux.org/svntogit/packages.git/tree/trunk/update-ca-trust?h=packages/ca-certificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:Testing

opt/gnutls and contrib/gcr are the only official ports depending on p11-kit, but gnutls is picked up by more ports (including gnupg) as a soft dependency.
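The following diagnostic is an added example, not part of the report above and not a script from the CRUX ports. It checks the three things the report turns on: whether /etc/ssl/cert.pem actually contains PEM certificates, whether the p11-kit anchors directory holds at least one, and whether gnutls-cli's verification output reports a trusted chain with a non-zero "Processed N CA certificate(s)" count. The paths /etc/ssl/cert.pem and /etc/ssl/anchors and the exact gnutls-cli status strings are assumptions taken from the report; the parsing functions take files or stdin so they can be exercised without the live tools.

```shell
#!/bin/sh
# Added diagnostic for the p11-kit / gnutls trust-store problem described above.
# Assumptions (not from the report): p11-kit reads anchors from /etc/ssl/anchors,
# and gnutls-cli prints "Processed N CA certificate(s)." plus a
# "The certificate is trusted." / "The certificate is NOT trusted." status line.

# Count PEM certificate blocks in a bundle; 0 means nothing for gnutls to trust.
count_pem_certs() { # $1 = PEM bundle file
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if the anchors directory contains at least one PEM certificate.
anchors_ok() { # $1 = anchors directory
    dir=$1 n=0
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$((n + $(count_pem_certs "$f")))
    done
    [ "$n" -gt 0 ]
}

# Read gnutls-cli output on stdin; succeed only if the chain was accepted and
# at least one CA certificate was processed (the report shows "Processed 0").
gnutls_output_ok() {
    out=$(cat)
    case $out in *"Processed 0 CA certificate(s)"*) return 1;; esac
    case $out in *"The certificate is NOT trusted"*) return 1;; esac
    case $out in *"The certificate is trusted"*) return 0;; esac
    return 1
}

# Live check; only meaningful on a box with p11-kit and gnutls installed.
check_system() {
    echo "certs in /etc/ssl/cert.pem: $(count_pem_certs /etc/ssl/cert.pem)"
    if anchors_ok /etc/ssl/anchors; then
        echo "anchors: ok"
    else
        echo "anchors: /etc/ssl/anchors missing or empty (apply the fix above)"
    fi
    if command -v trust >/dev/null 2>&1; then
        # each anchor p11-kit knows about is listed as a pkcs11: URI
        echo "p11-kit anchors: $(trust list --filter=ca-anchors | grep -c '^pkcs11:')"
    fi
    if command -v gnutls-cli >/dev/null 2>&1; then
        if gnutls-cli -p 443 kernel.org </dev/null 2>&1 | gnutls_output_ok; then
            echo "gnutls-cli: kernel.org verified"
        else
            echo "gnutls-cli: verification FAILED"
        fi
    fi
}
```

Run `check_system` as root before and after the commands in the report; the "p11-kit anchors" count should go from 0 to the number of CAs in cert.pem, and the gnutls-cli line should flip to verified.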