Welcome to CRUX bug tracking.
FS#1684 - improve the default configuration for p11-kit / gnutls
Attached to Project:
CRUX
Opened by Fun (fun) - Sunday, 07 October 2018, 12:11 GMT
Last edited by Danny Rawlins (Romster) - Saturday, 04 May 2019, 05:05 GMT
Details

gnutls and any other program linking against it will fail with the default configuration if they rely on p11-kit alone to verify certificates.

For example:

    gnutls-cli -p 443 kernel.org

will fail with:

    The certificate is NOT trusted. The certificate issuer is unknown.

strace shows that /etc/ssl/cert.pem is read (probably by p11-kit), but no CA certificate is considered ('Processed 0 CA certificate(s)').

The following commands make gnutls-cli work:

    cd /etc/ssl
    mkdir anchors
    cp cert.pem anchors/
    trust extract --filter=ca-anchors --format=pem-bundle /etc/ssl/extracted
    for f in /etc/ssl/extracted/*; do ln -fsr -t /etc/ssl/certs "$f"; done

A README or a post-install script will be appreciated by anyone stumbling on this issue. It is not clear to me how p11-kit works, but the next links might help improve these ports:

https://git.archlinux.org/svntogit/packages.git/tree/trunk/update-ca-trust?h=packages/ca-certificates
https://fedoraproject.org/wiki/Features/SharedSystemCertificates:Testing

opt/gnutls and contrib/gcr are the only official ports depending on p11-kit, but gnutls is picked up by more ports (including gnupg) as a soft dependency.
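A small diagnostic for the situation reported above, added here as an example (it is not part of the original report or of the CRUX ports): it counts PEM certificate blocks in a trust directory and flags the case where certificates exist but none sit under anchors/. It assumes, following the workaround in the report, that p11-kit only treats certificates under the anchors/ subdirectory as CA anchors; the function names and exit codes are hypothetical.

```shell
# Added example; function names and exit codes are hypothetical.
# Assumption (from the workaround in the report): p11-kit treats only
# certificates under <trust dir>/anchors as trusted CA anchors.

count_pem_certs() {
    # Print the number of PEM certificate blocks in the given files.
    # Paths that are not regular files (e.g. unmatched globs) count as 0.
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(grep -E -c -e '-----BEGIN (TRUSTED )?CERTIFICATE-----' "$f" || true)
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

check_trust_layout() {
    # $1 = trust directory (the report uses /etc/ssl).
    # Returns 0 = anchors present, 1 = no certificates found at all,
    #         2 = certificates present but none under anchors/.
    dir=$1
    loose=$(count_pem_certs "$dir"/*.pem "$dir"/*.crt)
    anchored=$(count_pem_certs "$dir"/anchors/*)
    if [ "$anchored" -gt 0 ]; then
        echo "ok: $anchored certificate(s) under $dir/anchors"
        return 0
    elif [ "$loose" -gt 0 ]; then
        echo "misconfigured: $loose certificate(s) in $dir, none under $dir/anchors"
        return 2
    fi
    echo "empty: no certificates found in $dir"
    return 1
}

# Demo on a constructed directory (placeholder data, not a real certificate).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$demo/cert.pem"
check_trust_layout "$demo" || true    # bundle present, no anchors/ yet
mkdir "$demo/anchors" && cp "$demo/cert.pem" "$demo/anchors/"
check_trust_layout "$demo" || true    # after the workaround's copy step
rm -rf "$demo"
```

Run against the real store with `check_trust_layout /etc/ssl`; the "misconfigured" result corresponds to the 'Processed 0 CA certificate(s)' symptom described in the report.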
Closed by Danny Rawlins (Romster)
Saturday, 04 May 2019, 05:05 GMT
Reason for closing: Fixed
Additional comments about closing: this should be working correctly now