[OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
Adrian Bunk
bunk at stusta.de
Thu May 30 12:17:18 UTC 2019
On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote:
> Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
> trust store, so not enabling it leads to TLS errors in applications depending on
> glib-networking. The raised runtime warning is:
>
> process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
> (app:490): ... TLS Error: TLS certificate has unknown CA.
> ---
> meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
> index e05dc2b57d..3ad6e56579 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
> @@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
> PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
> PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
> PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
> +PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
>...
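Review bot: the added PACKAGECONFIG[pkcs11-trust-store] line leaves its second and third fields empty, so nothing ties it to the p11-kit option two lines above. A build with pkcs11-trust-store enabled and p11-kit disabled would pass --with-default-trust-store-pkcs11=pkcs11: together with --without-p11-kit. Consider naming p11-kit in the dependency field, or adding a comment that the p11-kit option must be enabled alongside it. A one-line comment on why the bare "pkcs11:" URI is the intended value would also help.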
Two questions:

1. Is this a valid pkcs11 URI?

  AC_ARG_WITH([default-trust-store-pkcs11],
    [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
      [use the given pkcs11 uri as default trust store])])

2. Wouldn't the more common case be to use the ca-certificates
   package instead of PKCS #11?

cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed