[OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

Philippe Normand philn at igalia.com
Thu May 30 13:30:14 UTC 2019


Hi Adrian,

On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote:
> > Since version 2.60 the glib-networking TLS database relies on
> > GnuTLS's system
> > trust store, so not enabling it leads to TLS errors in applications
> > depending on
> > glib-networking. The raised runtime warning is:
> > 
> > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS
> > database: Failed to load system trust store: GnuTLS was not
> > configured with a system trust
> > (app:490): ... TLS Error: TLS certificate  has unknown CA.
> > 
...
> Two questions:
> 
> 1. Is this a valid pkcs11 URI?
> 
> AC_ARG_WITH([default-trust-store-pkcs11],
>   [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
>     [use the given pkcs11 uri as default trust store])])
> 

Yes, I believe so. I simply used the same option as in the Freedesktop
Flatpak SDK:
https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/elements/components/gnutls.bst


> 2. Wouldn't the more common case be to use the ca-certificates
> package instead of PKCS #11?
> 

I don't know why glib-networking needs to go through gnutls which then
needs to query p11-kit. I suppose p11-kit could directly be used, but
this is not my call to make.

For reference, this is the relevant glib-networking commit:
https://gitlab.gnome.org/GNOME/glib-networking/commit/f1c8feee014007cc913b71357acb609f8d1200df

Anyway, in my local config I had this:

PACKAGECONFIG_append_pn-gnutls = " p11-kit pkcs11-trust-store"
PACKAGECONFIG_append_pn-p11-kit = " trust-paths"

Without those I would still get TLS errors at runtime.
So these 3 options would need to be enabled by default, I'll send a
follow-up patch series.

Philippe


