[OE-core] [PATCH 3/3] gnutls: Add a config option to enable the pkcs11 trust store
Philippe Normand
philn at igalia.com
Thu May 30 13:47:03 UTC 2019
Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:
(process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate has unknown CA.
This new option is enabled by default because it is what glib-networking now
expects. Disabling this option would break certificate validation for all
applications directly or indirectly (via libsoup for instance) depending on glib-networking.
---
meta/recipes-support/gnutls/gnutls_3.6.7.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..48684678bb 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8
inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
-PACKAGECONFIG ??= "libidn"
+PACKAGECONFIG ??= "libidn p11-kit pkcs11-trust-store"
# You must also have CONFIG_SECCOMP enabled in the kernel for
# seccomp to work.
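Review bot: The new default on the PACKAGECONFIG ??= line enables p11-kit and the pkcs11: trust store for every build that does not override it, but neither the commit message nor a comment says what supplies the CA certificates to that store on the target. The diffstat shows only this recipe changing, so no runtime dependency is added here; please document what must be present on the image for the store to be populated, since an empty store would still end in the "TLS certificate has unknown CA" error quoted above.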
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
+
EXTRA_OECONF = " \
--enable-doc \
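Review bot: The new PACKAGECONFIG[pkcs11-trust-store] entry leaves its disable and dependency fields empty, so nothing ties it to the p11-kit option that the default enables alongside it. A configuration such as "libidn pkcs11-trust-store" would pass --with-default-trust-store-pkcs11=pkcs11: together with --without-p11-kit. Consider folding the flag into the existing PACKAGECONFIG[p11-kit] entry, or add a comment above the new line stating that p11-kit must also be enabled.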
--
2.20.1