[OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

Philippe Normand philn at igalia.com
Thu May 30 14:47:07 UTC 2019


On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> > Hi Adrian,
> 
> Hi Philippe,
> 
> > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> > ...
> > > 2. Wouldn't the more common case be to use the ca-certificates
> > > package instead of PKCS #11?
> > 
> > I don't know why glib-networking needs to go through gnutls which
> > then needs to query p11-kit. I suppose p11-kit could directly be
> > used, but this is not my call to make.
> > ...
> 
> I think your "which then needs to query p11-kit" is not correct.
> 
> My reading of configure.ac is that ca-certificates could be used
> instead, and this also makes a lot more sense in the default case.
> 

I've asked Michael Catanzaro about this, he's not subscribed to this
list so he can't reply to the thread. Here's his reply:

The GnuTLS default trust store can be a certificate file bundle or a
certificate directory (provided by ca-certificates), or a PKCS#11 URI,
but PKCS#11 is a better default. If you do not use PKCS#11, then
expected functionality like trusting and distrusting certificates using
the 'trust' command or applications like seahorse will not work. Most
modern Linux distributions are now using PKCS#11 URIs; the only major
holdouts are Debian and Ubuntu. So I would definitely recommend the
PKCS#11 URI. Of course, basic functionality will work whichever way you
choose; glib-networking only requires that GnuTLS has a default trust
store, one way or the other, so using a bundle would be OK if you want
to avoid the dependency on p11-kit.

---

So, do you agree about depending on p11-kit from now on?

Philippe
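For readers following the recipe side of this thread, the fragment below sketches how the two trust-store choices described above could be expressed as PACKAGECONFIG options in a gnutls recipe. It is an added illustration, not the patch under discussion (whose content is not on this page) and not OE-core's actual recipe; the GnuTLS configure options are real, but the PACKAGECONFIG names, the p11-kit trust-module URI, and the ca-certificates bundle path are assumptions.

```bitbake
# Added illustration: a hypothetical gnutls PACKAGECONFIG sketch, not the
# patch from this thread and not the real OE-core recipe.
#
# GnuTLS's configure script selects the default trust store with one of:
#   --with-default-trust-store-pkcs11=<PKCS#11 URI>
#   --with-default-trust-store-file=<certificate bundle>
#   --with-default-trust-store-dir=<certificate directory>
# Only one of them should be passed to configure.

# Default to the PKCS#11 trust store, which pulls in p11-kit as a build
# dependency (hypothetical option names).
PACKAGECONFIG ??= "p11-kit-trust"

# PKCS#11 URI of the p11-kit trust module (value assumed; it is the URI
# p11-kit documents for its trust module). The quotes keep the ';' in the
# URI from being interpreted when configure is run by the shell.
PACKAGECONFIG[p11-kit-trust] = "--with-default-trust-store-pkcs11='pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit',,p11-kit"

# Alternative: a static bundle shipped by ca-certificates (path assumed).
# Basic certificate validation works, but anchors added or distrusted via
# p11-kit's 'trust' command or seahorse are not seen by GnuTLS, since it
# reads only this file.
PACKAGECONFIG[ca-bundle] = "--with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt,,,ca-certificates"
```

The fourth PACKAGECONFIG field makes ca-certificates a runtime dependency of the bundle variant, while the third field makes p11-kit a build dependency of the PKCS#11 variant; whichever option is enabled decides whether the resulting image needs p11-kit at all.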
