Skip to content
Blame History Permalink
  • Michael Catanzaro's avatar
    Use the GnuTLS system trust by default · f1c8feee
    Michael Catanzaro authored 
    Get rid of the ca_certificates_path build flag. The default GTlsDatabase
will now use the GnuTLS system trust. GTlsFileDatabase now builds its
internal hash tables by iterating its gnutls_x509_trust_list_t, rather
than by parsing its certificate file manually.

The find-ca-certificates script is removed, since it's no longer needed.

There are some potential compatibility risks here:

 * The minimum required GnuTLS version is increased from 3.3.5 to 3.4.

 * If GnuTLS is not configured with a system trust, all certificate
   verification using the default GTlsDatabase will fail. I noticed that
   GNOME's flatpak runtime does not configure a system trust, so this
   breaks HTTPS there. This is sad for Epiphany Technology Preview, but
   we should do this anyway, and separately fix the GNOME runtime.

 * It was previously possible to configure glib-networking using
   --without-ca-certificates to ensure the default GTlsDatabase is
   empty (GNOME #727282). Apparently this was desirable on some embedded
   systems, though I'm not sure why. Such configuration is still
   possible by configuring GnuTLS with no system trust. Presumably,
   anybody relying on this behavior will notice that the
   --without-ca-certificates flag has disappeared during the build
   system change and investigate, so this seems unproblematic.

 * The default GTlsDatabase is a GTlsFileDatabase, but it might not
   actually correspond to a file anymore. This will be fixed in the next
   commit.

 * If the anchors property of a GTlsFileDatabase is NULL, that
   previously indicated an empty GTlsFileDatabase, but now indicates
   that the system trust is used. This will also be fixed in the next
   commit.

 * Certificate handles created using the default GTlsDatabase will be
   different before and after this commit. This seems unlikely to cause
   problems in practice, since a quick Debian codesearch reveals zero
   applications using our certificate handles. But, if an application
   were to rely on handles generated by previous versions of
   glib-networking being valid in the new version, it would break.

None of the above seem likely to cause practical issues, once
distributors ensure that GnuTLS is built properly, so I think we can
proceed.

https://bugzilla.gnome.org/show_bug.cgi?id=753260
    f1c8feee