Skip to content

Comments

gnutls: add SSL_CERT_FILE#48317

Closed
lukateras wants to merge 1 commit intoNixOS:stagingfrom
transumption:201810/pure-gnutls-cacert
Closed

gnutls: add SSL_CERT_FILE#48317
lukateras wants to merge 1 commit intoNixOS:stagingfrom
transumption:201810/pure-gnutls-cacert

Conversation

@lukateras
Copy link
Member

@lukateras lukateras commented Oct 13, 2018

Motivation for this change

At the moment, GnuTLS programs from Nixpkgs will not always work on non-NixOS systems. This patch resolves the issue by providing pure cacert at configure time.

GnuTLS doesn't have an equivalent of SSL_CERT_FILE, it would be nice to patch that in.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. labels Oct 13, 2018
@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 13, 2018

Success on x86_64-darwin (full log)

Attempted: gnutls

Partial log (click to expand)

these paths will be fetched (0.49 MiB download, 1.72 MiB unpacked):
  /nix/store/alq7xnv8vdyrwar2chfavgjiy7zs3hb3-autogen-5.18.12-lib
  /nix/store/r5ngi6gjmrnnigpfzwrnzmryd2v3sfqk-autogen-5.18.12
  /nix/store/rrir3anfxcm7kgdrjdxnb7hfqrf9sh7q-gnutls-3.5.10-bin
copying path '/nix/store/r5ngi6gjmrnnigpfzwrnzmryd2v3sfqk-autogen-5.18.12' from 'https://cache.nixos.org'...
copying path '/nix/store/alq7xnv8vdyrwar2chfavgjiy7zs3hb3-autogen-5.18.12-lib' from 'https://cache.nixos.org'...
copying path '/nix/store/rrir3anfxcm7kgdrjdxnb7hfqrf9sh7q-gnutls-3.5.10-bin' from 'https://cache.nixos.org'...
/nix/store/rrir3anfxcm7kgdrjdxnb7hfqrf9sh7q-gnutls-3.5.10-bin

@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 13, 2018

Success on aarch64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/3q3zkvmh4i5pdx3rnqcpfmwnk8wqbpv5-gnutls-3.6.2-man/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/3q3zkvmh4i5pdx3rnqcpfmwnk8wqbpv5-gnutls-3.6.2-man
checking for references to /build in /nix/store/3q3zkvmh4i5pdx3rnqcpfmwnk8wqbpv5-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc...
/nix/store/wlrkinjqqjzyi130y0474xy64ph4flva-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 13, 2018

Success on x86_64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/la2r4kkn34dxxkmjy4n87f491r51lqkd-gnutls-3.6.2-man/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/la2r4kkn34dxxkmjy4n87f491r51lqkd-gnutls-3.6.2-man
checking for references to /build in /nix/store/la2r4kkn34dxxkmjy4n87f491r51lqkd-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc...
/nix/store/56r2zapbr6baplk2k5jw4dj5c6bficak-gnutls-3.6.2-bin

Mic92
Mic92 reviewed Oct 13, 2018
View reviewed changes
pkgs/development/libraries/gnutls/generic.nix Outdated
Copy link
Member

@Mic92 Mic92 Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this still allows to override the certificate store?

Copy link
Member Author

@lukateras lukateras Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it does not allow to override the cert store. As far as I understand, the only way to make this happen is to patch in SSL_CERT_FILE support into GnuTLS.

Copy link
Contributor

@xeji xeji Oct 13, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't feel comfortable with this solution. Yes, it's guaranteed to work on any system. But it kills any flexibility to add custom certs and makes GnuTLS unusable in environments that require them (unless you want to override cacert).

Unless we want to patch GnuTLS, I would suggest to leave it as is and document that GnuTLS expects the certs in /etc/ssl/certs/ca-certificates-crt, so on non-NixOS systems the user should copy or symlink the cert bundle there. Of course that requires root access...

Copy link
Member Author

@lukateras lukateras Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, I will patch GnuTLS then.

@timokau
Copy link
Member

timokau commented Oct 13, 2018

This should target staging.

@lukateras lukateras changed the base branch from master to staging October 13, 2018 14:43
@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 13, 2018

Success on aarch64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/9xy64blm2fyfgzp64kr5fp1c2sgbjbx4-gnutls-3.6.2-man/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/9xy64blm2fyfgzp64kr5fp1c2sgbjbx4-gnutls-3.6.2-man
checking for references to /build in /nix/store/9xy64blm2fyfgzp64kr5fp1c2sgbjbx4-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc...
/nix/store/a6n182qk9vnifknhjz2crbv9r02w8j8v-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 13, 2018

Success on x86_64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/1y7888nqn3397bvipm14wfg0z9h3716c-gnutls-3.6.2-man/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/1y7888nqn3397bvipm14wfg0z9h3716c-gnutls-3.6.2-man
checking for references to /build in /nix/store/1y7888nqn3397bvipm14wfg0z9h3716c-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc...
/nix/store/g6w3zrpx0rbx4yn2pg1ff24hgs9rw9hf-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 13, 2018

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: gnutls

Partial log (click to expand)

cannot build derivation '/nix/store/73ppa9k7mqg3gzgckh1ryb95nchbi11v-p11-kit-0.23.14.drv': 5 dependencies couldn't be built
cannot build derivation '/nix/store/4x4q5v337nqhd1b6x09vnkaa0i5vr9f3-bootstrap_cmds-dev-tools-7.0.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/6gyhhmffxc3n3ix3x1wn4s5fqisk7c26-xnu-osx-10.11.6.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/9xa79rfilv70lfgpvd7rvsp5khqhh1kx-IOKit-osx-10.11.6.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/51z57c74fhk499pr7n6bi1ir96ihrcaq-configd-osx-10.8.5.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/0pzdp7frrqjk1511pn1v8ngwrw6y4py2-python-2.7.15.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/na1m677g7g6w2f6kd20p2dhk9x6sadi0-libxml2-2.9.8.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/zvqp35shvl55yj1dfz8wfvm8q6j8z91n-autogen-5.18.12.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/091ayw06d1r5p67v7wbpiqvbmzik1sgg-gnutls-3.5.10.drv': 14 dependencies couldn't be built
error: build of '/nix/store/091ayw06d1r5p67v7wbpiqvbmzik1sgg-gnutls-3.5.10.drv' failed

@lukateras lukateras changed the title gnutls: provide pure cacert path during configure phase gnutls: add SSL_CERT_FILE Oct 17, 2018
@lukateras
Copy link
Member Author

lukateras commented Oct 17, 2018

I've pushed a GnuTLS patch that adds SSL_CERT_FILE environment variable. cc @vcunat

@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. and removed 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. labels Oct 17, 2018
@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 17, 2018

Success on aarch64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/5j7rlm3s0vkxy1gifvl8s3h5ik15plnk-gnutls-3.6.2-man/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/5j7rlm3s0vkxy1gifvl8s3h5ik15plnk-gnutls-3.6.2-man
checking for references to /build in /nix/store/5j7rlm3s0vkxy1gifvl8s3h5ik15plnk-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc...
/nix/store/kdv1v4jpjzjd5ydrndircq2s1dvmhfs8-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 17, 2018

Success on x86_64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/9zs2c9xrnvmzv6m1l2s16jnflkb7zncq-gnutls-3.6.2-man/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/9zs2c9xrnvmzv6m1l2s16jnflkb7zncq-gnutls-3.6.2-man
checking for references to /build in /nix/store/9zs2c9xrnvmzv6m1l2s16jnflkb7zncq-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc...
/nix/store/jjpsckz9d1q4s7qr12qh7fx9gjbfawlr-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

GrahamcOfBorg commented Oct 17, 2018

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: gnutls

Partial log (click to expand)

cannot build derivation '/nix/store/73ppa9k7mqg3gzgckh1ryb95nchbi11v-p11-kit-0.23.14.drv': 5 dependencies couldn't be built
cannot build derivation '/nix/store/4x4q5v337nqhd1b6x09vnkaa0i5vr9f3-bootstrap_cmds-dev-tools-7.0.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/6gyhhmffxc3n3ix3x1wn4s5fqisk7c26-xnu-osx-10.11.6.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/9xa79rfilv70lfgpvd7rvsp5khqhh1kx-IOKit-osx-10.11.6.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/51z57c74fhk499pr7n6bi1ir96ihrcaq-configd-osx-10.8.5.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/0pzdp7frrqjk1511pn1v8ngwrw6y4py2-python-2.7.15.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/na1m677g7g6w2f6kd20p2dhk9x6sadi0-libxml2-2.9.8.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/zvqp35shvl55yj1dfz8wfvm8q6j8z91n-autogen-5.18.12.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/w7imsq40gv8514sfgs9fi1wxhk99l40s-gnutls-3.5.10.drv': 14 dependencies couldn't be built
error: build of '/nix/store/w7imsq40gv8514sfgs9fi1wxhk99l40s-gnutls-3.5.10.drv' failed

Mic92
Mic92 reviewed Oct 17, 2018
View reviewed changes
pkgs/development/libraries/gnutls/ssl-cert-file.patch
r += ret;
#endif

+ char *env = secure_getenv("SSL_CERT_FILE");
Copy link
Member

@Mic92 Mic92 Oct 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you ask upstream to incorporate this patch? Even if they refuse to merge it, we still get a code review from them.

Copy link
Member Author

@lukateras lukateras Oct 17, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, sure, I'll try. However, to make it upstreamable it should probably be under a configure option.

The patch is trivial though, this chunk looks exactly like DEFAULT_TRUST_STORE_FILE above it, other than secure_getenv call.

Copy link
Member

@timokau timokau Oct 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would it need to be behind a configure option?

Copy link
Member Author

@lukateras lukateras Oct 17, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I gather, upstream has been hostile to including this previously. So I have little faith for it to be included without it being explicitly enabled by a configure flag, if at all.

Copy link
Member

@timokau timokau Oct 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where was this proposed before?

Copy link
Member Author

@lukateras lukateras Oct 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://guix-devel.gnu.narkive.com/aUu3aCUl/patch-gnu-gnutls-configure-location-of-system-wide-trust-store

Copy link
Member

@timokau timokau Oct 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the actual upstream thread where the guix developers talked to gnutls. The gnutls people don't really argue against the patch, they just mention that they think using pkcs11 is a better idea. Not sure if that is applicable for us, if I understand that correctly that needs a central service (hard on non-nixos). But upstream never really said "no that patch is a no-go because...".

Copy link
Member

@Mic92 Mic92 Oct 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes having a service would defeat the motivation we had in the first place.

yorickvP referenced this pull request in serokell/nixpkgs Dec 13, 2018
@lukateras @Lucus16
gnutls: provide pure cacert path during configure phase
e8088d6
@vcunat
Copy link
Member

vcunat commented Apr 22, 2019
edited
Loading

I managed to miss this one (well, I can't remember now anyway). We stumbled into this now due to Darwin, and I implemented a slightly different patch (before noticing this PR):

  • (only) NIX_ variable is used, just as we now add it for openssl (that also rules out the question of upstreaming, I believe)
  • it replaces the default trust store instead of adding another one (just as our openssl patch does)

Let me (tentatively) close in favor of #58611

@vcunat vcunat closed this Apr 22, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mic92 Mic92 Mic92 left review comments

@timokau timokau timokau left review comments

+1 more reviewer

@xeji xeji xeji left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@lukateras @GrahamcOfBorg @timokau @vcunat @Mic92 @xeji