Bug#921609: gnutls28 does not build with pkcs11 support, breaks certificate pinning in glib-networking and libgcr
Michael Gratton
mike at vee.net
Thu Feb 7 07:20:49 GMT 2019
Package: gnutls28
Version: 3.6.6-2
Currently, gnutls28 is built with the following CONFIGUREARGS[0]:
> --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
This breaks a number of things, including pinning certificates with
libgcr and having that respected by glib-networking[1] (requiring
applications such as Geary to implement non-trivial workarounds[2] to
make this work on Debian systems) and using GnuTLS and GIO with things
like smart cards and other PKCS11 components.
Per [1], please consider not building with
`--with-default-trust-store-file` and build with
`--with-default-trust-store-pkcs11="pkcs11:"` instead.
Cheers,
//Mike
[0] - <https://salsa.debian.org/gnutls-team/gnutls/blob/master/debian/rules#L30>
[1] - <https://gitlab.gnome.org/GNOME/gcr/issues/12#note_422793>
[2] - <https://gitlab.gnome.org/GNOME/geary/merge_requests/80>
--
⊨ Michael Gratton, Percept Wrangler.
⚙ <http://mjog.vee.net/>