Bug#921609: gnutls28 does not build with pkcs11 support, breaks certificate pinning in glib-networking and libgcr

Michael Gratton mike at vee.net
Thu Feb 7 07:20:49 GMT 2019


Package: gnutls28
Version: 3.6.6-2

Currently, gnutls28 is built with the following CONFIGUREARGS[0]:

 >  --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \

This breaks a number of things, including pinning certificates with 
libgcr and having that respected by glib-networking[1] (requiring 
applications such as Geary to implement non-trivial workarounds[2] to 
make this work on Debian systems) and using GnuTLS and GIO with things 
like smart cards and other PKCS11 components.

Per [1], please consider not building with 
`--with-default-trust-store-file` and building with 
`--with-default-trust-store-pkcs11="pkcs11:"` instead.

Cheers,
//Mike


[0] - <https://salsa.debian.org/gnutls-team/gnutls/blob/master/debian/rules#L30>
[1] - <https://gitlab.gnome.org/GNOME/gcr/issues/12#note_422793>
[2] - <https://gitlab.gnome.org/GNOME/geary/merge_requests/80>

-- 
⊨ Michael Gratton, Percept Wrangler.
⚙ <http://mjog.vee.net/>
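An added example, not part of the report above nor of the Debian packaging: a small POSIX sh check that classifies which default trust-store backend a GnuTLS build will get from its ./configure arguments, and rewrites the file option into the PKCS#11 one the report asks for. The sample argument string is constructed here from the line quoted in the report; the two configure option names are the ones the report itself mentions.

```shell
#!/bin/sh
# Added example (not from the bug report or from debian/rules): inspect the
# ./configure arguments of a GnuTLS build and report whether the default
# trust store is a static CA bundle file or the p11-kit PKCS#11 trust module.
# Assumes the two GnuTLS configure options named in the report:
#   --with-default-trust-store-file=PATH   (static bundle, no PKCS#11 objects)
#   --with-default-trust-store-pkcs11=URI  (trust module; "pkcs11:" = all tokens)

# Constructed sample of the relevant debian/rules lines, as quoted in the
# report (not a copy of the real file).
SAMPLE_FILE_ARGS='--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
  --enable-ktls'

# trust_store_mode ARGS -> prints "file", "pkcs11", "both" or "none".
# "file" is the configuration the report says breaks gcr pinning.
trust_store_mode() {
    f=0; p=0
    printf '%s\n' "$1" | grep -q -- '--with-default-trust-store-file=' && f=1
    printf '%s\n' "$1" | grep -q -- '--with-default-trust-store-pkcs11=' && p=1
    case "$f$p" in
        10) echo file ;;
        01) echo pkcs11 ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# prefer_pkcs11 ARGS -> prints ARGS with the file option replaced by the
# PKCS#11 option using the catch-all URI "pkcs11:", as the report proposes.
prefer_pkcs11() {
    printf '%s\n' "$1" | sed \
        -e 's#--with-default-trust-store-file=[^ \\]*#--with-default-trust-store-pkcs11="pkcs11:"#'
}

# Stand-alone usage: report the sample's mode, then the rewritten arguments.
echo "current mode: $(trust_store_mode "$SAMPLE_FILE_ARGS")"
echo "proposed configure arguments:"
prefer_pkcs11 "$SAMPLE_FILE_ARGS"
```

To apply it to a real package, feed the function the value of CONFIGUREARGS from debian/rules; a result of "file" means applications relying on gcr or a smart card through GIO will not see their PKCS#11 trust anchors, which is the situation the report describes.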