Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates

Andras Korn korn-debbugs at elan.rulez.org
Tue Jan 12 17:27:25 GMT 2021


Package: libgnutls30
Version: 3.7.0-3
Severity: wishlist

Hi,

I was just bitten by https://github.com/SSSD/sssd/issues/5444.

Briefly:

 * sssd relies on libldap to query LDAP servers.
 * libldap can be linked against libssl (openssl) or gnutls for SSL/TLS support.
 * libssl supports an ldap_tls_cacertdir option; you can point it to /etc/ssl/certs and it'll trust all CA certificates that are in this directory.
 * gnutls doesn't have this cacertdir mechanism and needs `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` instead.
 * my sssd.conf only had ldap_tls_cacertdir, not ldap_tls_cacert; thus, gnutls didn't know which CA certificates to trust and failed to validate my LDAP server certificates.
 * The root cause of the problem only became visible after enabling LDAP library debugging in sssd.conf.

I think I shouldn't need to specify `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since this is the default location of trusted CA certificates in Debian. Configuration should only be necessary for non-default setups.

Best regards,

András

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (350, 'unstable'), (350, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Init: runit (via /run/runit.stopit)

-- no debconf information
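A check for the misconfiguration the report describes (a domain that sets ldap_tls_cacertdir but not ldap_tls_cacert, which leaves a GnuTLS-linked libldap without trust anchors), added here as an example; it is not part of the bug report, sssd or libldap. The sssd.conf text is constructed for the example, and the bundle path is the Debian default named in the report.

```python
import configparser

# Debian's default CA bundle, as named in the report above.
DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample sssd.conf reproducing the reported misconfiguration:
# ldap_tls_cacertdir is set, ldap_tls_cacert is not.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_tls_cacertdir = /etc/ssl/certs
"""


def find_cacertdir_only_domains(conf_text):
    """Return the [domain/...] sections that set ldap_tls_cacertdir without
    ldap_tls_cacert. With a GnuTLS-linked libldap such a domain has no trust
    anchors, so every LDAP server certificate fails validation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [s for s in parser.sections()
            if s.startswith("domain/")
            and parser.has_option(s, "ldap_tls_cacertdir")
            and not parser.has_option(s, "ldap_tls_cacert")]


def add_cacert(conf_text, bundle=DEFAULT_CA_BUNDLE):
    """Append `ldap_tls_cacert = <bundle>` to each affected section, leaving
    every existing line (including ldap_tls_cacertdir) untouched."""
    affected = set(find_cacertdir_only_domains(conf_text))
    out, current = [], None

    def finish_section():
        if current in affected:
            trailing = []  # keep the blank lines that separate sections
            while out and not out[-1].strip():
                trailing.append(out.pop())
            out.append(f"ldap_tls_cacert = {bundle}")
            out.extend(trailing)

    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            finish_section()
            current = stripped[1:-1]
        out.append(line)
    finish_section()
    return "\n".join(out) + "\n"
```

Running `add_cacert` on an already-fixed file is a no-op, so it is safe to use repeatedly.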
