Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gnutls: add SSL_CERT_FILE #48317

Closed
wants to merge 1 commit into from
Closed

gnutls: add SSL_CERT_FILE #48317

wants to merge 1 commit into from

Conversation

lukateras
Copy link
Member

Motivation for this change

At the moment, GnuTLS programs from Nixpkgs will not always work on non-NixOS systems. This patch resolves the issue by providing pure cacert at configure time.

GnuTLS doesn't have an equivalent of SSL_CERT_FILE, it would be nice to patch that in.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: gnutls

Partial log (click to expand)

these paths will be fetched (0.49 MiB download, 1.72 MiB unpacked):
  /nix/store/alq7xnv8vdyrwar2chfavgjiy7zs3hb3-autogen-5.18.12-lib
  /nix/store/r5ngi6gjmrnnigpfzwrnzmryd2v3sfqk-autogen-5.18.12
  /nix/store/rrir3anfxcm7kgdrjdxnb7hfqrf9sh7q-gnutls-3.5.10-bin
copying path '/nix/store/r5ngi6gjmrnnigpfzwrnzmryd2v3sfqk-autogen-5.18.12' from 'https://cache.nixos.org'...
copying path '/nix/store/alq7xnv8vdyrwar2chfavgjiy7zs3hb3-autogen-5.18.12-lib' from 'https://cache.nixos.org'...
copying path '/nix/store/rrir3anfxcm7kgdrjdxnb7hfqrf9sh7q-gnutls-3.5.10-bin' from 'https://cache.nixos.org'...
/nix/store/rrir3anfxcm7kgdrjdxnb7hfqrf9sh7q-gnutls-3.5.10-bin

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/3q3zkvmh4i5pdx3rnqcpfmwnk8wqbpv5-gnutls-3.6.2-man/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/3q3zkvmh4i5pdx3rnqcpfmwnk8wqbpv5-gnutls-3.6.2-man
checking for references to /build in /nix/store/3q3zkvmh4i5pdx3rnqcpfmwnk8wqbpv5-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/hk3znpffhpqxh5w9ml7qvcfmrbm72s2k-gnutls-3.6.2-devdoc...
/nix/store/wlrkinjqqjzyi130y0474xy64ph4flva-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/la2r4kkn34dxxkmjy4n87f491r51lqkd-gnutls-3.6.2-man/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/la2r4kkn34dxxkmjy4n87f491r51lqkd-gnutls-3.6.2-man
checking for references to /build in /nix/store/la2r4kkn34dxxkmjy4n87f491r51lqkd-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/fka8y3gbizijyn7v9wn5yzx8nfkxwnpx-gnutls-3.6.2-devdoc...
/nix/store/56r2zapbr6baplk2k5jw4dj5c6bficak-gnutls-3.6.2-bin

Mic92
Mic92 reviewed Oct 13, 2018
View reviewed changes
pkgs/development/libraries/gnutls/generic.nix Outdated
@@ -30,7 +30,7 @@ stdenv.mkDerivation {

preConfigure = "patchShebangs .";
configureFlags =
lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
lib.optional stdenv.isLinux "--with-default-trust-store-file=${cacert}/etc/ssl/certs/ca-bundle.crt"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this still allows to override the certificate store?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it does not allow to override the cert store. As far as I understand, the only way to make this happen is to patch in SSL_CERT_FILE support into GnuTLS.

Copy link
Contributor

@xeji xeji Oct 13, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't feel comfortable with this solution. Yes, it's guaranteed to work on any system. But it kills any flexibility to add custom certs and makes GnuTLS unusable in environments that require them (unless you want to override cacert).

Unless we want to patch GnuTLS, I would suggest to leave it as is and document that GnuTLS expects the certs in /etc/ssl/certs/ca-certificates-crt, so on non-NixOS systems the user should copy or symlink the cert bundle there. Of course that requires root access...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, I will patch GnuTLS then.

@timokau
Copy link
Member

timokau commented Oct 13, 2018

This should target staging.

@lukateras lukateras changed the base branch from master to staging October 13, 2018 14:43
@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/9xy64blm2fyfgzp64kr5fp1c2sgbjbx4-gnutls-3.6.2-man/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/9xy64blm2fyfgzp64kr5fp1c2sgbjbx4-gnutls-3.6.2-man
checking for references to /build in /nix/store/9xy64blm2fyfgzp64kr5fp1c2sgbjbx4-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/cij67z7g5w1qisp0jyq19l2xlzqyr1x7-gnutls-3.6.2-devdoc...
/nix/store/a6n182qk9vnifknhjz2crbv9r02w8j8v-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/1y7888nqn3397bvipm14wfg0z9h3716c-gnutls-3.6.2-man/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/1y7888nqn3397bvipm14wfg0z9h3716c-gnutls-3.6.2-man
checking for references to /build in /nix/store/1y7888nqn3397bvipm14wfg0z9h3716c-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/mkay7a6ljcvkwli4jgq6in52bq8vd4m6-gnutls-3.6.2-devdoc...
/nix/store/g6w3zrpx0rbx4yn2pg1ff24hgs9rw9hf-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: gnutls

Partial log (click to expand)

cannot build derivation '/nix/store/73ppa9k7mqg3gzgckh1ryb95nchbi11v-p11-kit-0.23.14.drv': 5 dependencies couldn't be built
cannot build derivation '/nix/store/4x4q5v337nqhd1b6x09vnkaa0i5vr9f3-bootstrap_cmds-dev-tools-7.0.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/6gyhhmffxc3n3ix3x1wn4s5fqisk7c26-xnu-osx-10.11.6.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/9xa79rfilv70lfgpvd7rvsp5khqhh1kx-IOKit-osx-10.11.6.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/51z57c74fhk499pr7n6bi1ir96ihrcaq-configd-osx-10.8.5.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/0pzdp7frrqjk1511pn1v8ngwrw6y4py2-python-2.7.15.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/na1m677g7g6w2f6kd20p2dhk9x6sadi0-libxml2-2.9.8.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/zvqp35shvl55yj1dfz8wfvm8q6j8z91n-autogen-5.18.12.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/091ayw06d1r5p67v7wbpiqvbmzik1sgg-gnutls-3.5.10.drv': 14 dependencies couldn't be built
error: build of '/nix/store/091ayw06d1r5p67v7wbpiqvbmzik1sgg-gnutls-3.5.10.drv' failed

@lukateras lukateras changed the title gnutls: provide pure cacert path during configure phase gnutls: add SSL_CERT_FILE Oct 17, 2018
@lukateras
Copy link
Member Author

I've pushed a GnuTLS patch that adds SSL_CERT_FILE environment variable. cc @vcunat

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/5j7rlm3s0vkxy1gifvl8s3h5ik15plnk-gnutls-3.6.2-man/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/5j7rlm3s0vkxy1gifvl8s3h5ik15plnk-gnutls-3.6.2-man
checking for references to /build in /nix/store/5j7rlm3s0vkxy1gifvl8s3h5ik15plnk-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/85g58j33sqh3wlhxqcghnir6kkvvzhdy-gnutls-3.6.2-devdoc...
/nix/store/kdv1v4jpjzjd5ydrndircq2s1dvmhfs8-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnutls

Partial log (click to expand)

gzipping man pages under /nix/store/9zs2c9xrnvmzv6m1l2s16jnflkb7zncq-gnutls-3.6.2-man/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/9zs2c9xrnvmzv6m1l2s16jnflkb7zncq-gnutls-3.6.2-man
checking for references to /build in /nix/store/9zs2c9xrnvmzv6m1l2s16jnflkb7zncq-gnutls-3.6.2-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc
gzipping man pages under /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc
checking for references to /build in /nix/store/35z25yx9cgy946ljjvr3l85k9gkcfs8b-gnutls-3.6.2-devdoc...
/nix/store/jjpsckz9d1q4s7qr12qh7fx9gjbfawlr-gnutls-3.6.2-bin

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: gnutls

Partial log (click to expand)

cannot build derivation '/nix/store/73ppa9k7mqg3gzgckh1ryb95nchbi11v-p11-kit-0.23.14.drv': 5 dependencies couldn't be built
cannot build derivation '/nix/store/4x4q5v337nqhd1b6x09vnkaa0i5vr9f3-bootstrap_cmds-dev-tools-7.0.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/6gyhhmffxc3n3ix3x1wn4s5fqisk7c26-xnu-osx-10.11.6.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/9xa79rfilv70lfgpvd7rvsp5khqhh1kx-IOKit-osx-10.11.6.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/51z57c74fhk499pr7n6bi1ir96ihrcaq-configd-osx-10.8.5.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/0pzdp7frrqjk1511pn1v8ngwrw6y4py2-python-2.7.15.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/na1m677g7g6w2f6kd20p2dhk9x6sadi0-libxml2-2.9.8.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/zvqp35shvl55yj1dfz8wfvm8q6j8z91n-autogen-5.18.12.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/w7imsq40gv8514sfgs9fi1wxhk99l40s-gnutls-3.5.10.drv': 14 dependencies couldn't be built
error: build of '/nix/store/w7imsq40gv8514sfgs9fi1wxhk99l40s-gnutls-3.5.10.drv' failed

Mic92
Mic92 reviewed Oct 17, 2018
View reviewed changes
pkgs/development/libraries/gnutls/ssl-cert-file.patch
r += ret;
#endif

+ char *env = secure_getenv("SSL_CERT_FILE");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you ask upstream to incorporate this patch? Even if they refuse to merge it, we still get a code review from them.

Copy link
Member Author

@lukateras lukateras Oct 17, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, sure, I'll try. However, to make it upstreamable it should probably be under a configure option.

The patch is trivial though, this chunk looks exactly like DEFAULT_TRUST_STORE_FILE above it, other than secure_getenv call.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would it need to be behind a configure option?

Copy link
Member Author

@lukateras lukateras Oct 17, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I gather, upstream has been hostile to including this previously. So I have little faith for it to be included without it being explicitly enabled by a configure flag, if at all.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where was this proposed before?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://guix-devel.gnu.narkive.com/aUu3aCUl/patch-gnu-gnutls-configure-location-of-system-wide-trust-store

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the actual upstream thread where the guix developers talked to gnutls. The gnutls people don't really argue against the patch, they just mention that they think using pkcs11 is a better idea. Not sure if that is applicable for us, if I understand that correctly that needs a central service (hard on non-nixos). But upstream never really said "no that patch is a no-go because...".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes having a service would defeat the motivation we had in the first place.

yorickvP referenced this pull request in serokell/nixpkgs Dec 13, 2018
@lukateras @Lucus16
gnutls: provide pure cacert path during configure phase
e8088d6
@vcunat
Copy link
Member

vcunat commented Apr 22, 2019
edited

I managed to miss this one (well, I can't remember now anyway). We stumbled into this now due to Darwin, and I implemented a slightly different patch (before noticing this PR):

  • (only) NIX_ variable is used, just as we now add it for openssl (that also rules out the question of upstreaming, I believe)
  • it replaces the default trust store instead of adding another one (just as our openssl patch does)

Let me (tentatively) close in favor of #58611

@vcunat vcunat closed this Apr 22, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

@timokau timokau timokau left review comments

@xeji xeji xeji left review comments

Assignees
No one assigned
Labels
10.rebuild-darwin: 501+ 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@lukateras @GrahamcOfBorg @timokau @vcunat @Mic92 @xeji