[MacPorts] #52508: gnutls @3.4.15 should rely on p11-kit for trust store
MacPorts
noreply at macports.org
Fri Oct 7 19:57:38 CEST 2016
#52508: gnutls @3.4.15 should rely on p11-kit for trust store
----------------------------------+----------------------
Reporter: leonardo.schenkel@… | Owner: mps@…
Type: defect | Status: reopened
Priority: Normal | Milestone:
Component: ports | Version: 2.3.4
Resolution: | Keywords: haspatch
Port: gnutls |
----------------------------------+----------------------
Comment (by leonardo.schenkel@…):
I found the issue. It was my fault due to an oversight on my part.
The problem is that when explicitly calling `--with-default-trust-store-pkcs11`
without any arguments the configure script sets the value to
`yes`, but later the `gnutls` code uses that value as a URI to initialize
the trust store. `"yes"` being an invalid URI would cause no existing
module to match and the trust store was initialized as empty.
The correct way is to pass `--with-default-trust-store-pkcs11=pkcs11:` to
the configure script which means that all available p11-kit modules
(marked with `trust-policy: yes`) will match. By default that will at
least contain `p11-kit-trust`, which in MacPorts is configured to use the
`curl-ca-bundle`.
I have tested this locally with `gnutls-cli` and `wget` and `curl` (with
`+gnutls`) against the reported site and a number of other sites and
everything works correctly now.
I'm updating the patch with the fix and I apologize once more for the
inconvenience. Next time I'll be more careful and test more thoroughly.
--
Ticket URL: <https://trac.macports.org/ticket/52508#comment:10>
MacPorts <https://www.macports.org/>
Ports system for the Mac operating system
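
The following is an added example, not part of the ticket or the port's patch: a lint for a configure argument list that catches the bare flag described above. It relies on standard Autoconf behaviour (`--with-X` with no value yields `yes`, `--without-X` yields `no`); the function names and sample argument lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint configure arguments for the GnuTLS PKCS#11
# trust-store option discussed in the ticket. Function names are hypothetical.

OPT=default-trust-store-pkcs11

# Print the value configure would end up with for the option.
# Autoconf: "--with-X" alone gives "yes", "--without-X" gives "no".
# The last occurrence on the command line wins.
effective_trust_store() {
    val=unset
    for arg in "$@"; do
        case $arg in
            --with-$OPT=*)  val=${arg#*=} ;;
            --with-$OPT)    val=yes ;;
            --without-$OPT) val=no ;;
        esac
    done
    printf '%s\n' "$val"
}

# Return 0 if the value is a pkcs11: URI, 1 if the option is absent or
# disabled, 2 if it is set to something that is not a pkcs11: URI
# (the case from the ticket, where "yes" matched no module).
check_trust_store() {
    val=$(effective_trust_store "$@")
    case $val in
        pkcs11:*)
            echo "ok: trust store URI is '$val'"
            return 0 ;;
        unset|no)
            echo "note: PKCS#11 trust store not enabled ($val)"
            return 1 ;;
        *)
            echo "error: '$val' is not a pkcs11: URI" >&2
            return 2 ;;
    esac
}

# Constructed sample argument lists: the bare flag, then the corrected form.
check_trust_store --prefix=/opt/local --with-default-trust-store-pkcs11 || true
check_trust_store --prefix=/opt/local --with-default-trust-store-pkcs11=pkcs11: || true
```

A non-zero status of 2 is the one worth failing a build on, since the option is enabled but its value cannot select any module.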