Hi Adrian,

On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote:
> > Since version 2.60 the glib-networking TLS database relies on
> > GnuTLS's system trust store, so not enabling it leads to TLS errors
> > in applications depending on glib-networking. The raised runtime
> > warning is:
> >
> > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS
> > database: Failed to load system trust store: GnuTLS was not
> > configured with a system trust
> > (app:490): ... TLS Error: TLS certificate has unknown CA.
> > ...
>
> Two questions:
>
> 1. Is this a valid pkcs11 URI?
>
> AC_ARG_WITH([default-trust-store-pkcs11],
>   [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
>     [use the given pkcs11 uri as default trust store])])
>
Yes, I believe so. I simply used the same option as in the Freedesktop
Flatpak SDK:
https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/elements/components/gnutls.bst

> 2. Wouldn't the more common case be to use the ca-certificates
> package instead of PKCS #11?
>

I don't know why glib-networking needs to go through gnutls, which then
needs to query p11-kit. I suppose p11-kit could be used directly, but
this is not my call to make. For reference, this is the relevant
glib-networking commit:
https://gitlab.gnome.org/GNOME/glib-networking/commit/f1c8feee014007cc913b71357acb609f8d1200df

Anyway, in my local config I had this:

PACKAGECONFIG_append_pn-gnutls = " p11-kit pkcs11-trust-store"
PACKAGECONFIG_append_pn-p11-kit = " trust-paths"

Without those I would still get TLS errors at runtime. So these 3
options would need to be enabled by default; I'll send a follow-up
patch series.

Philippe

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
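As an added example (not part of the thread or of any OpenEmbedded tool), the following script checks a bitbake configuration fragment for the three PACKAGECONFIG flags the message above says are needed before glib-networking 2.60 can load a system trust store. It assumes the recipe names `gnutls` and `p11-kit` as written in the message, accepts both the `_append`/`_pn-` and the newer `:append`/`:pn-` override syntax, and uses a constructed `local.conf` fragment as input.

```python
import re
from collections import defaultdict

# Flags the thread above says must be enabled so GnuTLS is built with a
# PKCS#11 system trust and p11-kit exposes the trust paths (recipe names
# assumed to be "gnutls" and "p11-kit" as in the message).
REQUIRED_FLAGS = {
    "gnutls": {"p11-kit", "pkcs11-trust-store"},
    "p11-kit": {"trust-paths"},
}

# Matches e.g.  PACKAGECONFIG_append_pn-gnutls = " a b"  or
#               PACKAGECONFIG:pn-p11-kit += "trust-paths"
ASSIGN_RE = re.compile(
    r'^\s*PACKAGECONFIG(?P<append>[_:]append)?[_:]pn-(?P<recipe>[\w.+-]+)'
    r'\s*(?P<op>\+=|=\+|\.=|=\.|=)\s*"(?P<val>[^"]*)"'
)


def parse_packageconfig(conf_text):
    """Return {recipe: set(flags)} for per-recipe PACKAGECONFIG lines."""
    flags = defaultdict(set)
    for line in conf_text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        recipe = m.group("recipe")
        values = set(m.group("val").split())
        # A plain "=" without _append/:append overwrites earlier values;
        # every other operator here accumulates them.
        if m.group("op") == "=" and not m.group("append"):
            flags[recipe] = values
        else:
            flags[recipe] |= values
    return flags


def missing_trust_store_flags(conf_text):
    """Return {recipe: [missing flags]} for recipes lacking required flags."""
    present = parse_packageconfig(conf_text)
    missing = {}
    for recipe, needed in REQUIRED_FLAGS.items():
        gap = sorted(needed - present.get(recipe, set()))
        if gap:
            missing[recipe] = gap
    return missing


# Constructed local.conf fragment used as sample input for this example.
SAMPLE_LOCAL_CONF = """\
MACHINE = "qemux86-64"
PACKAGECONFIG_append_pn-gnutls = " p11-kit pkcs11-trust-store"
PACKAGECONFIG:pn-p11-kit += "trust-paths"
"""

if __name__ == "__main__":
    print(missing_trust_store_flags(SAMPLE_LOCAL_CONF) or "all trust-store flags present")
```

An empty result means the fragment carries all three flags; otherwise the returned dict names each recipe and the flags it still lacks.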