I might be oversimplifying but couldn't I get away with simply doing a symlink? Something like this?

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Worked when I tested. I'd hate to have you guys have to be burdened with extra code on my account when the blame should rest on the dated gnutls28 library in the repos, which should be resolved when 12.10 hits.

-----Original Message-----
From: Mike Miller [mailto:mike.t.miller at gmail.com] On Behalf Of Mike Miller
Sent: Thursday, July 19, 2012 1:11 AM
To: David Woodhouse
Cc: Mcclelland, Michael B Mr CTR USN USA; openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Wed, Jul 18, 2012 at 09:43:38PM +0100, David Woodhouse wrote:
> Newer versions of GnuTLS (3.0.20+) have a function which adds the
> "system" trust file, gnutls_certificate_set_x509_system_trust(). But
> your GnuTLS is older than that, so the OpenConnect code just falls
> back to adding /etc/pki/tls/certs/ca-bundle.crt manually. And that
> isn't where it is on your distribution.
>
> I suppose we ought to add some magic in the configure script to *find*
> the file in the appropriate location. In the meantime, Mike may wish
> to patch it to change the hard-coded location. Sorry, I knew that was
> wrong when I did it, but it was part of the *first* commit adding
> GnuTLS support (which didn't actually use it to do any verification
> yet anyway) and I meant to come back to revisit it... but forgot.

Good catch both of you, I'll fix my Debian and Ubuntu builds to use the correct ca-certificates path.

So how about something like this for the configure script? Could probably use some polishing but I think it's functionally correct.

>From a460a7672f6a011b54e5ffc60bc8372ed9a43d0e Mon Sep 17 00:00:00 2001
From: Mike Miller <mtmiller at ieee.org> Date: Thu, 19 Jul 2012 00:47:32 -0400 Subject: [PATCH] Check for system CA certificate file for GnuTLS Look in certain well-known system paths for the default file to give to gnutls_certificate_set_x509_trust_file() if required. Auto-detection is based on the GnuTLS configure script. Signed-off-by: Mike Miller <mtmiller at ieee.org> --- configure.ac | 32 ++++++++++++++++++++++++++++++++ gnutls.c | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index c067276..30ed5c8 100644 --- a/configure.ac +++ b/configure.ac @@ -179,6 +179,10 @@ if test "$USE_NLS" = "yes"; then fi AM_CONDITIONAL(USE_NLS, [test "$USE_NLS" = "yes"]) +AC_ARG_WITH([system-cafile], + AS_HELP_STRING([--with-system-cafile], + [Location of the default system CA certificate file])) + # We will use GnuTLS if it's requested, and if GnuTLS doesn't have DTLS # support then we'll *also* use OpenSSL for that, but it appears *only* # only in the openconnect executable and not the library (hence shouldn't 
@@ -209,6 +213,34 @@ if test "$with_gnutls" = "yes"; then [AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1)], []) AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust, [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], []) + if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" != "yes"; then + # We will need to tell GnuTLS the path to the system CA file. + if test "$with_system_cafile" = "yes" || test "$with_system_cafile" = ""; then + # Auto-detect path to the system CA file, based on GnuTLS. + with_system_cafile= + for i in \ + /etc/ssl/certs/ca-certificates.crt \ + /etc/pki/tls/cert.pem \ + /usr/local/share/certs/ca-root-nss.crt + do + if test -e $i; then + with_system_cafile="$i" + break + fi + done + elif test "$with_system_cafile" = "no"; then + AC_MSG_ERROR([You cannot disable the system CA certificate file.]) + fi + if test "$with_system_cafile" = ""; then + AC_MSG_ERROR([Unable to find a standard system CA certificate file.] + [Your GnuTLS requires a path to a CA certificate store. Most distributions] + [ship with a CA certificate file in a standard location. None of the known] + [standard locations exist on your system. You should provide a] + [--with-system-cafile= argument to this configure script, giving the full] + [path to a default CA certificate file for GnuTLS to use.]) + fi + AC_DEFINE_UNQUOTED([DEFAULT_SYSTEM_CAFILE], ["$with_system_cafile"]) + fi AC_CHECK_FUNC(gnutls_pkcs12_simple_parse, [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], []) AC_CHECK_FUNC(gnutls_certificate_set_key, diff --git a/gnutls.c b/gnutls.c index 42f709a..d9e550d 100644 --- a/gnutls.c +++ b/gnutls.c 
@@ -1751,7 +1751,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo) gnutls_certificate_set_x509_system_trust(vpninfo->https_cred); #else gnutls_certificate_set_x509_trust_file(vpninfo->https_cred, - "/etc/pki/tls/certs/ca-bundle.crt", + DEFAULT_SYSTEM_CAFILE, GNUTLS_X509_FMT_PEM); #endif gnutls_certificate_set_verify_function (vpninfo->https_cred, -- 1.7.10.4
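Review bot: the AS_HELP_STRING in the new AC_ARG_WITH([system-cafile]) block documents neither the default nor the accepted values, so `./configure --help` will not tell a user that omitting the option (or passing `--with-system-cafile=yes`) auto-detects the file, that `--with-system-cafile=no` is rejected, or that the option is only consulted when GnuTLS lacks gnutls_certificate_set_x509_system_trust(). Suggest `[Location of the default system CA certificate file (default: auto-detect; only used when GnuTLS has no system trust support)]`.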
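Review bot: in the second configure.ac hunk an explicitly supplied `--with-system-cafile=/path` falls through to the AC_DEFINE_UNQUOTED without any check that the file exists, while the auto-detected candidates are probed with `test -e`; a typo in the path therefore only surfaces at runtime as every server certificate failing to verify. Suggest `test -e "$with_system_cafile" || AC_MSG_WARN([$with_system_cafile does not exist])` before the define. Two smaller points: the candidate list drops `/etc/pki/tls/certs/ca-bundle.crt`, the path the old gnutls.c hard-coded, so keeping it as the last fallback avoids a regression on systems that only have that file; and `test -e` inspects the build host, which gives the wrong answer when cross-compiling, where the override effectively becomes mandatory and the help text should say so.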
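Review bot: the return value of gnutls_certificate_set_x509_trust_file() is still discarded in the #else branch, and with DEFAULT_SYSTEM_CAFILE now chosen on the build machine that matters more than before. The function returns the number of certificates loaded, or a negative error code when the file cannot be read (for example because the path found at configure time does not exist on the machine running openconnect), and 0 when it is readable but holds no certificates; in both cases https_cred ends up with an empty trust store and every server certificate fails verification with no hint as to why. Suggest storing the result in an `int` and, when it is <= 0, reporting the path and the error through the logging helper this file uses elsewhere (vpn_progress(), assuming that is the usual one) so the failure is diagnosable.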
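An added example, not part of this thread or of the openconnect patch above: a POSIX shell version of the lookup the configure hunk performs, extended with the checks a reviewer would want. It assumes the patch's three candidate paths plus the old hard-coded /etc/pki/tls/certs/ca-bundle.crt, follows symlinks (so a bundle placed with `ln -s` as suggested at the top of this message is accepted), and, unlike a bare `test -e`, only accepts a file that is readable and actually contains at least one PEM certificate block. The override semantics mirror the patch: empty or `yes` auto-detects, `no` is refused, and an explicit path is validated rather than taken on trust. The names find_system_cafile, is_usable_cafile, count_pem_certs and CAFILE_CANDIDATES are my own.

```shell
#!/bin/sh
# Added example (not openconnect code): locate and validate a system CA bundle
# the way a configure script would, but with stronger checks than `test -e`.

# Candidate paths: the three from the patch plus the old hard-coded one.
# A caller may override the list by setting CAFILE_CANDIDATES (whitespace-
# separated) before calling find_system_cafile.
CAFILE_CANDIDATES="${CAFILE_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem
/etc/pki/tls/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt}"

# Print the number of PEM certificate blocks in a file (0 if not a readable file).
count_pem_certs() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0, drop the status.
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Succeed only if the path is a readable regular file (symlinks are followed,
# dangling ones fail) holding at least one certificate.
is_usable_cafile() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -r "$f" ] || return 1
    n=$(count_pem_certs "$f")
    [ "$n" -gt 0 ]
}

# find_system_cafile [override]
#   ""/"yes"  : auto-detect, printing the first usable candidate
#   "no"      : refused, the CA file cannot be disabled
#   /a/path   : accepted only if it passes the same validation
find_system_cafile() {
    override="$1"
    case "$override" in
        ""|yes)
            for f in $CAFILE_CANDIDATES; do
                if is_usable_cafile "$f"; then
                    printf '%s\n' "$f"
                    return 0
                fi
            done
            echo "error: no usable system CA bundle found; pass a path explicitly" >&2
            return 1 ;;
        no)
            echo "error: the system CA certificate file cannot be disabled" >&2
            return 2 ;;
        *)
            if is_usable_cafile "$override"; then
                printf '%s\n' "$override"
                return 0
            fi
            echo "error: $override is not a readable PEM CA bundle" >&2
            return 1 ;;
    esac
}

# Stand-alone use: ./find_cafile.sh [override]; with no argument the script
# only defines the functions so it can be sourced from another script.
if [ $# -gt 0 ]; then
    find_system_cafile "$1"
fi
```

The validation deliberately counts certificate blocks rather than trusting existence: an empty or truncated bundle passes `test -e` and then silently produces a trust store that rejects every server, which is exactly the failure the ignored return value in gnutls.c would hide.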