how to make gnutls trust p11-kit's ca-anchors?

Ludwig Nussel ludwig.nussel at suse.de
Thu Jul 4 09:06:58 PDT 2013


David Woodhouse wrote:
> On Thu, 2013-07-04 at 15:55 +0200, Stef Walter wrote:
>> On 04.07.2013 14:57, Ludwig Nussel wrote:
>>> I'm currently wiring up p11-kit in openSUSE. One thing I'm currently
>>> struggling with is gnutls. The package is built in a way that makes
>>> p11-kit appear out of the box, i.e. p11tool --list-all has all root
>>> certificates. How can I make gnutls use them as trust anchors though?
>>> I.e. what is the correct URL to pass to e.g. gnutls-cli --x509cafile?
>>> Maybe it doesn't work right away because 'p11tool --list-all-trusted'
>>> doesn't list the certs as trusted?
>>
>> Hmmm, Nikos might know off hand, but I'll test it and report back.
>>
>> I know the code to load certificate anchors from the trust module
>> directly is recent. For example, Fedora is not relying on that
>> feature yet, and instead extracts a bundle for gnutls to use. But I
>> hope to change that soon.
>
> Note that GnuTLS didn't automatically detect the OpenSUSE bundle
> in /etc/ssl/ca-bundle.pem until fairly recently (commit 35341565 in
> master). Is that the problem?

No :-) Gnutls on openSUSE has a patch that reads /etc/ssl/certs instead
(patch was rejected upstream). Until a few releases ago we didn't have a
bundle at all. With the introduction of p11-kit I now see the chance to
deprecate both the bundle as well as the directory. So I wanted gnutls to
just talk to p11-kit directly.

cu
Ludwig

-- 
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
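Added example (not code from Ludwig, Stef, David, GnuTLS or p11-kit): a small POSIX shell script that checks the two things the question turns on, namely whether the trust module reports any objects as trusted (the 'p11tool --list-all-trusted' hypothesis) and whether gnutls-cli accepts a PKCS#11 URL as --x509cafile, with the extracted-bundle approach Stef describes for Fedora as the fallback. It assumes that a bare "pkcs11:" URL makes GnuTLS search every token p11-kit exposes, that p11tool, gnutls-cli and the p11-kit 'trust' tool are installed for the live checks, and that 'trust extract' takes the --filter, --format, --purpose and --overwrite options; the p11tool output embedded in the script is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posters, GnuTLS or
# p11-kit). It checks whether GnuTLS can be pointed at the p11-kit trust
# module directly, and otherwise falls back to an extracted PEM bundle.
#
# Assumptions: p11tool, gnutls-cli and p11-kit's 'trust' tool are on PATH
# for the live checks; GnuTLS accepts a PKCS#11 URL for --x509cafile and a
# bare "pkcs11:" URL selects every token that p11-kit exposes.

# URL to hand to --x509cafile. Override with a module- or token-specific
# URL (as printed by 'p11tool --list-tokens') to narrow the search.
P11_TRUST_URL="${P11_TRUST_URL:-pkcs11:}"

# Constructed sample in the shape of 'p11tool --list-all-trusted' output;
# not captured from a real system.
SAMPLE_P11_OUTPUT='Object 0:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;token=System%20Trust;object=Example%20Root%20CA;type=cert
        Type: X.509 Certificate
        Label: Example Root CA
Object 1:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;token=System%20Trust;object=Example%20Root%20CA%202;type=cert
        Type: X.509 Certificate
        Label: Example Root CA 2
'

# Count the "Object N:" records in p11tool output read from stdin.
# Zero objects from --list-all-trusted is the symptom suspected in the
# thread: the certificates are in the token but none carry the trusted flag.
count_p11_objects() {
    grep -c '^Object [0-9][0-9]*:' || true
}

# Number of anchors the trust module actually marks as trusted.
trusted_anchor_count() {
    p11tool --list-all-trusted "$P11_TRUST_URL" 2>/dev/null | count_p11_objects
}

# The gnutls-cli invocation for verifying a host against the PKCS#11 anchors.
gnutls_verify_cmd() {
    printf 'gnutls-cli --x509cafile %s --port 443 %s\n' "$P11_TRUST_URL" "$1"
}

# Run the handshake and report whether GnuTLS judged the chain trusted.
# Returns 0 when gnutls-cli reports the certificate as trusted.
verify_host_with_p11() {
    gnutls-cli --x509cafile "$P11_TRUST_URL" --port 443 "$1" </dev/null 2>&1 \
        | grep -q 'is trusted'
}

# Fallback matching what Fedora did: extract the server-auth anchors from
# p11-kit into a PEM bundle and use that file instead of a PKCS#11 URL.
# The 'trust extract' options used here are assumed from the trust tool.
extract_bundle() {
    trust extract --filter=ca-anchors --format=pem-bundle \
        --purpose=server-auth --overwrite "$1"
}

main() {
    host="${1:-www.example.org}"
    if ! command -v p11tool >/dev/null 2>&1 || ! command -v gnutls-cli >/dev/null 2>&1; then
        echo "p11tool or gnutls-cli not installed; live check skipped" >&2
        return 0
    fi
    n=$(trusted_anchor_count)
    echo "trusted anchors reachable via $P11_TRUST_URL: $n"
    if [ "$n" -eq 0 ]; then
        echo "no trusted objects: the token lists certificates but none are flagged trusted" >&2
    fi
    if verify_host_with_p11 "$host"; then
        echo "$host: chain verified against p11-kit anchors"
        return 0
    fi
    echo "$host: verification via $P11_TRUST_URL failed; trying an extracted bundle" >&2
    bundle="${TMPDIR:-/tmp}/p11-ca-anchors.pem"
    if command -v trust >/dev/null 2>&1 && extract_bundle "$bundle"; then
        gnutls-cli --x509cafile "$bundle" --port 443 "$host" </dev/null 2>&1 | grep 'trusted' || true
    fi
}

main "$@"
```

Run it as 'sh check-p11-trust.sh some.host' on a machine with the tools installed; on a system where --list-all-trusted reports zero objects, the PKCS#11 URL will not yield usable anchors whatever URL form is passed, which separates a trust-flag problem from a URL problem before the bundle fallback is tried.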

