how to make gnutls trust p11-kit's ca-anchors?

Stef Walter stef at
Wed Jul 10 22:50:46 PDT 2013

On 04.07.2013 18:08, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 04.07.2013 16:19, David Woodhouse wrote:
>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>> trust
>>>> URL by default without every app having to specify it?
>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>> Bingo. Thanks.
> That's exactly how I would like to have gnutls configured on openSUSE
> by default. I'll try your gnutls patch. Thanks!

One thing to note is that gnutls only looks up anchors, and doesn't
check blacklists. That's fine, it's a good start.

But if you use 'p11-kit extract --filter=ca-anchors' (or similar) it'll
at least remove blacklisted anchors from the extracted data. So there's
sligthly different behavior when gnutls uses an extracted bundle, as
opposed to reading anchors directly from 'pkcs11:'

In order to get gnutls retrieving blacklists, we need to finish up the
data model. I just posted about one of the last big issues with that
(the layering) and hope to have it tied up soon, so we can implement it
in gnutls.



More information about the p11-glue mailing list