-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL_CERT_FILE should be in systemd.globalEnvironment (See #8247 instead) #8486
Comments
Sounds reasonable to me. Related: #8247. |
I'm not sure. In general, the global systemd environment should be kept small, just like the default $PATH should be kept small, for these reasons:
|
In this particular case, the value of SSL_CERT_FILE is not supposed to change. It is a static path, independent of the cacert & co derivations. Therefore not a real dependency. I stumbled into this problem when trying to write a systemd service+timer for urlwatch (python2), and could not understand why certificate validation failed in the service while it worked perfectly from the shell. This is indeed a problem with SSL_CERT_FILE and how packages find certificates. Bottom line: We better first take a decision about cacert and SSL_CERT_FILE (secure enough, etc...) and then come back to this issue later. |
Why isn't that path hard-coded in the executable then ? I'm asking because this SSL_CERT_FILE environment variable is causing issues on Darwin. |
I thought the point of |
In general I think that it's preferable to have a single central CA store per system in order to have consistent access to SSL resources. For example if my organisation depends on a self-generated CA for internal services, the sysadmin/user wants to be able to install it once per machine. If we introduce our own SSL_CERT_FILE it means that maybe Safari is going to work but then when the developer goes in the shell and runs curl it's not going to work. The SSL_CERT_FILE is only installed when the nss-cacert package is installed so I removed it for now. |
Okay, I think I figured out the bottom of this issue. The normal behaviour is to have the path to the SSL_CERT_FILE hardcoded into the executable. However, python has has no hardcoded path, hence the need to always have SSL_CERT_FILE defined in its environment for ssl to work properly. Proof (kinda :-)) $ echo $SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt $ readlink /etc/ssl/certs/ca-certificates.crt /etc/static/ssl/certs/ca-certificates.crt $ readlink /etc/static/ssl/certs/ca-certificates.crt /nix/store/vnwwmdmw1895ilipj5lykps83hfrdyhp-ca-bundle.crt $ python3 Python 3.4.4 (default, Dec 21 2015, 06:01:07) [GCC 4.9.3] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import ssl >>> ssl.get_default_verify_paths() DefaultVerifyPaths( cafile='/etc/ssl/certs/ca-certificates.crt', capath='/nix/store/ik8d2g12y2hj5y4k32ca3cgm53v3h0va-openssl-1.0.1q/etc/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/nix/store/ik8d2g12y2hj5y4k32ca3cgm53v3h0va-openssl-1.0.1q/etc/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/nix/store/ik8d2g12y2hj5y4k32ca3cgm53v3h0va-openssl-1.0.1q/etc/ssl/certs') $ unset SSL_CERT_FILE $ python3 Python 3.4.4 (default, Dec 21 2015, 06:01:07) [GCC 4.9.3] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import ssl >>> ssl.get_default_verify_paths() DefaultVerifyPaths( cafile=None, capath='/nix/store/ik8d2g12y2hj5y4k32ca3cgm53v3h0va-openssl-1.0.1q/etc/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/nix/store/ik8d2g12y2hj5y4k32ca3cgm53v3h0va-openssl-1.0.1q/etc/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/nix/store/ik8d2g12y2hj5y4k32ca3cgm53v3h0va-openssl-1.0.1q/etc/ssl/certs') By the way,
Similar issue happened on other linux distros. @zimbatm, it seems you are right, this should be hardcoded in the executable, but how ? So, how the hell do apps find their SSL config ? (#8247) cc @4levels, for the similar issue reported on the mailing list |
I am now able to tell where openssl finds its default certificates. Python relies on openssl defaults when using the ssl module. If we want to define once and for all the certificate store store, whe should probably modify it. That being said, the variable is set to As a side note, the requests module is unaffected because it comes with its own certificates... |
In NixOS,
|
Closing this issue as this is probably not the best way to go, and too keep the discussion in #8247. |
Any service that uses SSL will need this variable.
A look to the current usage shows that SSL_CERT_FILE is indeed imported in some service files, but not correctly defined (search for environment.SSL_CERT_FILE).
One would expect
instead of
{ environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; }
.currently, the only environment variable in globalEnvironment is TZDIR. It seems to me that SSL_CERT_FILE is just as "global" as TZDIR.
I am ready to submit a pull-request if this sounds acceptable.
[EDIT] s/TZ_DATA/TZDIR/
The text was updated successfully, but these errors were encountered: