GNOME Bugzilla – Bug 796702
glib-networking only uses the system trust, which breaks Android and iOS certificate stores
Last modified: 2018-11-03 10:23:54 UTC
We had been carrying a patch to glib-networking to allow apps to set the certificate store at runtime with the CA_CERTIFICATES env var. Upstream has removed this in the 2.57.x development releases, and we need to work with them to add new API that allows us to set the default store location at runtime. Upstream bug: https://gitlab.gnome.org/GNOME/glib-networking/issues/35
Created attachment 373510 [details] [review]
recipes/glib: add API to set the default TLS database

With this the default database can be set using something like:

    GError *error = NULL;
    GTlsBackend *backend = g_tls_backend_get_default ();
    GTlsDatabase *db = g_tls_file_database_new ("/path/to/cert/list/file", &error);
    if (db != NULL)
      g_tls_backend_set_default_database (backend, db);
To emulate the old method of setting the store at runtime with CA_CERTIFICATES=/path/to/foo where can we call that? Presumably we still have to carry a custom patch for glib-networking?
I've been testing by adding the necessary code in the application. It would be nice not to have to care about the backwards compatibility thing :). For Android it can be placed inside the generated gstreamer_android.c alongside the CA_CERTIFICATES path generation. iOS doesn't have any generated files, so that would need to be either added to the app itself or to some strategic place in each SSL backend (gnutls, openssl, schannel, android, secure-transport, etc.). I'd be in favour of simply dropping it.
Telling the app to set it sounds fine to me.
For iOS we have the gst_ios_main.m, could it be done from there?
Yes, however that's shipped individually with every app and not generated, so it would need to be updated for every app. I'm fine with that as well.
Apps need to update that anyway to get the latest, correct list of plugins.
Created attachment 373512 [details] [review]
glib.recipe: Add new API for setting the GTls database

This has been submitted and accepted upstream: https://gitlab.gnome.org/GNOME/glib/merge_requests/273
Now what's remaining is updating the documentation?

Attachment 373512 [details] pushed as e252676 - glib.recipe: Add new API for setting the GTls database
Created attachment 373679 [details] [review]
android/ndk-build: update for glib tls API additions
commit a368b18a70c5be2c6ae0c00a9d7e7492e091764b
Author: Matthew Waters <matthew@centricular.com>
Date: Tue Sep 18 16:54:38 2018 +1000

    android/ndk-build: update for glib tls API additions

    The previously used GStreamer custom patch to load certificate files from the CA_CERTIFICATES environment variable is no longer effective with glib-networking 2.58 and instead API was added to the upcoming glib 2.60 release (backported to glib 2.58 in GStreamer's cerbero) to set the default TLS database.

    This patch makes use of the new API to set the default TLS database and behaves similarly as the previous CA_CERTIFICATES environment variable.

    https://bugzilla.gnome.org/show_bug.cgi?id=796702
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/gstreamer/cerbero/issues/64.