From bc3c41ce36349ed4ec758c70b48a7059e363043a Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 7 Nov 2016 23:07:08 +0100 Subject: download: Verify TLS certificates unless asked not to. Fixes . Reported by Leo Famulari . * guix/build/download.scm (%x509-certificate-directory): New variable. (make-credendials-with-ca-trust-files, peer-certificate) (assert-valid-server-certificate, print-tls-certificate-error): New procedures. Add 'print-tls-certificate-error' as an exception printer for 'tls-certificate-error'. (tls-wrap): Add #:verify-certificate? parameter and honor it. (open-connection-for-uri): Likewise. (http-fetch): Likewise. (url-fetch): Likewise. * guix/download.scm (url-fetch)[builder]: Pass #:verify-certificate? #f. * guix/scripts/lint.scm (probe-uri): Add case for 'tls-certificate-error'. (validate-uri): Likewise. * doc/guix.texi (Invoking guix download): Mention 'SSL_CERT_DIR'. --- guix/scripts/lint.scm | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'guix/scripts') diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index d6281eae64..049c297224 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -369,7 +369,8 @@ for connections to complete; when TIMEOUT is #f, wait as long as needed." ;; This can happen if the server returns an invalid HTTP header, ;; as is the case with the 'Date' header at sqlite.org. (values 'invalid-http-response #f)) - ((getaddrinfo-error system-error gnutls-error) + ((getaddrinfo-error system-error + gnutls-error tls-certificate-error) (values key args)) (else (apply throw key args)))))) @@ -457,6 +458,15 @@ suspiciously small file (~a bytes)") (cons status argument)))) field) #f) + ((tls-certificate-error) + (emit-warning package + (format #f + (_ "TLS certificate error: ~a") + (call-with-output-string + (lambda (port) + (print-exception port #f + 'tls-certificate-error + argument)))))) ((invalid-http-response gnutls-error) ;; Probably a misbehaving server; ignore. #f) -- cgit v1.2.3