Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
GNUTLS_CONF_OPTS += --without-zlib
endif
+# Provide a default CA cert location
+ifeq ($(BR2_PACKAGE_P11_KIT),y)
+GNUTLS_CONF_OPTS += --with-default-trust-store-pkcs11=pkcs11:model=p11-kit-trust
+else ifeq ($(BR2_PACKAGE_CA_CERTIFICATES),y)
+GNUTLS_CONF_OPTS += --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
+endif
+
$(eval $(autotools-package))
projects / buildroot.git / commitdiff