#52508: gnutls @3.4.15 should rely on p11-kit for trust store
----------------------------------+----------------------
  Reporter:  leonardo.schenkel@…  |      Owner:  mps@…
      Type:  defect               |     Status:  reopened
  Priority:  Normal               |  Milestone:
 Component:  ports                |    Version:  2.3.4
Resolution:                       |   Keywords:  haspatch
      Port:  gnutls               |
----------------------------------+----------------------

Comment (by leonardo.schenkel@…):

 I found the issue. It was my fault due to an oversight on my part.

 The problem is that when explicitly calling
 `--with-default-trust-store-pkcs11` without any arguments the configure
 script sets the value to `yes`, but later the `gnutls` code uses that
 value as a URI to initialize the trust store. `"yes"` being an invalid URI
 would cause no existing module to match and the trust store was
 initialized as empty.

 The correct way is to pass `--with-default-trust-store-pkcs11=pkcs11:` to
 the configure script which means that all available p11-kit modules
 (marked with `trust-policy: yes`) will match. By default that will at
 least contain `p11-kit-trust`, which in MacPorts is configured to use the
 `curl-ca-bundle`.

 I have tested this locally with `gnutls-cli` and `wget` and `curl` (with
 `+gnutls`) against the reported site and a number of other sites and
 everything works correctly now.

 I'm updating the patch with the fix and I apologize once more for the
 inconvenience. Next time I'll be more careful and test more thoroughly.

--
Ticket URL: <https://trac.macports.org/ticket/52508#comment:10>
MacPorts <https://www.macports.org/>
Ports system for the Mac operating system
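
A pre-build check for the mistake described in the comment above, as an added example that is not part of the ticket, the patch, or MacPorts/GnuTLS code. The function name `check_trust_store_arg`, its exit codes, and the sample argument lists are assumptions made for illustration; it treats any value beginning with `pkcs11:` as an acceptable URI.

```shell
#!/bin/sh
# Added example, not MacPorts or GnuTLS code.
# Lints a configure argument list for the trust-store option from the ticket.
# Exit status: 0 = pkcs11: URI given, 1 = unusable value, 2 = option absent.
check_trust_store_arg() {
    opt="--with-default-trust-store-pkcs11"
    seen=0
    val=""
    for arg in "$@"; do
        case "$arg" in
            "$opt")
                # A bare --with-X is recorded by autoconf as the value "yes".
                seen=1; val="yes" ;;
            "$opt="*)
                # As in configure, the last occurrence wins.
                seen=1; val=${arg#"$opt="} ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "NOTE: $opt not passed"
        return 2
    fi
    case "$val" in
        pkcs11:*)
            echo "OK: trust store URI is '$val'"
            return 0 ;;
        *)
            echo "BAD: '$val' is not a pkcs11: URI"
            return 1 ;;
    esac
}

# Constructed sample argument lists (the --prefix value is illustrative).
check_trust_store_arg --prefix=/opt/local "--with-default-trust-store-pkcs11" || :
check_trust_store_arg --prefix=/opt/local "--with-default-trust-store-pkcs11=pkcs11:" || :
```

A build that passes this check can still end up with an empty trust store if no p11-kit module is installed, so a TLS connection test with the built binaries remains the final confirmation.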