WARNING: gnome-keyring ??

Phil Pennock help-gnutls-phil at spodhuis.org
Thu Nov 8 08:14:22 CET 2012 

On 2012-11-07 at 10:10 +0100, Nikos Mavrogiannopoulos wrote:
> The warning on stderr shouldn't have been there. A module that is
> being loaded should either succeed loading or fail with a return code.
> However this is not under my control to suppress. The PKCS #11 support
> (this is about smart cards) is transparent and system wide because we
> want all applications that use gnutls to be able to use smart cards
> transparently (e.g. you can load your private key from a smart card
> the same way you'd load it from a file).

This doesn't make sense in all cases; for system daemons, mostly not,
and Exim does TLS init at start-up, to validate the config.  So we got
user complaints when I released 4.80 in May with my changes to overhaul
the GnuTLS integration.  I wrote the fix below a few months back and it
will be part of 4.82 (whenever that's released).  Perhaps this approach
is of use to others?

I introduced an Exim config option "gnutls_enable_pkcs11" which defaults
false.  Then the code in the GnuTLS binding has:

----------------------------8< cut here >8------------------------------
#ifdef HAVE_GNUTLS_PKCS11
  /* By default, gnutls_global_init will init PKCS11 support in auto mode,
  which loads modules from a config file, which sounds good and may be wanted
  by some sysadmin, but also means in common configurations that GNOME keyring
  environment variables are used and so breaks for users calling mailq.
  To prevent this, we init PKCS11 first, which is the documented approach. */
  if (!gnutls_enable_pkcs11)
    {
    rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
    exim_gnutls_err_check(US"gnutls_pkcs11_init");
    }
#endif
----------------------------8< cut here >8------------------------------

exim_gnutls_err_check() is a macro checking rc against GNUTLS_E_SUCCESS.

If memory serves, this was well documented by GnuTLS; I just hadn't
known of the interaction of environment variables with GUI-drivers for
some modules.

If we ever have Exim daemons which need pkcs11 support and folks still
want to run mailq with GNOME_* environment variables set, I may have to
start inhibiting the start-up TLS check for some cases.

More information about the Gnutls-help mailing list