[Improved patch!] Was: Re: [Evolution-hackers] [PATCH] Fix OpenSSL certificate validation in Evolution (1.4.4 and 1.4.6)



Further to my previous post, here is a much improved and this time final
patch replacing the previous one (attached).  It changes the call from:

SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/etc/ssl/certs");

to:

SSL_CTX_set_default_verify_paths(ssl_ctx);

Which asks the OpenSSL library to use the default path for the
certificates (configured at compile time when building OpenSSL, so on
each distribution it can be different; for SuSE it is /etc/ssl/certs and
for Red Hat it is /usr/share/ssl, I am told).

This thus removes the hardcoded /etc/ssl/certs and is hence much better,
and it is always going to work on a system with a properly installed
OpenSSL library.

I know at least some of you Ximian developers don't like OpenSSL, but
other people, in particular distributions, like it, and you will find
that distros always compile Evolution with OpenSSL support, like it or
not.  It also happens to work beautifully with my patch, so why not
include it?  If you don't use OpenSSL, fine, but at least allow everyone
else to use it without having to apply a patch first...  Thank you.

On Thu, 2004-08-19 at 05:02, Not Zed wrote:
> The code is still there, it just isn't built.
> 
> On Thu, 2004-08-19 at 00:01 -0400, Rodney Dawes wrote: 
> > The openssl bits were removed from 1.5 a long time ago, so this patch
> > isn't going in there.
> > 
> > -- dobey
> > 
> > On Thu, 2004-08-19 at 10:12 +0800, Not Zed wrote:
> > > On Wed, 2004-08-18 at 17:03 +0100, Anton Altaparmakov wrote: 
> > > > Hi,
> > > > 
> > > > I spent most of today trying to figure out why Evolution would report
> > > > "Unable to get issuer's certificate locally" when trying to access our
> > > > IMAP server.  This has been a long standing problem for us here at the
> > > > University of Cambridge, UK.  Google revealed that this is a commonly
> > > > encountered problem and at least one Evolution developer boldly stated
> > > > that "it is not Evolution's problem, it must be OpenSSL or other bug"
> > > > but I am afraid it is an Evolution bug after all.
> > > 
> > > OpenSSL isn't a supported means of using SSL in Evolution.
> > > 
> > > But I don't see why the patch can't go in pending a comment from Jeff
> > > (who's on leave this week).  We'll only put it in evolution 1.5
> > > though.

Best regards,

	Anton
-- 
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/, http://www-stu.christs.cam.ac.uk/~aia21/

diff -urNp -urNp evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c evolution-1.4.6/camel/camel-tcp-stream-openssl.c
--- evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c	2003-03-03 22:53:15.000000000 +0000
+++ evolution-1.4.6/camel/camel-tcp-stream-openssl.c	2004-08-18 15:20:09.282083003 +0100
@@ -735,6 +735,7 @@ open_ssl_connection (CamelService *servi
 	ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
 	g_return_val_if_fail (ssl_ctx != NULL, NULL);
 	
+	SSL_CTX_set_default_verify_paths(ssl_ctx);
 	SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, &ssl_verify);
 	ssl = SSL_new (ssl_ctx);
 	SSL_set_fd (ssl, sockfd);
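Review bot: the return value of SSL_CTX_set_default_verify_paths() on the added line is discarded, while the line above guards SSL_CTX_new() with g_return_val_if_fail; check it the same way, but note that it only reports a failure to set up the lookups, not a missing or empty certificate directory, so on a distribution whose compiled-in path holds no CA certificates the connection still fails later in ssl_verify with the same "Unable to get issuer's certificate locally" message. Logging X509_get_default_cert_dir() / X509_get_default_cert_file() alongside that verify error would make such a misconfiguration visible to the user. Also, the hunk only adds the call (there is no "-" line), so it applies to pristine 1.4.6 as the evolution-1.4.6.old header shows; a tree carrying the earlier patch's SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/etc/ssl/certs") needs that reverted first, or both loads run.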

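The two points the post relies on, that SSL_CTX_set_default_verify_paths() uses a path baked into the OpenSSL build (and the SSL_CERT_FILE / SSL_CERT_DIR overrides), and that nothing complains when that path holds no CA certificates, can be checked on any box without touching camel. The following is an added illustration, not part of the original post and not Evolution or OpenSSL project code; it uses Python's ssl module, which is a thin binding over the same libssl calls, and the empty temporary directory and empty bundle file it creates are constructed input.

```python
"""Where does SSL_CTX_set_default_verify_paths() actually look, and what
happens when that location is empty?

Added example, not Evolution/camel code.  Python's ssl module wraps libssl:
ssl.get_default_verify_paths() exposes X509_get_default_cert_file() /
X509_get_default_cert_dir() and the environment variable names OpenSSL
honours, and SSLContext.set_default_verify_paths() is
SSL_CTX_set_default_verify_paths(), so the distro-specific defaults the
patch relies on are visible from here.
"""
import os
import ssl
import tempfile


def default_verify_paths():
    """Report the CA bundle file and hashed-cert directory the linked OpenSSL
    was built with, plus the environment variables that override them."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile,          # compile-time default bundle, e.g. .../cert.pem
        "capath": p.openssl_capath,          # compile-time default dir, e.g. /etc/ssl/certs
        "cafile_env": p.openssl_cafile_env,  # "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,  # "SSL_CERT_DIR"
        "cafile_present": os.path.isfile(p.openssl_cafile),
        "capath_present": os.path.isdir(p.openssl_capath),
    }


def bundled_ca_count(cert_file=None, cert_dir=None):
    """Build a verify-peer client context the way the patch does and return
    how many CA certificates the default-path load put into its X509 store.

    cert_file / cert_dir, when given, are exported as SSL_CERT_FILE /
    SSL_CERT_DIR before the call; OpenSSL reads those at call time in
    preference to the compile-time paths.  Two things to expect:
      * set_default_verify_paths() does not fail when the bundle is missing
        or empty; OpenSSL clears that error and returns success, so the only
        symptom is a later verify failure such as "unable to get issuer
        certificate locally".
      * certificates in the hashed directory are loaded lazily at lookup
        time, so only the bundle file contributes to this count.
    """
    saved = {k: os.environ.get(k) for k in ("SSL_CERT_FILE", "SSL_CERT_DIR")}
    try:
        for key, value in (("SSL_CERT_FILE", cert_file), ("SSL_CERT_DIR", cert_dir)):
            if value is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = value
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED   # SSL_VERIFY_PEER
        ctx.set_default_verify_paths()       # SSL_CTX_set_default_verify_paths()
        return ctx.cert_store_stats()["x509_ca"]
    finally:
        for key, value in saved.items():
            if value is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = value


def ca_count_from_empty_location():
    """Point both overrides at an empty bundle file and an empty directory
    (constructed here): the call still succeeds but the store holds no CAs,
    which is the state a wrong-for-this-distro certificate path leaves a
    client in."""
    with tempfile.TemporaryDirectory() as d:
        empty_bundle = os.path.join(d, "empty.pem")
        open(empty_bundle, "w").close()
        return bundled_ca_count(cert_file=empty_bundle, cert_dir=d)


if __name__ == "__main__":
    print(default_verify_paths())
    print("CAs loaded from compile-time defaults:", bundled_ca_count())
    print("CAs loaded from an empty location:    ", ca_count_from_empty_location())
```

Run it on a SuSE box and on a Red Hat box and the "capath" line differs exactly as the post describes; run it with SSL_CERT_DIR pointed somewhere empty and the count drops to zero with no error from the library, which is why the hardcoded /etc/ssl/certs failed silently on distributions that keep their certificates elsewhere.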
