[Evolution-hackers] [PATCH] Fix OpenSSL certificate validation in Evolution (1.4.4 and 1.4.6)



Hi,

I spent most of today trying to figure out why Evolution would report
"Unable to get issuer's certificate locally" when trying to access our
IMAP server.  This has been a long-standing problem for us here at the
University of Cambridge, UK.  Google revealed that this is a commonly
encountered problem and at least one Evolution developer boldly stated
that "it is not Evolution's problem, it must be OpenSSL or other bug"
but I am afraid it is an Evolution bug after all.

I finally determined that Evolution is failing to specify the directory
where OpenSSL will look for certificates and hence of course the
verification of the certificate fails.

I have attached a patch which does this and Evolution now correctly
verifies the certificate of our IMAP server automatically.

The patch is against Evolution 1.4.4 and 1.4.6 (the modified file,
camel/camel-tcp-stream-openssl.c is identical in both these versions of
Evolution).

Note, these are the versions as found on SuSE 9.0 and 9.1, respectively
and the patch hardcodes the certificate path to be /etc/ssl/certs as is
found on SuSE systems.  I do not know whether this path is the same on
other distributions, perhaps the correct solution is to be able to
modify the path using ./configure...

Anyway, at least on SuSE, please apply this patch to the main evolution
distribution and to the SuSE 9.0 and 9.1 distributions as an update.
Without it, no-one can use Evolution safely in an SSL environment as one
is forced to accept an unverified certificate if one wants to get to
one's mail using SSL, which defeats the whole point of SSL certificates
and allows man-in-the-middle attacks.

Best regards,

	Anton
-- 
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/, http://www-stu.christs.cam.ac.uk/~aia21/
diff -urNp -urNp evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c evolution-1.4.6/camel/camel-tcp-stream-openssl.c
--- evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c	2003-03-03 22:53:15.000000000 +0000
+++ evolution-1.4.6/camel/camel-tcp-stream-openssl.c	2004-08-18 15:20:09.282083003 +0100
@@ -735,6 +735,9 @@ open_ssl_connection (CamelService *servi
 	ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
 	g_return_val_if_fail (ssl_ctx != NULL, NULL);
 	
+	/* Attempt to set the local certificate store. */
+	SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/etc/ssl/certs");
+
 	SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, &ssl_verify);
 	ssl = SSL_new (ssl_ctx);
 	SSL_set_fd (ssl, sockfd);
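Review bot: the return value of SSL_CTX_load_verify_locations() is discarded in the added line, so if /etc/ssl/certs is missing or unreadable the failure is silent and SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, &ssl_verify) on the following line proceeds with an empty trust store, reproducing exactly the "Unable to get issuer's certificate locally" behaviour the patch is meant to fix. The call returns 1 on success and 0 on failure, so check it and log a g_warning so the user can tell a misconfigured CA directory from a genuinely bad server certificate. The hardcoded "/etc/ssl/certs" is also the portability problem the cover letter already acknowledges; a cleaner way to get a distribution-neutral default is to call SSL_CTX_set_default_verify_paths(ssl_ctx) first, which loads OpenSSL's compiled-in certificate file and directory (the same locations the openssl command-line tool uses), and only fall back to an explicit directory path, ideally one settable at configure time, when that returns 0. Finally, the patch does not show how ssl_verify() treats a verification failure; for the fix to close the man-in-the-middle gap described in the message, that callback must not return success for an untrusted chain without an explicit user decision.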

