Re: [Improved patch!] Was: Re: [Evolution-hackers] [PATCH] Fix OpenSSL certificate validation in Evolution (1.4.4 and 1.4.6)



On Sat, 21 Aug 2004, Jeffrey Stedfast wrote:
> On Thu, 2004-08-19 at 05:05, Anton Altaparmakov wrote:
> > On Thu, 2004-08-19 at 09:07, Frederic Crozat wrote:
> > > On Thu 19/08/2004 at 09:54, Anton Altaparmakov wrote:
> > > > Further to my previous post, here is a much improved and this time final
> > > > patch replacing the previous one (attached).  It changes the call from:
> > > > 
> > > > SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/etc/ssl/certs");
> > > > 
> > > > to:
> > > > 
> > > > SSL_CTX_set_default_verify_paths(ssl_ctx);
> > > > 
> > > > Which asks the OpenSSL library to use the default path for the
> > > > certificates (configured at compile time when building openssl so on
> > > > each distribution it can be different, for suse it is /etc/ssl/certs and
> > > > for redhat it is /usr/share/ssl I am told).
> > > > 
> > > > This thus removes the hardcoded /etc/ssl/certs and is hence much better
> > > > and always going to work on a system with a properly installed openssl
> > > > library.
> > > > 
> > > > I know at least some of you Ximian Developers don't like OpenSSL, but
> > > > other people, in particular distributions like it, and you will find
> > > > that distros always compile evolution with openssl support, like it or
> > > > not.  It also happens to work beautifully with my patch so why not
> > > > include it?  If you don't use openssl fine, but at least allow everyone
> > > > else to use it without having to apply a patch first...  Thank you.
> > > 
> > > Ahem, I think at least RH, Mdk and Debian are not using OpenSSL enabled
> > > Evolution. You should check facts before writing such claims..
> > 
> > Well, having just checked RedHat 9.0 I can tell you for a fact that both
> > RedHat 9.0 and SuSE 9.0/9.1 all use OpenSSL for their Evolution builds. 
> > That covers the two largest distributions so my statement was not wrong.
> 
> OpenSSL is *only* used by OpenLDAP in those distributions. SuSE (which,

Sorry but this is wrong.  Both RedHat 9 and SuSE 9.x Evolution RPMS use 
OpenSSL and NOT Mozilla-NSS.  That is how they are built and that is how 
they work.  Look at the source and binary rpms, look at what the binary 
rpms depend on, use strace to see what libraries are loaded on 
evolution startup.  I _have_ done all this and guess what, OpenSSL is 
used.

Also, if you were right, how can you explain that adding my patch fixes 
the certificates problem when using SuSE 9.0 (I haven't managed to 
compile the SuSE 9.1 source rpm for evolution 1.4.6 on SuSE 9.1 yet!), 
even though it only touches the Evolution OpenSSL code?

> btw, is part of Novell) uses Mozilla-NSS, as does RedHat 9.0, Fedora
> Core 1 & 2, and Mandrake.

I know Ximian and SuSE are now Novell.  We have a full sitelicense for 
Novell (because of using Netware extensively) and hence are probably going 
to get all Ximian and SuSE products for free.  (-:  (Novell are still 
debating exactly what to do there...  So far we know we have full 
sitelicenses for the SuSE OpenExchange server but we are waiting to hear 
about the rest.)

> OpenSSL will not work for more than just what your patch covers (I'll
> look it over on monday) - for starters, the code is unmaintained and
> doesn't even compile anymore.

Makes Evolution 1.4.4 work anyway...

Best regards,

	Anton
-- 
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/
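
The difference between the two calls discussed in the thread, as an added example that is not part of the original message or of Evolution's code. It uses Python's ssl module, whose load_verify_locations() and set_default_verify_paths() wrap the same two OpenSSL functions; the helper names are hypothetical.

```python
import os
import ssl

# Literal from the original call quoted in the thread.
HARDCODED_CAPATH = "/etc/ssl/certs"


def default_ca_locations():
    """Report what SSL_CTX_set_default_verify_paths() consults on this build."""
    p = ssl.get_default_verify_paths()
    return {
        # Compiled-in locations, fixed when the OpenSSL library was built.
        "compiled_file": p.openssl_cafile,
        "compiled_dir": p.openssl_capath,
        # Environment variables that override the compiled-in values.
        "file_env": p.openssl_cafile_env,
        "dir_env": p.openssl_capath_env,
        # Effective values; None when the file or directory does not exist.
        "effective_file": p.cafile,
        "effective_dir": p.capath,
    }


def classify_hardcoded(hardcoded, compiled_dir, exists=os.path.isdir):
    """Compare a hardcoded CA directory with the library's default one."""
    if os.path.normpath(hardcoded) == os.path.normpath(compiled_dir):
        return "same-as-default"
    if not exists(hardcoded):
        return "missing"  # nothing there to verify against
    return "differs-from-default"


def build_contexts(hardcoded=HARDCODED_CAPATH):
    """Return (pinned, portable): one context per approach in the thread."""
    pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    pinned.load_verify_locations(capath=hardcoded)  # SSL_CTX_load_verify_locations
    portable = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    portable.set_default_verify_paths()  # SSL_CTX_set_default_verify_paths
    return pinned, portable


if __name__ == "__main__":
    loc = default_ca_locations()
    for key, value in loc.items():
        print(f"{key:15} {value}")
    print("hardcoded path:", classify_hardcoded(HARDCODED_CAPATH, loc["compiled_dir"]))
```

Run directly, it prints the CA locations of the OpenSSL build that Python is linked against and shows whether /etc/ssl/certs is that build's default directory.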

