Re: [Improved patch!] Was: Re: [Evolution-hackers] [PATCH] Fix OpenSSL certificate validation in Evolution (1.4.4 and 1.4.6)



The OpenSSL code no longer even compiles and is no longer available in
configure.in. That said, I'll add that function call if for some reason
this code is ever revived, but that is highly doubtful.

Jeff

On Sun, 2004-08-22 at 06:45 +0100, Anton Altaparmakov wrote:
> On Sat, 21 Aug 2004, Jeffrey Stedfast wrote:
> > On Thu, 2004-08-19 at 05:05, Anton Altaparmakov wrote:
> > > On Thu, 2004-08-19 at 09:07, Frederic Crozat wrote:
> > > > On Thu 19/08/2004 at 09:54, Anton Altaparmakov wrote:
> > > > > Further to my previous post, here is a much improved and this time final
> > > > > patch replacing the previous one (attached).  It changes the call from:
> > > > > 
> > > > > SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/etc/ssl/certs");
> > > > > 
> > > > > to:
> > > > > 
> > > > > SSL_CTX_set_default_verify_paths(ssl_ctx);
> > > > > 
> > > > > Which asks the OpenSSL library to use the default path for the
> > > > > certificates (configured at compile time when building openssl so on
> > > > > each distribution it can be different, for suse it is /etc/ssl/certs and
> > > > > for redhat it is /usr/share/ssl I am told).
> > > > > 
> > > > > This thus removes the hardcoded /etc/ssl/certs and is hence much better
> > > > > and always going to work on a system with a properly installed openssl
> > > > > library.
> > > > > 
> > > > > I know at least some of you Ximian Developers don't like OpenSSL, but
> > > > > other people, in particular distributions like it, and you will find
> > > > > that distros always compile evolution with openssl support, like it or
> > > > > not.  It also happens to work beautifully with my patch so why not
> > > > > include it?  If you don't use openssl fine, but at least allow everyone
> > > > > else to use it without having to apply a patch first...  Thank you.
> > > > 
> > > > Ahem, I think at least RH, Mdk and Debian are not using OpenSSL enabled
> > > > Evolution. You should check facts before writing such claims..
> > > 
> > > Well, having just checked RedHat 9.0 I can tell you for a fact that both
> > > RedHat 9.0 and SuSE 9.0/9.1 all use OpenSSL for their Evolution builds. 
> > > That covers the two largest distributions so my statement was not wrong.
> > 
> > OpenSSL is *only* used by OpenLDAP in those distributions. SuSE (which,
> 
> Sorry but this is wrong.  Both RedHat 9 and SuSE 9.x Evolution RPMS use 
> OpenSSL and NOT Mozilla-NSS.  That is how they are built and that is how 
> they work.  Look at the source and binary rpms, look at what the binary 
> rpms depend on, use strace to see what libraries are loaded on 
> evolution startup.  I _have_ done all this and guess what, OpenSSL is 
> used.
> 
> Also, if you were right, how can you explain that adding my patch fixes 
> the certificates problem when using SuSE 9.0 (I haven't managed to 
> compile the SuSE 9.1 source rpm for evolution 1.4.6 on SuSE 9.1 yet!), 
> even though it only touches the Evolution OpenSSL code?
> 
> > btw, is part of Novell) uses Mozilla-NSS, as does RedHat 9.0, Fedora
> > Core 1 & 2, and Mandrake.
> 
> I know Ximian and SuSE are now Novell.  We have a full sitelicense for 
> Novell (because of using Netware extensively) and hence are probably going 
> to get all Ximian and SuSE products for free.  (-:  (Novell are still 
> debating exactly what to do there...  So far we know we have full 
> sitelicenses for the SuSE OpenExchange server but we are waiting to hear 
> about the rest.)
> 
> > OpenSSL will not work for more than just what your patch covers (I'll
> > look it over on monday) - for starters, the code is unmaintained and
> > doesn't even compile anymore.
> 
> Makes Evolution 1.4.4 work anyway...
> 
> Best regards,
> 
> 	Anton
> -- 
> Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
> Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
> Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
> WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/
-- 
Jeffrey Stedfast
Evolution Hacker - Novell, Inc.
fejj ximian com  - www.novell.com

Attachment: smime.p7s
Description: S/MIME cryptographic signature
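
An added example, not part of the thread or of Evolution's code: the difference between the two calls discussed above, shown through Python's ssl module, whose load_verify_locations() and set_default_verify_paths() wrap the same OpenSSL functions. The SUSE_LIKE and REDHAT_LIKE path sets and the audit_hardcoded() helper are constructed for illustration.

```python
import os
import ssl

# Directory the pre-patch call hardcoded (taken from the thread).
HARDCODED_CAPATH = "/etc/ssl/certs"

# Constructed samples of the two layouts named in the thread. Field order:
# cafile, capath, openssl_cafile_env, openssl_cafile, openssl_capath_env, openssl_capath
SUSE_LIKE = ssl.DefaultVerifyPaths(
    None, None, "SSL_CERT_FILE", "/etc/ssl/cert.pem", "SSL_CERT_DIR", "/etc/ssl/certs")
REDHAT_LIKE = ssl.DefaultVerifyPaths(
    None, None, "SSL_CERT_FILE", "/usr/share/ssl/cert.pem", "SSL_CERT_DIR", "/usr/share/ssl/certs")


def client_context(use_library_defaults=True, capath=HARDCODED_CAPATH):
    """Build a verifying client context with one of the two trust-store calls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED plus hostname check
    if use_library_defaults:
        # Wraps SSL_CTX_set_default_verify_paths(): build-time paths, and the
        # SSL_CERT_FILE / SSL_CERT_DIR environment overrides are honoured.
        ctx.set_default_verify_paths()
    else:
        # Wraps SSL_CTX_load_verify_locations(ctx, NULL, capath): directory only.
        ctx.load_verify_locations(capath=capath)
    return ctx


def audit_hardcoded(hardcoded, defaults, env=None):
    """Compare a hardcoded CA directory with what the linked OpenSSL would use.

    `defaults` is an ssl.DefaultVerifyPaths, e.g. ssl.get_default_verify_paths().
    """
    env = os.environ if env is None else env
    override = env.get(defaults.openssl_capath_env)  # may be a list of directories
    dirs = override.split(os.pathsep) if override else [defaults.openssl_capath]
    effective = [os.path.normpath(d) for d in dirs]
    matches = os.path.normpath(hardcoded) in effective
    return {
        "effective_capath": effective,
        "hardcoded_matches": matches,
        "env_override_ignored": bool(override) and not matches,
        # The CA bundle file is never consulted when CAfile is passed as NULL.
        "cafile_not_consulted": defaults.openssl_cafile,
    }


if __name__ == "__main__":
    print(audit_hardcoded(HARDCODED_CAPATH, ssl.get_default_verify_paths()))
    print(client_context().verify_mode)
```

Run on a real host, the script reports whether /etc/ssl/certs is actually where the linked OpenSSL looks for CA certificates.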


