Re: [Improved patch!] Was: Re: [Evolution-hackers] [PATCH] Fix OpenSSL certificate validation in Evolution (1.4.4 and 1.4.6)



On Mon, 23 Aug 2004, Jeffrey Stedfast wrote:

> the OpenSSL code no longer even compiles and is no longer available in
> configure.in. that said, I'll add that function call if for some reason
> this code is ever revived, but that is highly doubtful.

Great, thank you.

Best regards,

	Anton

> On Sun, 2004-08-22 at 06:45 +0100, Anton Altaparmakov wrote:
> > On Sat, 21 Aug 2004, Jeffrey Stedfast wrote:
> > > On Thu, 2004-08-19 at 05:05, Anton Altaparmakov wrote:
> > > > On Thu, 2004-08-19 at 09:07, Frederic Crozat wrote:
> > > > > On Thu 19/08/2004 at 09:54, Anton Altaparmakov wrote:
> > > > > > Further to my previous post, here is a much improved and this time final
> > > > > > patch replacing the previous one (attached).  It changes the call from:
> > > > > > 
> > > > > > SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/etc/ssl/certs");
> > > > > > 
> > > > > > to:
> > > > > > 
> > > > > > SSL_CTX_set_default_verify_paths(ssl_ctx);
> > > > > > 
> > > > > > Which asks the OpenSSL library to use the default path for the
> > > > > > certificates (configured at compile time when building openssl so on
> > > > > > each distribution it can be different, for suse it is /etc/ssl/certs and
> > > > > > for redhat it is /usr/share/ssl I am told).
> > > > > > 
> > > > > > This thus removes the hardcoded /etc/ssl/certs and is hence much better
> > > > > > and always going to work on a system with a properly installed openssl
> > > > > > library.
> > > > > > 
> > > > > > I know at least some of you Ximian Developers don't like OpenSSL, but
> > > > > > other people, in particular distributions like it, and you will find
> > > > > > that distros always compile evolution with openssl support, like it or
> > > > > > not.  It also happens to work beautifully with my patch so why not
> > > > > > include it?  If you don't use openssl fine, but at least allow everyone
> > > > > > else to use it without having to apply a patch first...  Thank you.
> > > > > 
> > > > > Ahem, I think at least RH, Mdk and Debian are not using OpenSSL enabled
> > > > > Evolution. You should check facts before writing such claims..
> > > > 
> > > > Well, having just checked RedHat 9.0 I can tell you for a fact that both
> > > > RedHat 9.0 and SuSE 9.0/9.1 all use OpenSSL for their Evolution builds. 
> > > > That covers the two largest distributions so my statement was not wrong.
> > > 
> > > OpenSSL is *only* used by OpenLDAP in those distributions. SuSE (which,
> > 
> > Sorry but this is wrong.  Both RedHat 9 and SuSE 9.x Evolution RPMS use 
> > OpenSSL and NOT Mozilla-NSS.  That is how they are built and that is how 
> > they work.  Look at the source and binary rpms, look at what the binary 
> > rpms depend on, use strace to see what libraries are loaded on 
> > evolution startup.  I _have_ done all this and guess what, OpenSSL is 
> > used.
> > 
> > Also, if you were right, how can you explain that adding my patch fixes 
> > the certificates problem when using SuSE 9.0 (I haven't managed to 
> > compile the SuSE 9.1 source rpm for evolution 1.4.6 on SuSE 9.1 yet!), 
> > even though it only touches the Evolution OpenSSL code?
> > 
> > > btw, is part of Novell) uses Mozilla-NSS, as does RedHat 9.0, Fedora
> > > Core 1 & 2, and Mandrake.
> > 
> > I know Ximian and SuSE are now Novell.  We have a full sitelicense for 
> > Novell (because of using Netware extensively) and hence are probably going 
> > to get all Ximian and SuSE products for free.  (-:  (Novell are still 
> > debating exactly what to do there...  So far we know we have full 
> > sitelicenses for the SuSE OpenExchange server but we are waiting to hear 
> > about the rest.)
> > 
> > > OpenSSL will not work for more than just what your patch covers (I'll
> > > look it over on monday) - for starters, the code is unmaintained and
> > > doesn't even compile anymore.
> > 
> > Makes Evolution 1.4.4 work anyway...
> > 
> > Best regards,
> > 
> > 	Anton

-- 
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/
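
The two trust-store calls discussed in this thread, as an added example that is not part of the original messages or of Evolution's code. It uses Python's `ssl` module, whose `load_verify_locations()` and `set_default_verify_paths()` call the same OpenSSL functions; the function names `context_hardcoded`, `context_default` and `audit_hardcoded_path` are hypothetical.

```python
import os
import ssl

HARDCODED_CAPATH = "/etc/ssl/certs"  # directory the pre-patch call hardcoded


def context_hardcoded(capath=HARDCODED_CAPATH):
    """Pre-patch behaviour: trust only a fixed hashed-certificate directory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(capath=capath)       # SSL_CTX_load_verify_locations
    return ctx


def context_default():
    """Post-patch behaviour: use the locations compiled into OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_default_verify_paths()                 # SSL_CTX_set_default_verify_paths
    return ctx


def audit_hardcoded_path(capath=HARDCODED_CAPATH):
    """Compare a hardcoded CA directory with this OpenSSL build's defaults."""
    d = ssl.get_default_verify_paths()
    # An environment override (SSL_CERT_DIR) wins over the compiled-in default.
    effective_dir = os.environ.get(d.openssl_capath_env, d.openssl_capath)
    return {
        "hardcoded": capath,
        "hardcoded_exists": os.path.isdir(capath),
        "openssl_default_dir": d.openssl_capath,
        "openssl_default_file": d.openssl_cafile,
        "effective_dir": effective_dir,
        # False means the hardcoded path points somewhere OpenSSL itself would
        # not look, so every server certificate would fail verification there.
        "matches_default": os.path.realpath(capath) == os.path.realpath(effective_dir),
    }


if __name__ == "__main__":
    for key, value in audit_hardcoded_path().items():
        print(f"{key}: {value}")
    # Certificates in a hashed directory are loaded lazily, so this counts
    # only what came from the default CA file.
    print("default store stats:", context_default().cert_store_stats())
```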

