http://bugzilla.novell.com/show_bug.cgi?id=594501 http://bugzilla.novell.com/show_bug.cgi?id=594501#c1 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |vuntz@novell.com --- Comment #1 from Ludwig Nussel 2010-04-08 09:15:48 CEST --- I need to fix the documentation instead :-) I've intentionally changed the file name to /etc/ssl/ca-bundle.pem as /etc/ssl/cert.pem seems to be compiled into several programs. They then prefer the file over the directory /etc/ssl/certs which is the wrong way around. We didn't have any bundle file before so epiphany not working is due to bug 594434 I guess? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=594501 http://bugzilla.novell.com/show_bug.cgi?id=594501#c3 --- Comment #3 from Ludwig Nussel 2010-04-08 11:13:41 CEST --- (In reply to comment #2)

Hrm, I guess I'm misunderstanding something: why is it wrong to prefer the file over /etc/ssl/certs if both are updated with update-ca-certificates?

It's not directly wrong but I'd still recommend not using it. openssl for example doesn't need to load all certificates into memory when using the directory so the directory should be preferred.

Anyway, in all cases, I don't have any pem file in /etc/ssl, do I don't have /etc/ssl/ca-bundle.pem either ;-)

Is ca-certificates-mozilla installed?

As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's I need to know to fix the epiphany part.

Does epiphany use openssl or gnutls? In case of openssl just make it call SSL_CTX_set_default_verify_paths(). gnutls unfortunately doesn't support directories itself so the cheap solution there indeed is to use the bundle file (won't work on older openSUSE though) or just load /etc/ssl/certs/*.pem manually. libpurple does that. OTOH if we'd make all gnutls programs use the bundle I could switch /etc/ssl/certs to use certificiates with openssl trust bits. gnutls currently doesn't support such trusted certificates so the system certificates are restricted to ones trusted for "serverAuth" only. See also https://bugzilla.redhat.com/show_bug.cgi?id=466626#c18 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=594501 http://bugzilla.novell.com/show_bug.cgi?id=594501#c5 --- Comment #5 from Ludwig Nussel 2010-04-08 13:43:58 CEST --- (In reply to comment #4)

(In reply to comment #3)

...

(In reply to comment #2)

...

Anyway, in all cases, I don't have any pem file in /etc/ssl, do I don't have /etc/ssl/ca-bundle.pem either ;-)

Is ca-certificates-mozilla installed?

Yes. Anything I can do to debug?

...

...

As for epiphany: it's a build time option. Right now, we pass --without-ca-file

Provided the package installed correctly and it's files are present in /usr/share/ca-certificates/mozilla/ a call to "update-ca-certificates -f" should restore the symlinks in /etc/ssl/certs and generate the bundle. If that doesn't help some strategic print commands in the script are needed :-) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=594501 http://bugzilla.novell.com/show_bug.cgi?id=594501#c7 --- Comment #7 from Ludwig Nussel 2010-04-08 14:28:14 CEST --- The actual bundle is generated by /etc/ca-certificates/update.d/certbundle.run -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=594501 http://bugzilla.novell.com/show_bug.cgi?id=594501#c9 --- Comment #9 from Ludwig Nussel 2010-04-08 15:09:51 CEST --- argl. It's not packaged. Do'h! will fix. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=594501 http://bugzilla.novell.com/show_bug.cgi?id=594501#c11 --- Comment #11 from Bernhard Wiedemann --- This is an autogenerated message for OBS integration: This bug (594501) was mentioned in https://build.opensuse.org/request/show/37898 Factory / ca-certificates -- You are receiving this mail because: You are on the CC list for the bug.