[Bug 852713] New: fetchmail does not know the correct certificate path
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c0

Summary: fetchmail does not know the correct certificate path
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: nrickert@ameritech.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

When I use "fetchmail entryname" (where entryname is an entry in my ".fetchmailrc"), I am getting a certificate error message.

If I use

fetchmail --sslcertpath /etc/ssl/certs entryname

then it works fine (for the particular entry).

Looking at "/etc/ssl/certs", that sure looks like the correct path -- there are lots of certificates there.

Is it possible that "fetchmail" was not properly configured for the certificate path before compiling?

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c

zhang jiajun <jzhang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jzhang@suse.com
         AssignedTo|bnc-team-screening@forge.pr |vcizek@suse.com
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c1

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |vcizek@suse.com

--- Comment #1 from Vitezslav Cizek <vcizek@suse.com> 2013-11-28 17:25:23 CET ---
(In reply to comment #0)
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
>
> When I use "fetchmail entryname" (where entryname is an entry in my ".fetchmailrc"), I am getting a certificate error message.
>
> If I use fetchmail --sslcertpath /etc/ssl/certs entryname then it works fine (for the particular entry).

Setting sslcertpath to /etc/ssl/certs will make a sane default. You can place it in your .fetchmailrc file as well.

> Looking at "/etc/ssl/certs", that sure looks like the correct path -- there are lots of certificates there.
>
> Is it possible that "fetchmail" was not properly configured for the certificate path before compiling?

Fetchmail currently doesn't support these compile-time settings, but we can easily patch it for sure.
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c2

--- Comment #2 from Neil Rickert <nrickert@ameritech.net> 2013-11-28 18:21:28 UTC ---
I realize that I can add to ".fetchmailrc"

I've never had to do that in the past, so something has changed.

After reporting this bug, it did occur to me that "fetchmail" was previously using "openssl" defaults. Does "openssl" still have a default, or has that changed?
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c3

--- Comment #3 from Vitezslav Cizek <vcizek@suse.com> 2013-11-29 15:45:27 CET ---
(In reply to comment #2)
> I realize that I can add to ".fetchmailrc"
>
> I've never had to do that in the past, so something has changed.

Your mail server may have changed its certificate. Perhaps it's now self-signed, which will emit the warning.

> After reporting this bug, it did occur to me that "fetchmail" was previously using "openssl" defaults. Does "openssl" still have a default, or has that changed?

It's still using SSL_CTX_set_default_verify_paths.
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c4

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |lnussel@suse.com

--- Comment #4 from Vitezslav Cizek <vcizek@suse.com> 2013-11-29 16:20:08 CET ---
So, apparently there's been a change in OpenSSL recently, which deprecated the /etc/ssl/certs:

-------------------------------------------------------------------
Tue Jul  2 09:02:59 UTC 2013 - lnussel@suse.de

- Don't use the legacy /etc/ssl/certs directory anymore but rather the
  p11-kit generated /var/lib/ca-certificates/openssl one
  (fate#314991, openssl-1.0.1e-truststore.diff)

Ludwig,
Apparently the /etc/ssl/certs and the /var/lib/ca-certificates/openssl differ (eg. on my machine the SUSE CA is only in /etc/ssl/certs). Is this expected?
Should the user add it by hand? Or in this case specify using /etc/ssl/certs?
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c5

--- Comment #5 from Neil Rickert <nrickert@ameritech.net> 2013-11-29 16:39:04 UTC ---
Thanks. That openssl change explains my problem.

So I added the certificate I need to "/var/lib/ca-certificates/openssl" and tried again. Still no-go.

It looks as if the "c_rehash" script still defaults to using "/etc/ssl/certs". So the move to the new place is incomplete until the "c_rehash" script is fixed to match.

I just moved the symlink files from the old directory to the new, as a work-around, and now "fetchmail" no longer complains.
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c6

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|lnussel@suse.com            |

--- Comment #6 from Ludwig Nussel <lnussel@suse.com> 2013-12-09 09:04:24 CET ---
(In reply to comment #4)
> So, apparently there's been a change in openSSL recently, which deprecated the /etc/ssl/certs:
>
> -------------------------------------------------------------------
> Tue Jul  2 09:02:59 UTC 2013 - lnussel@suse.de
>
> - Don't use the legacy /etc/ssl/certs directory anymore but rather the
>   p11-kit generated /var/lib/ca-certificates/openssl one
>   (fate#314991, openssl-1.0.1e-truststore.diff)
>
> Ludwig,
> Apparently the /etc/ssl/certs and the /var/lib/ca-certificates/openssl differ (eg. on my machine the SUSE CA is only in /etc/ssl/certs). Is this expected?

No. You need to put custom certificates in /etc/pki/trust/anchors resp. /usr/share/pki/trust/anchors/, then run update-ca-certificates.

> Should the user add it by hand? Or in this case specify using /etc/ssl/certs?

Calling SSL_CTX_set_default_verify_paths() does the right thing.
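The mismatch noticed in comment #4 (a CA present in /etc/ssl/certs but not in /var/lib/ca-certificates/openssl) is easiest to pin down by comparing the two directories by certificate fingerprint rather than by file name, because the hash symlinks c_rehash creates give one certificate several names. The script below is an added example for this thread, not code from fetchmail, openSUSE or any of the participants. It also reports, via Python's ssl.get_default_verify_paths(), the CAfile/CApath defaults that SSL_CTX_set_default_verify_paths() (comments #3 and #6) would use on the host it runs on. The directory and file names inside demo() are constructed stand-ins for the two stores, and the "certificates" are PEM-armoured dummy bytes, not real X.509 data.

```python
"""Diff two OpenSSL trust-store directories by certificate fingerprint.

Added example for this bug thread (not code from fetchmail, openSUSE or the
reporters). c_rehash hash symlinks give one certificate several names, so the
comparison is made on the SHA-256 of each DER body instead of on file names.
"""
import base64
import hashlib
import os
import re
import ssl
import tempfile

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def default_verify_paths():
    """Where SSL_CTX_set_default_verify_paths() looks on this host.

    Python's ssl module reports OpenSSL's compile-time CAfile/CApath defaults
    and the SSL_CERT_FILE / SSL_CERT_DIR environment variables overriding them.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile, "cafile_env": p.openssl_cafile_env,
        "capath": p.openssl_capath, "capath_env": p.openssl_capath_env,
    }


def pem_fingerprints(data):
    """SHA-256 hex fingerprint of every CERTIFICATE block in a PEM byte string."""
    fps = []
    for body in PEM_CERT_RE.findall(data):
        der = base64.b64decode(b"".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def store_fingerprints(directory):
    """Map fingerprint -> sorted file names in `directory` carrying that cert.

    os.path.isfile() follows symlinks, so a c_rehash 'hash.N' link and its
    target both land on the same fingerprint and the CA is counted once.
    """
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            for fp in pem_fingerprints(fh.read()):
                result.setdefault(fp, []).append(name)
    return result


def diff_trust_stores(old_dir, new_dir):
    """Return (only_in_old, only_in_new, shared) as sets of fingerprints."""
    old = set(store_fingerprints(old_dir))
    new = set(store_fingerprints(new_dir))
    return old - new, new - old, old & new


def _fake_pem(label):
    """Constructed stand-in for a certificate file: PEM armour around 64
    deterministic bytes. Not real X.509; it only exercises the comparison."""
    der = hashlib.sha256(label.encode()).digest() * 2
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def demo():
    """Build two constructed store directories (stand-ins for /etc/ssl/certs
    and /var/lib/ca-certificates/openssl) and report the mismatch by name."""
    with tempfile.TemporaryDirectory() as base:
        legacy = os.path.join(base, "etc_ssl_certs")
        p11kit = os.path.join(base, "ca-certificates_openssl")
        os.mkdir(legacy)
        os.mkdir(p11kit)
        contents = {legacy: ["root-a.pem", "suse-ca.pem"],
                    p11kit: ["root-a.pem", "root-b.pem"]}
        for directory, names in contents.items():
            for name in names:
                with open(os.path.join(directory, name), "wb") as fh:
                    fh.write(_fake_pem(name))
        try:  # c_rehash-style hash link: a second name for the same certificate
            os.symlink("root-a.pem", os.path.join(legacy, "0a1b2c3d.0"))
        except (OSError, NotImplementedError):
            pass  # platform without symlink support; the result is unchanged
        only_old, only_new, shared = diff_trust_stores(legacy, p11kit)
        old_names = store_fingerprints(legacy)
        new_names = store_fingerprints(p11kit)
        return {
            "only_in_legacy": sorted(n for fp in only_old for n in old_names[fp]),
            "only_in_p11kit": sorted(n for fp in only_new for n in new_names[fp]),
            "shared": len(shared),
        }


if __name__ == "__main__":
    print("default verify paths:", default_verify_paths())
    print("constructed stores:", demo())
```

On a real system, point diff_trust_stores() at the two directories from comment #4; anything reported only in the legacy directory is a candidate for the /etc/pki/trust/anchors plus update-ca-certificates route comment #6 describes, rather than for hand-copying symlinks as in comment #5.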
https://bugzilla.novell.com/show_bug.cgi?id=852713
https://bugzilla.novell.com/show_bug.cgi?id=852713#c7

Vitezslav Cizek <vcizek@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |INVALID

--- Comment #7 from Vitezslav Cizek <vcizek@suse.com> 2013-12-11 13:54:41 CET ---
So there's nothing to be fixed in fetchmail, as it's correctly calling SSL_CTX_set_default_verify_paths. The problem resides within the certificate management.