Bug 114003

Field | Value
---|---
Summary | Evolution fails to recognise a valid SSL/TLS server certificate
Product | [Retired] Red Hat Linux
Component | evolution
Version | 9
Hardware | i386
OS | Linux
Reporter | Jon Warbrick <jw35>
Assignee | Dave Malcolm <dmalcolm>
CC | benl, bressers, rbulling, rousseau
Status | CLOSED CURRENTRELEASE
Severity | medium
Priority | medium
Keywords | Security
Fixed In Version | FC4
Doc Type | Bug Fix
Last Closed | 2005-10-22 00:08:57 UTC
Bug Blocks | 171511
Description
Jon Warbrick
2004-01-21 10:12:56 UTC
Evolution 1.2.2 is a relatively old version, these days. Do similar problems occur for Evolution 1.4.* or later versions? In Evolution 1.5.93 I can select Tools->Settings->Certificates and view Evolution's known certificates that way.

Well, Evolution 1.2.2 was the version from RH9 that had the problem. The demise of RH9 and the change to licensing and release arrangements mean that I'm no longer using Red Hat (nor Fedora) for this application, so I'm not in a position to test anything more current. One of my colleagues investigated a similar problem with Evolution 1.4.4 and 1.4.6 in the distribution we are now using. In this case the problem was that Evolution's OpenSSL code was not calling SSL_CTX_set_default_verify_paths(ssl_ctx); to select use of OpenSSL's default certificate path. He submitted a patch to the Evolution project but they have declined to include it since the current 1.5 uses a different crypto library by default (though the broken OpenSSL code is still provided, just not built). So it may well be that the problem is fixed in 1.5.

This is still a problem in Evolution 1.4.6, as shipped with Fedora Core 2. I hope Fedora chooses to fix this issue in a security errata.

Jon Warbrick hit this one on the head. Fedora Core 3 and above avoid this bug by using the Mozilla NSS SSL cert code instead of the unsupported OpenSSL code. However, it would still be worth fixing this, since the problem is well-understood and Fedora Core 2 is still supported. Here is a patch to the spec file that fixes the problem (also see below for the patch referenced in the spec file):

--- evolution.spec.dist 2005-03-22 10:02:40.085564332 -0500 +++ evolution.spec 2005-03-22 10:02:44.244035041 -0500 @@ -22,7 +22,7 @@ Name: evolution Version: 1.4.6 -Release: 2 +Release: 2.1.PKR License: GPL BuildRoot: %{_tmppath}/%{name}-%{version}-root URL: http://www.ximian.com/ @@ -60,6 +60,12 @@ # evolution-wombat but it does work to fix the problem Patch500: evolution-wombat-sm.patch +# Fixes openssl certificate negotiation, ximian rejected patch due +# to unsupported state of openssl in evolution. +# http://lists.ximian.com/archives/public/evolution-hackers/2004-August/004222.html +Patch600: evolution-1.4.6-openssl-verify-cert.patch + + Summary: GNOME's next-generation groupware suite Group: Applications/Productivity @@ -162,6 +168,8 @@ #patch500 -p0 -b .wombatsm +%patch600 -p1 -b .openssl-verify-cert + mkdir -p krb5-fakeprefix/include mkdir -p krb5-fakeprefix/lib mkdir -p krb5-fakeprefix/%{_lib}

This patch should be put in the file "evolution-1.4.6-openssl-verify-cert.patch":

diff -urNp -urNp evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c evolution-1.4.6/camel/camel-tcp-stream-openssl.c --- evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c 2003-03-03 22:53:15.000000000 +0000 +++ evolution-1.4.6/camel/camel-tcp-stream-openssl.c 2004-08-18 15:20:09.282083003 +0100 @@ -735,6 +735,7 @@ open_ssl_connection (CamelService *servi ssl_ctx = SSL_CTX_new (SSLv23_client_method ()); g_return_val_if_fail (ssl_ctx != NULL, NULL); + SSL_CTX_set_default_verify_paths(ssl_ctx); SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, &ssl_verify); ssl = SSL_new (ssl_ctx); SSL_set_fd (ssl, sockfd);

Cleanup of bugzilla: resolving this bug as the issue is fixed in current release (FC4), and does not affect FC3.
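Review bot: In the spec hunk at `@@ -60,6 +60,12 @@`, the two trailing added blank lines after `+Patch600: evolution-1.4.6-openssl-verify-cert.patch` serve no purpose and should be dropped so the hunk only carries the new Patch600 definition and its comment; the comment itself, which records that upstream rejected the change and links the list archive thread, is exactly the provenance a locally carried patch should document and should stay.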
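Review bot: In the %prep hunk at `@@ -162,6 +168,8 @@`, `+%patch600 -p1 -b .openssl-verify-cert` uses the right strip level, since the source patch below is rooted one directory deep (`evolution-1.4.6.old/camel/camel-tcp-stream-openssl.c`); note that the patch headers show it was generated against a file dated 2003-03-03, so a scratch build should confirm the hunk still applies cleanly to the 1.4.6 copy of camel/camel-tcp-stream-openssl.c before the spec change is committed.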
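Review bot: In the camel-tcp-stream-openssl.c hunk at `@@ -735,6 +735,7 @@`, the return value of `SSL_CTX_set_default_verify_paths(ssl_ctx)` is ignored. OpenSSL returns 1 on success and 0 when the default CA file or directory cannot be loaded, and in that case the context is left with an empty trust store, so peer verification fails just as it did before the patch but now silently. Suggest checking the result and refusing to continue, in the same style the surrounding code already uses for `SSL_CTX_new`, for example `if (!SSL_CTX_set_default_verify_paths (ssl_ctx)) { SSL_CTX_free (ssl_ctx); return NULL; }`, or at least logging the failure before `SSL_CTX_set_verify` is reached. The added line also uses a different spacing style from the neighbouring calls (`SSL_CTX_set_verify (`), which is worth matching.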