Bug 473458

Summary: looking in wrong place for root cert
Product: [Fedora] Fedora
Reporter: Patrick C. F. Ernzer <pcfe>
Component: loudmouth
Assignee: Brian Pepple <bdpepple>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 10
CC: bdpepple, lkundrak, otaylor, sander
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-12-10 04:36:38 UTC

Description Patrick C. F. Ernzer 2008-11-28 16:07:00 UTC
Description of problem:
loudmouth looks in /etc/ssl/certs/ca-certificates.crt instead of /etc/pki/tls/certs/ca-bundle.crt when verifying SSL certificates.

Version-Release number of selected component (if applicable):
loudmouth-1.4.3

How reproducible:
always

Steps to Reproduce:
1. be sure to circumvent Bug 473436
2. have a jabber account defined as follows;
  - Encryption required: on
  - Ignore SSL cert errors: off
  - server field empty
  - port: 0
  - Use old SSL: off
3. try to connect
  
Actual results:
Network error in GUI
** (telepathy-gabble:5418): DEBUG: _gabble_connection_connect: letting SRV lookup decide server and port
[...]
** (telepathy-gabble:5418): DEBUG: connection_ssl_cb: called: The certificate can not be trusted.


Expected results:
as /etc/pki/tls/certs/ca-bundle.crt is the default location for root certs in Fedora, loudmouth should check there.

Additional info:
as per irc FreeNode, #telepathy, this is a compile time option, not a setting. As such can you please rebuild?

Comment 1 Patrick C. F. Ernzer 2008-11-28 16:09:38 UTC
forgot to add, verified that it's looking in the wrong place with
# mkdir -p /etc/ssl/certs/
# ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

(took that workaround away again of course as it's ugly)

Comment 2 Brian Pepple 2008-11-28 23:42:33 UTC
(In reply to comment #0)
> as per irc FreeNode, #telepathy, this is a compile time option, not a setting.
> As such can you please rebuild?

What's the configure option for that?  Giving the config file a quick look, I see no option to set the cert location.

Comment 3 Brian Pepple 2008-11-28 23:53:52 UTC
Ok, after digging into this a little further, it looks like setting the cert location is not a config option, and the cert location is hard-coded in lm-ssl-gnutls.c:

#define CA_PEM_FILE "/etc/ssl/certs/ca-certificates.crt"
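
Added example, not part of the original thread and not loudmouth's code or the Fedora fix: one way to avoid depending on a single hard-coded path like the CA_PEM_FILE define above is to probe known bundle locations and fail closed when none is usable. The candidate order and the function names find_ca_bundle and ca_bundle_usable are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Candidate CA bundle locations, both taken from this bug report.
 * The search order is an assumption of this example. */
static const char *const ca_bundle_candidates[] = {
    "/etc/pki/tls/certs/ca-bundle.crt",   /* Fedora default, per the report */
    "/etc/ssl/certs/ca-certificates.crt", /* path hard-coded in lm-ssl-gnutls.c */
    NULL
};

/* A usable bundle is a readable, non-empty regular file (symlinks are
 * followed, so the workaround symlink from comment 1 would also pass). */
static int ca_bundle_usable(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return 0;                       /* missing or unreachable */
    if (!S_ISREG(st.st_mode) || st.st_size == 0)
        return 0;                       /* directory, device, or empty file */
    return access(path, R_OK) == 0;
}

/* Return the first usable candidate from a NULL-terminated list, or NULL.
 * The caller must treat NULL as "cannot verify" and refuse the connection
 * rather than continue without a trust store. */
const char *find_ca_bundle(const char *const *candidates)
{
    for (size_t i = 0; candidates[i] != NULL; i++)
        if (ca_bundle_usable(candidates[i]))
            return candidates[i];
    return NULL;
}

int main(void)
{
    const char *path = find_ca_bundle(ca_bundle_candidates);

    if (path == NULL) {
        fprintf(stderr, "no CA bundle found; refusing to connect\n");
        return 1;
    }
    printf("using CA bundle: %s\n", path);
    return 0;
}
```

The returned path is what would be handed to the TLS library's trust-file loader in place of the compile-time constant.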

Comment 4 Fedora Update System 2008-11-29 00:56:39 UTC
loudmouth-1.4.3-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/loudmouth-1.4.3-1.fc10

Comment 5 Patrick C. F. Ernzer 2008-12-01 11:20:03 UTC
(In reply to comment #4)
> loudmouth-1.4.3-1.fc10 has been submitted as an update for Fedora 10.

Confirm 1.4.3-1.fc10 fixes the bug. You can do CLOSED

Comment 6 Brian Pepple 2008-12-01 12:23:12 UTC
re-opening, so bodhi can close it when it's pushed to stable

Comment 7 Fedora Update System 2008-12-03 01:10:04 UTC
loudmouth-1.4.3-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update loudmouth'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-10490

Comment 8 Fedora Update System 2008-12-10 04:36:32 UTC
loudmouth-1.4.3-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.