
List:       openbsd-ports
Subject:    FIX: SSL in claws-mail
From:       Edd Barrett <edd () theunixzoo ! co ! uk>
Date:       2016-07-31 11:52:03
Message-ID: 20160731115203.GC44264 () wilfred ! dlink ! com

Hi,

I noticed a while back that claws-mail never accepts GMail's SSL
certificate, which is super fishy. It warns that the certificate is
"unknown".

It turns out there are two details regarding this:

1) By default claws will always ask you about certificates for which you
didn't explicitly add a certificate file (I think).

2) There is an option in the accounts settings "automatically accept
valid SSL certificates". Off by default. If you turn it on, claws should
use the system root CAs to validate certificates.

As I see it the warning I mentioned should only appear if:

 * "auto-accept" is OFF, or
 * "auto-accept" is ON, but verification of the cert failed.

Currently the warning is always shown. The reason is that our cert.pem
path is not included in claws' search. This patch fixes this (and
regenerates an out-of-date patch).

Can someone check all of my logic, and if it looks good, give an OK?

(BTW, IIRC, sylpheed has the same or a similar issue).


Index: Makefile
===================================================================
RCS file: /home/edd/cvsync/ports/mail/claws-mail/Makefile,v
retrieving revision 1.89
diff -u -p -r1.89 Makefile
--- Makefile	9 Jul 2016 08:46:24 -0000	1.89
+++ Makefile	31 Jul 2016 10:58:24 -0000
@@ -10,7 +10,7 @@ COMMENT-gdata=		gdata plugin
 
 V=			3.13.2
 REVISION=		0
-REVISION-main=		1
+REVISION-main=		2
 DISTNAME=		claws-mail-${V}
 PKGNAME-main=		${DISTNAME}
 PKGNAME-bogofilter=	claws-mail-bogofilter-${V}
Index: patches/patch-configure_ac
===================================================================
RCS file: /home/edd/cvsync/ports/mail/claws-mail/patches/patch-configure_ac,v
retrieving revision 1.13
diff -u -p -r1.13 patch-configure_ac
--- patches/patch-configure_ac	23 Dec 2015 23:12:23 -0000	1.13
+++ patches/patch-configure_ac	31 Jul 2016 10:57:35 -0000
@@ -1,6 +1,6 @@
-$OpenBSD: patch-configure_ac,v 1.13 2015/12/23 23:12:23 sthen Exp $
---- configure.ac.orig	Sun Dec 20 15:00:29 2015
-+++ configure.ac	Sun Dec 20 19:33:56 2015
+$OpenBSD$
+--- configure.ac.orig	Tue Jan 19 11:02:30 2016
++++ configure.ac	Sun Jul 31 11:52:43 2016
 @@ -149,7 +149,7 @@ AM_CONDITIONAL(CYGWIN, test x"$env_cygwin" = x"yes")
  
  if test "$GCC" = "yes"
@@ -19,7 +19,7 @@ $OpenBSD: patch-configure_ac,v 1.13 2015
  	*dragonfly*)
  		AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.]))
  	;;
-@@ -733,6 +735,7 @@ if test x"$enable_alternate_addressbook" = xno; then
+@@ -737,6 +739,7 @@ if test x"$enable_alternate_addressbook" = xno; then
  		AC_CHECK_LIB(resolv, res_query, LDAP_LIBS="$LDAP_LIBS -lresolv")
  		AC_CHECK_LIB(socket, bind, LDAP_LIBS="$LDAP_LIBS -lsocket")
  		AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS="$LDAP_LIBS -lnsl")
@@ -27,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.13 2015
  		AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS="$LDAP_LIBS -llber",,
  				 $LDAP_LIBS)
  
-@@ -805,7 +808,7 @@ if test x"$enable_alternate_addressbook" = xno; then
+@@ -809,7 +812,7 @@ if test x"$enable_alternate_addressbook" = xno; then
  					   AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ])
  		fi
  
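Review bot: The only changes visible in this last patch-configure_ac hunk, as in the ones above it, are shifted offsets (805 to 809 here, 733 to 737 earlier) plus new timestamps and the reset $OpenBSD$ tag, so this is regeneration churn unrelated to the certificate fix. Say so in the commit message, or commit the regen separately, so the functional change in patch-src_common_ssl_c is easy to find in the history.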
Index: patches/patch-src_common_ssl_c
===================================================================
RCS file: patches/patch-src_common_ssl_c
diff -N patches/patch-src_common_ssl_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_ssl_c	31 Jul 2016 11:31:15 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Add OpenBSD CA cert path.
+
+--- src/common/ssl.c.orig	Tue Jan 19 11:02:30 2016
++++ src/common/ssl.c	Sun Jul 31 12:31:11 2016
+@@ -115,6 +115,7 @@ const gchar *claws_ssl_get_cert_file(void)
+ {
+ #ifndef G_OS_WIN32
+ 	const char *cert_files[]={
++		"/etc/ssl/cert.pem",
+ 		"/etc/pki/tls/certs/ca-bundle.crt",
+ 		"/etc/certs/ca-bundle.crt",
+ 		"/etc/ssl/ca-bundle.pem",
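Review bot: The new "/etc/ssl/cert.pem" entry at the head of cert_files carries only the one-line description "Add OpenBSD CA cert path.", which does not record why it matters: without this path no CA bundle is found and the "unknown" certificate warning appears even with auto-accept enabled. Please expand the description accordingly. The hunk does not show how cert_files is searched, so confirm that it is first-match and then test both directions with auto-accept ON: a valid certificate is accepted silently, and a certificate that fails verification still raises the warning. The entry sits in the generic non-Windows list, so it is also a candidate to send upstream instead of carrying it as a local patch.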


-- 
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk
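
The failure mode described in the message above, as an added example that is not part of the original post or of claws-mail's code: when none of the probed CA bundle paths exists, nothing can verify, so the prompt appears even with auto-accept on. `first_ca_bundle` and `must_prompt` are hypothetical names, and first-match probing of the list is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: return the first readable CA bundle from a
 * NULL-terminated candidate list, or NULL when none of them exists. */
const char *first_ca_bundle(const char *const *candidates)
{
	for (size_t i = 0; candidates[i] != NULL; i++) {
		if (access(candidates[i], R_OK) == 0)
			return candidates[i];
	}
	return NULL;
}

/* Hypothetical decision matching the two cases listed in the message:
 * prompt when auto-accept is off, or when it is on but verification
 * failed. With no trust store loaded, verification cannot succeed. */
bool must_prompt(bool auto_accept, const char *ca_bundle, bool chain_verified)
{
	if (!auto_accept)
		return true;
	if (ca_bundle == NULL)
		return true;	/* no roots: every certificate is "unknown" */
	return !chain_verified;
}

int main(void)
{
	/* The entries visible in the hunk; the real list continues. */
	const char *const patched[] = {
		"/etc/ssl/cert.pem",
		"/etc/pki/tls/certs/ca-bundle.crt",
		"/etc/certs/ca-bundle.crt",
		"/etc/ssl/ca-bundle.pem",
		NULL
	};
	const char *bundle = first_ca_bundle(patched);

	printf("CA bundle: %s\n", bundle ? bundle : "(none found)");
	printf("prompt for a verified cert with auto-accept on: %s\n",
	    must_prompt(true, bundle, true) ? "yes" : "no");
	return 0;
}
```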
