Hi, I noticed a while back that claws-mail never accepts GMail's SSL certificate, which is super fishy. It warns that the certificate is "unknown".
It turns out there are two details regarding this:

1) By default claws will always ask you about certificates for which you didn't explicitly add a certificate file (I think).
2) There is an option in the accounts settings "automatically accept valid SSL certificates". Off by default. If you turn it on, claws should use the system root CAs to validate certificates.

As I see it the warning I mentioned should only appear if:

 * "auto-accept" is OFF, or
 * "auto-accept" is ON, but verification of the cert failed.

Currently the warning is always shown. The reason is that our cert.pem path is not included in claws' search. This patch fixes this (and regenerates an out-of-date patch).

Can someone check all of my logic, and if it looks good, give an OK?

(BTW, IIRC, sylpheed has the same or a similar issue).

Index: Makefile =================================================================== RCS file: /home/edd/cvsync/ports/mail/claws-mail/Makefile,v retrieving revision 1.89 diff -u -p -r1.89 Makefile --- Makefile 9 Jul 2016 08:46:24 -0000 1.89 +++ Makefile 31 Jul 2016 10:58:24 -0000 @@ -10,7 +10,7 @@ COMMENT-gdata= gdata plugin V= 3.13.2 REVISION= 0 -REVISION-main= 1 +REVISION-main= 2 DISTNAME= claws-mail-${V} PKGNAME-main= ${DISTNAME} PKGNAME-bogofilter= claws-mail-bogofilter-${V} Index: patches/patch-configure_ac =================================================================== RCS file: /home/edd/cvsync/ports/mail/claws-mail/patches/patch-configure_ac,v retrieving revision 1.13 diff -u -p -r1.13 patch-configure_ac --- patches/patch-configure_ac 23 Dec 2015 23:12:23 -0000 1.13 +++ patches/patch-configure_ac 31 Jul 2016 10:57:35 -0000 @@ -1,6 +1,6 @@ -$OpenBSD: patch-configure_ac,v 1.13 2015/12/23 23:12:23 sthen Exp $ ---- configure.ac.orig Sun Dec 20 15:00:29 2015 -+++ configure.ac Sun Dec 20 19:33:56 2015 +$OpenBSD$ +--- configure.ac.orig Tue Jan 19 11:02:30 2016 ++++ configure.ac Sun Jul 31 11:52:43 2016 
@@ -149,7 +149,7 @@ AM_CONDITIONAL(CYGWIN, test x"$env_cygwin" = x"yes") if test "$GCC" = "yes" @@ -19,7 +19,7 @@ $OpenBSD: patch-configure_ac,v 1.13 2015 *dragonfly*) AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.])) ;; -@@ -733,6 +735,7 @@ if test x"$enable_alternate_addressbook" = xno; then +@@ -737,6 +739,7 @@ if test x"$enable_alternate_addressbook" = xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS="$LDAP_LIBS -lresolv") AC_CHECK_LIB(socket, bind, LDAP_LIBS="$LDAP_LIBS -lsocket") AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS="$LDAP_LIBS -lnsl") @@ -27,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.13 2015 AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS="$LDAP_LIBS -llber",, $LDAP_LIBS) -@@ -805,7 +808,7 @@ if test x"$enable_alternate_addressbook" = xno; then +@@ -809,7 +812,7 @@ if test x"$enable_alternate_addressbook" = xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ]) fi Index: patches/patch-src_common_ssl_c =================================================================== RCS file: patches/patch-src_common_ssl_c diff -N patches/patch-src_common_ssl_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_common_ssl_c 31 Jul 2016 11:31:15 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ + +Add OpenBSD CA cert path. + +--- src/common/ssl.c.orig Tue Jan 19 11:02:30 2016 ++++ src/common/ssl.c Sun Jul 31 12:31:11 2016 +@@ -115,6 +115,7 @@ const gchar *claws_ssl_get_cert_file(void) + { + #ifndef G_OS_WIN32 + const char *cert_files[]={ ++ "/etc/ssl/cert.pem", + "/etc/pki/tls/certs/ca-bundle.crt", + "/etc/certs/ca-bundle.crt", + "/etc/ssl/ca-bundle.pem", -- Best Regards Edd Barrett http://www.theunixzoo.co.uk
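
Review bot: In the new patches/patch-src_common_ssl_c hunk, "/etc/ssl/cert.pem" is inserted at the head of cert_files[] in claws_ssl_get_cert_file(), ahead of "/etc/pki/tls/certs/ca-bundle.crt", but the visible context stops at the array and does not show how the list is walked or what happens when no entry is found. Please confirm that the function returns the first path that exists and that an unmatched list leaves verification failing (so the "unknown certificate" prompt still appears with auto-accept ON) instead of silently accepting. The added entry sits under a plain #ifndef G_OS_WIN32 with no OpenBSD-specific guard, so it also looks suitable to send upstream, which would let this local patch be dropped at the next update.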