On Sun, 31 Jul 2016 12:52:03 +0100, Edd Barrett <e...@theunixzoo.co.uk>
wrote:
> Hi,
Hey,
> I noticed a while back that claws-mail never accepts GMail's SSL
> certificate, which is super fishy. Its warns that the certificate is
> "unknown".
>
> It turns out there are two details regarding this:
>
> 1) By default claws will always ask you about certificates for which
> you didn't explicitly add a certificate file for (I think).
>
> 2) There is an option in the accounts settings "automatically accept
> valid SSL certificates". Off by default. If you turn it on, claws
> should use the system root CAs to validate certificates.
>
> As I see it the warning I mentioned should only appear if:
>
> * "auto-accept" is OFF, or
> * "auto-accept" is ON, but verification of the cert failed.
>
> Currently the warning is always shown. The reason is that our cert.pem
> path is not included in claws' search. This patch fixes this (and
> regenerates an out-of-date patch).
>
> Can someone check all of my logic, and if it looks good, give an OK?
>
> (BTW, IIRC, sylpheed has the same or a similar issue).
It puzzled me bit in the past but I thought that I preferred to be warn
that the cert changed (as I didn't know the option "auto-accept") so I
never looked into it.
I really liked this change, thanks! (so obviously ok danj@).
Can you try to upstream the patch? Upstream was pretty cool for the
previous patches.
Cheers,
Daniel
>
> Index: Makefile
> ===================================================================
> RCS file: /home/edd/cvsync/ports/mail/claws-mail/Makefile,v
> retrieving revision 1.89
> diff -u -p -r1.89 Makefile
> --- Makefile 9 Jul 2016 08:46:24 -0000 1.89
> +++ Makefile 31 Jul 2016 10:58:24 -0000
> @@ -10,7 +10,7 @@ COMMENT-gdata= gdata plugin
>
> V= 3.13.2
> REVISION= 0
> -REVISION-main= 1
> +REVISION-main= 2
> DISTNAME= claws-mail-${V}
> PKGNAME-main= ${DISTNAME}
> PKGNAME-bogofilter= claws-mail-bogofilter-${V}
> Index: patches/patch-configure_ac
> ===================================================================
> RCS
> file: /home/edd/cvsync/ports/mail/claws-mail/patches/patch-configure_ac,v
> retrieving revision 1.13 diff -u -p -r1.13 patch-configure_ac
> --- patches/patch-configure_ac 23 Dec 2015 23:12:23
> -0000 1.13 +++ patches/patch-configure_ac 31 Jul 2016
> 10:57:35 -0000 @@ -1,6 +1,6 @@
> -$OpenBSD: patch-configure_ac,v 1.13 2015/12/23 23:12:23 sthen Exp $
> ---- configure.ac.orig Sun Dec 20 15:00:29 2015
> -+++ configure.ac Sun Dec 20 19:33:56 2015
> +$OpenBSD$
> +--- configure.ac.orig Tue Jan 19 11:02:30 2016
> ++++ configure.ac Sun Jul 31 11:52:43 2016
> @@ -149,7 +149,7 @@ AM_CONDITIONAL(CYGWIN, test x"$env_cygwin" =
> x"yes")
> if test "$GCC" = "yes"
> @@ -19,7 +19,7 @@ $OpenBSD: patch-configure_ac,v 1.13 2015
> *dragonfly*)
> AC_SEARCH_LIBS(encrypt, cipher, [],
> AC_MSG_ERROR(['encrypt'-function not found.])) ;;
> -@@ -733,6 +735,7 @@ if test x"$enable_alternate_addressbook" = xno;
> then +@@ -737,6 +739,7 @@ if test x"$enable_alternate_addressbook" =
> xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS="$LDAP_LIBS
> -lresolv") AC_CHECK_LIB(socket, bind, LDAP_LIBS="$LDAP_LIBS -lsocket")
> AC_CHECK_LIB(nsl, gethostbyaddr,
> LDAP_LIBS="$LDAP_LIBS -lnsl") @@ -27,7 +27,7 @@ $OpenBSD:
> patch-configure_ac,v 1.13 2015 AC_CHECK_LIB(lber, ber_get_tag,
> LDAP_LIBS="$LDAP_LIBS -llber",, $LDAP_LIBS)
>
> -@@ -805,7 +808,7 @@ if test x"$enable_alternate_addressbook" = xno;
> then +@@ -809,7 +812,7 @@ if test x"$enable_alternate_addressbook" =
> xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support
> in addressbook.) ]) fi
>
> Index: patches/patch-src_common_ssl_c
> ===================================================================
> RCS file: patches/patch-src_common_ssl_c
> diff -N patches/patch-src_common_ssl_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_common_ssl_c 31 Jul 2016 11:31:15 -0000
> @@ -0,0 +1,14 @@
> +$OpenBSD$
> +
> +Add OpenBSD CA cert path.
> +
> +--- src/common/ssl.c.orig Tue Jan 19 11:02:30 2016
> ++++ src/common/ssl.c Sun Jul 31 12:31:11 2016
> +@@ -115,6 +115,7 @@ const gchar *claws_ssl_get_cert_file(void)
> + {
> + #ifndef G_OS_WIN32
> + const char *cert_files[]={
> ++ "/etc/ssl/cert.pem",
> + "/etc/pki/tls/certs/ca-bundle.crt",
> + "/etc/certs/ca-bundle.crt",
> + "/etc/ssl/ca-bundle.pem",
>
>
