
Bug#1032385: smtp: SSL_CTX_load_verify_locations: No such file or directory


Felix Dietrich

Mar 5, 2023, 10:50:04 AM
Package: opensmtpd
Version: 6.8.0p2-3
Severity: normal
Tags: patch

On Debian Bullseye attempting to send a test mail from the command line
using the “smtp” program included in the “opensmtpd” package results in
the error message:

smtp: SSL_CTX_load_verify_locations: No such file or directory

The cause of this error message is a missing “/usr/lib/ssl/cert.pem”
file, which was, according to its changelog, only added to the “openssl”
package in version 3.0.5-3 [1]; this version is not available in the stable
archive. The path “/usr/lib/ssl/cert.pem” is passed to
“SSL_CTX_load_verify_locations” in “smtpc.c:145” (it is the result of the
call to “X509_get_default_cert_file” [2]):

	/* smtpc.c:145: a missing default CA file is a fatal error here */
	if (!SSL_CTX_load_verify_locations(ssl_ctx,
	    X509_get_default_cert_file(), NULL))
		fatal("SSL_CTX_load_verify_locations");

One solution to this issue would be to backport the addition of the
“/usr/lib/ssl/cert.pem” symlink to the “openssl” package to the older
version available in stable. This would likely also require an
additional dependency on the “ca-certificates” package so that the
symlink “/usr/lib/ssl/cert.pem” to “/etc/ssl/certs/ca-certificates.crt”
can actually be correctly resolved to a file. For this solution,
presumably, a bug report against the “openssl” package has to be created.

Another solution would be to call “SSL_CTX_set_default_verify_paths”
instead of “SSL_CTX_load_verify_locations”, as it does not consider
missing default locations an error [3]. It also has the advantage of
allowing the user to customise the certificates used by setting the
environment variables SSL_CERT_DIR and SSL_CERT_FILE. For this solution
I have attached a patch.

Footnotes:
[1] openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
    (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

-- Sebastian Andrzej Siewior <seba...@breakpoint.cc> Sun, 18 Sep 2022 21:48:05 +0200

[2] Compilation of this mini program to print the default certificate
file requires linking against libcrypto
(gcc src.c -o print_cert_file -lcrypto):

#include <stdio.h>
#include <stdlib.h>

#include <openssl/x509.h>

int main(int argc, char *argv[])
{
	/* Print the compiled-in default CA bundle path, e.g. /usr/lib/ssl/cert.pem */
	printf("%s\n", X509_get_default_cert_file());
	return EXIT_SUCCESS;
}

[3] <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html>


use_ssl_set_default_verify_paths.patch
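As an added illustration of the difference between the two OpenSSL calls (this is not part of the bug report, the attached patch, or the opensmtpd sources), the probes below use Python's ssl module, which wraps SSL_CTX_load_verify_locations, SSL_CTX_set_default_verify_paths and X509_get_default_cert_file directly; the "/nonexistent/cert.pem" path and the temporary file are constructed inputs.

```python
import os
import ssl
import tempfile

def probe_load_verify_locations(cafile):
    """Current smtpc.c call: SSL_CTX_load_verify_locations(ctx, cafile, NULL).
    False means OpenSSL rejected the file, the failure seen for a missing cert.pem."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
        return True
    except OSError:  # FileNotFoundError or ssl.SSLError (both OSError subclasses)
        return False

def probe_set_default_verify_paths():
    """Proposed fix: SSL_CTX_set_default_verify_paths(ctx). A missing default
    file or directory is not treated as an error, so this succeeds on Bullseye."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_default_verify_paths()
        return True
    except ssl.SSLError:
        return False

def default_cert_file():
    """The compiled-in path footnote [2] prints via X509_get_default_cert_file()."""
    return ssl.get_default_verify_paths().openssl_cafile

def resolved_cafile(env_override):
    """CA file the default lookup picks when SSL_CERT_FILE is env_override:
    the override wins over the compiled-in path; a missing path resolves to None."""
    saved = os.environ.get("SSL_CERT_FILE")
    os.environ["SSL_CERT_FILE"] = env_override
    try:
        return ssl.get_default_verify_paths().cafile
    finally:
        if saved is None:
            del os.environ["SSL_CERT_FILE"]
        else:
            os.environ["SSL_CERT_FILE"] = saved

def demo():
    """Run the probes on constructed paths (no real CA bundle needed)."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as bundle:  # constructed stand-in
        return {
            "load_missing_file": probe_load_verify_locations("/nonexistent/cert.pem"),
            "default_paths": probe_set_default_verify_paths(),
            "env_override_existing": resolved_cafile(bundle.name) == bundle.name,
            "env_override_missing": resolved_cafile("/nonexistent/cert.pem"),
        }
```

Note that with set_default_verify_paths a missing bundle only surfaces later, as a verification failure on the first TLS connection, rather than as a fatal error at context setup.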

Felix Dietrich

Mar 5, 2023, 11:10:04 AM
Sorry, I accidentally sent the report twice (duplicate is #1032384 with
a minor typo). How do I fix this?
--
Felix Dietrich

Ryan Kavanagh

Mar 5, 2023, 6:10:04 PM
Control: merge 1032384 1032385

On Sun, Mar 05, 2023 at 04:52:35PM +0100, Felix Dietrich wrote:
> Sorry, I accidentally sent the report twice (duplicate is #1032384 with
> a minor typo). How do I fix this?

Using the merge command:
https://www.debian.org/Bugs/server-control#merge

Best,
Ryan

--
|)|/ Ryan Kavanagh | 4E46 9519 ED67 7734 268F
|\|\ https://rak.ac | BD95 8F7B F8FC 4A11 C97A