[Evolution] Bug#616587: Bug#616587: evolution: SSL certificate warning, but openssl and gnutls have no problem with the certificate

Josh Triplett josh at joshtriplett.org
Sun Mar 6 18:00:57 UTC 2011 

retitle 616587 evolution: No certificate authorities available (libnssckbi.so not found)
thanks

On Sun, Mar 06, 2011 at 12:08:53PM +0100, Yves-Alexis Perez wrote:
> On dim., 2011-03-06 at 02:51 -0800, Josh Triplett wrote:
> > On Sun, Mar 06, 2011 at 11:09:06AM +0100, Yves-Alexis Perez wrote:
> > > On sam., 2011-03-05 at 12:11 -0800, Josh Triplett wrote:
> > > > I wanted to try evolution again, so I started setting up an email
> > > > account.  When configuring SMTP, I entered the server "mail.gandi.net",
> > > > selected "SSL encryption" from the "Use secure connection" dropdown,
> > > > checked "Server requires authentication", and hit "Check for Supported
> > > > Types".  This connected to the SMTP server via smtps, and promptly
> > > > gave the following SSL certificate warning: 
> > > 
> > > Is the CA in the NSS certificate store? (you can look at it in the
> > > Evolution preferences, “Certificate” tab).
> > 
> > Evolution doesn't seem to have any certificates listed under
> > "Certificates" -> "Authorities" at all.
> 
> That looks weird indeed. Is there something unusual in your install?

Not that I know of, but obviously *something* has gone wrong somewhere.
:)

Doing a bit of searching turned up bug 563253 and 563324, and this looks
very much like the same issue.  Following the advice in those bugs, I
tried stracing evolution, and sure enough:

2679  open("/home/josh/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file or directory)

And no other attempt occurs to open libnssckbi.so.

Doing this:
mkdir -p ~/.pki/nssdb
ln -s /usr/lib/nss/libnssckbi.so ~/.pki/nssdb/

before launching evolution caused it to properly validate my mail
server's CA certificate.  That rather definitively suggests that the
issue from those previous bug reports has returned.

I see that evolution 2.32.2-1 had this changelog entry:
  * debian/patches:
    - 02_let-nss-search-for-nssckbi, 03_correctly-init-nss and
      04_login-to-nss-on-demand dropped, included upstream.

A quick check of the source confirms that evolution still tries to
search for libnssckbi itself, so the functionality of
02_let-nss-search-for-nssckbi did not get included upstream.

CCing Mike Hommey as well.

> > Shouldn't Evolution just use the CA certificates from ca-certificates
> > (plus any additions by the user)?
> 
> Evolution uses NSS for the imap/smtp secure connections, so it uses
> whatever NSS uses (and unfortunately not ca-certificates).

Sigh, but in any case that seems like a separate issue.

- Josh Triplett

More information about the Pkg-evolution-maintainers mailing list