[Evolution] Bug#616587: Bug#616587: Bug#616587: evolution: SSL certificate warning, but openssl and gnutls have no problem with the certificate

Sun Mar 6 20:38:19 UTC 2011

On Sun, 2011-03-06 at 10:00 -0800, Josh Triplett wrote:
> retitle 616587 evolution: No certificate authorities available (libnssckbi.so not found)
> thanks
> 
> On Sun, Mar 06, 2011 at 12:08:53PM +0100, Yves-Alexis Perez wrote:
> > On dim., 2011-03-06 at 02:51 -0800, Josh Triplett wrote:
> > > On Sun, Mar 06, 2011 at 11:09:06AM +0100, Yves-Alexis Perez wrote:
> > > > On sam., 2011-03-05 at 12:11 -0800, Josh Triplett wrote:
> > > > > I wanted to try evolution again, so I started setting up an email
> > > > > account.  When configuring SMTP, I entered the server "mail.gandi.net",
> > > > > selected "SSL encryption" from the "Use secure connection" dropdown,
> > > > > checked "Server requires authentication", and hit "Check for Supported
> > > > > Types".  This connected to the SMTP server via smtps, and promptly
> > > > > gave the following SSL certificate warning: 
> > > > 
> > > > Is the CA in the NSS certificate store? (you can look at it in the
> > > > Evolution preferences, “Certificate” tab).
> > > 
> > > Evolution doesn't seem to have any certificates listed under
> > > "Certificates" -> "Authorities" at all.
> > 
> > That looks weird indeed. Is there something unusual in your install?
> 
> Not that I know of, but obviously *something* has gone wrong somewhere.
> :)

Is it completely up2date? Looking at the initial mail it seems that nss
is a beta version, which might be related:

ii  libnss3-1d              3.12.9~beta2-1   Network Security Service libraries

while experimental has 3.12.9-2 and sid has 3.12.8-2. Try updating to
latest version in experimental and report back?

> 
> Doing a bit of searching turned up bug 563253 and 563324, and this looks
> very much like the same issue.  Following the advice in those bugs, I
> tried stracing evolution, and sure enough:
> 
> 2679  open("/home/josh/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file or directory)
> 
> And no other attempt occurs to open libnssckbi.so.
> 
> Doing this:
> mkdir -p ~/.pki/nssdb
> ln -s /usr/lib/nss/libnssckbi.so ~/.pki/nssdb/

So .pki didn't exist at all?
> 
> before launching evolution caused it to properly validate my mail
> server's CA certificate.  That rather definitively suggests that the
> issue from those previous bug reports has returned.
> 
> I see that evolution 2.32.2-1 had this changelog entry:
>   * debian/patches:
>     - 02_let-nss-search-for-nssckbi, 03_correctly-init-nss and
>       04_login-to-nss-on-demand dropped, included upstream.
> 
> A quick check of the source confirms that evolution still tries to
> search for libnssckbi itself, so the functionality of
> 02_let-nss-search-for-nssckbi did not get included upstream.

Sounds fishy, it's worth trying with a more recent nss.
> 
> CCing Mike Hommey as well.
> 
> > > Shouldn't Evolution just use the CA certificates from ca-certificates
> > > (plus any additions by the user)?
> > 
> > Evolution uses NSS for the imap/smtp secure connections, so it uses
> > whatever NSS uses (and unfortunately not ca-certificates).
> 
> Sigh, but in any case that seems like a separate issue.
> 

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-evolution-maintainers/attachments/20110306/37b53ae9/attachment.pgp>