[Evolution] Bug#616587: Bug#616587: Bug#616587: evolution: SSL certificate warning, but openssl and gnutls have no problem with the certificate

Sun Mar 6 21:07:17 UTC 2011

On Sun, Mar 06, 2011 at 09:38:19PM +0100, Yves-Alexis Perez wrote:
> On Sun, 2011-03-06 at 10:00 -0800, Josh Triplett wrote:
> > retitle 616587 evolution: No certificate authorities available (libnssckbi.so not found)
> > thanks
> > 
> > On Sun, Mar 06, 2011 at 12:08:53PM +0100, Yves-Alexis Perez wrote:
> > > On dim., 2011-03-06 at 02:51 -0800, Josh Triplett wrote:
> > > > On Sun, Mar 06, 2011 at 11:09:06AM +0100, Yves-Alexis Perez wrote:
> > > > > On sam., 2011-03-05 at 12:11 -0800, Josh Triplett wrote:
> > > > > > I wanted to try evolution again, so I started setting up an email
> > > > > > account.  When configuring SMTP, I entered the server "mail.gandi.net",
> > > > > > selected "SSL encryption" from the "Use secure connection" dropdown,
> > > > > > checked "Server requires authentication", and hit "Check for Supported
> > > > > > Types".  This connected to the SMTP server via smtps, and promptly
> > > > > > gave the following SSL certificate warning: 
> > > > > 
> > > > > Is the CA in the NSS certificate store? (you can look at it in the
> > > > > Evolution preferences, “Certificate” tab).
> > > > 
> > > > Evolution doesn't seem to have any certificates listed under
> > > > "Certificates" -> "Authorities" at all.
> > > 
> > > That looks weird indeed. Is there something unusual in your install?
> > 
> > Not that I know of, but obviously *something* has gone wrong somewhere.
> > :)
> 
> Is it completely up2date? Looking at the initial mail it seems that nss
> is a beta version, which might be related:
> 
> ii  libnss3-1d              3.12.9~beta2-1   Network Security Service libraries
> 
> while experimental has 3.12.9-2 and sid has 3.12.8-2. Try updating to
> latest version in experimental and report back?

I've already upgraded it to 3.12.9-2 and that didn't change anything.

> > Doing a bit of searching turned up bug 563253 and 563324, and this looks
> > very much like the same issue.  Following the advice in those bugs, I
> > tried stracing evolution, and sure enough:
> > 
> > 2679  open("/home/josh/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file or directory)
> > 
> > And no other attempt occurs to open libnssckbi.so.
> > 
> > Doing this:
> > mkdir -p ~/.pki/nssdb
> > ln -s /usr/lib/nss/libnssckbi.so ~/.pki/nssdb/
> 
> So .pki didn't exist at all?

This problem occurs whether or not evolution has previously created .pki
.  In particular, the problem still occurs even after I've removed
.config/evolution, .pki, and the gconf evolution configuration entirely,
and then tried evolution's initial setup procedure again.

> > before launching evolution caused it to properly validate my mail
> > server's CA certificate.  That rather definitively suggests that the
> > issue from those previous bug reports has returned.
> > 
> > I see that evolution 2.32.2-1 had this changelog entry:
> >   * debian/patches:
> >     - 02_let-nss-search-for-nssckbi, 03_correctly-init-nss and
> >       04_login-to-nss-on-demand dropped, included upstream.
> > 
> > A quick check of the source confirms that evolution still tries to
> > search for libnssckbi itself, so the functionality of
> > 02_let-nss-search-for-nssckbi did not get included upstream.
> 
> Sounds fishy, it's worth trying with a more recent nss.

Already done, no change.  I think the problem exists in evolution, as it
did before with the previous bug reports.

- Josh Triplett