On Fri, 2 Jun 2023, Omar Polo wrote:
> Hello,
>
> Thanks for testing!

Thanks for all the work making OpenSMTPD compatible again!

> On 2023/06/01 10:35:39 -0700, Richard Narron <rich...@aaazen.com> wrote:
> > On Thu, 1 Jun 2023, Richard Narron wrote:
> > >
> > > I will modify the build to remove the --with-path-CAfile
> > > configure option and add a symbolic link for /etc/ssl/cert.pem
> >
> > The symbolic link in my build is not a good idea because
> > it erases the cert.pem file, which may be in use by other applications.
> >
> > I am better off patching the OpenSMTPD source code instead.
> >
> > Why is the --with-path-CAfile option removed?
>
> Since the last release OpenSMTPD switched to libtls and stopped
> hardcoding the path to the CA file into itself, so I removed the unused
> option.
>
> libtls (which is bundled in openbsd-compat/libtls/) uses[*] OpenSSL's
> X509_get_default_cert_file() to load the default CA file. I've tested,
> and on Slackware 15 it returns "/etc/ssl/cert.pem", which is strange.
> For comparison, on CentOS 7 (I had to fix a build issue there...),
> which doesn't have /etc/ssl/cert.pem either, it returns
> /etc/pki/tls/cert.pem.
>
> I'm not against re-adding --with-path-CAfile, but is it something
> that's needed often on Slackware? I don't seem to find libretls
> ported, but if it'll ever be packaged it would need a similar
> treatment.
>
> [*] well, on OpenBSD it has /etc/ssl/cert.pem hardcoded. To make it
> portable I changed it to use what OpenSSL thinks is the default,
> which is the same thing done in libretls, a version of libtls
> targeting OpenSSL instead of LibreSSL.

If more BSD/Linux/other systems need to hardcode the CAfile, then it might be useful to have the --with-path-CAfile option.

But the patch for Slackware is trivial:

--- opensmtpd-7.3.0p0-rc1/openbsd-compat/libtls/tls_config.c.orig	2023-05-25 04:32:34.000000000 -0700
+++ opensmtpd-7.3.0p0-rc1/openbsd-compat/libtls/tls_config.c	2023-06-02 05:55:31.482390836 -0700
@@ -33,7 +33,7 @@ const char * tls_default_ca_cert_file(void) { - return X509_get_default_cert_file(); + return "/etc/ssl/certs/ca-certificates.crt"; } int
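Review bot: the replacement in tls_default_ca_cert_file() turns a runtime lookup into an unconditional compile-time constant, so every build from this tree (not only Slackware) now points at /etc/ssl/certs/ca-certificates.crt, and the X509_get_default_cert_file() result that CentOS 7 and OpenBSD rely on, per the discussion upthread, is lost. Since re-adding --with-path-CAfile is already on the table, consider making this hunk conditional on a configure-time define: keep `return X509_get_default_cert_file();` as the fallback and return the distribution path only when the option was given. A check that the chosen file is readable, with a logged error when it is not, would also make the "default CA file does not exist" situation visible at startup instead of surfacing later as opaque TLS verification failures. A one-line comment above the return explaining why the distribution path is used would help the next person who diffs this against upstream libtls.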
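The lookup Omar describes above, namely that the bundled libtls asks OpenSSL's X509_get_default_cert_file() for the default CA bundle and that the answer may name a file the distribution does not ship, can be checked from outside the daemon. The following is an added example written for this thread, not code from OpenSMTPD or libtls: it uses Python's ssl.get_default_verify_paths(), which exposes the same OpenSSL default as openssl_cafile, then reports whether that file exists and falls back to a constructed list of the three well-known paths named in this thread. The function names resolve_ca_file() and diagnose(), the SSL_CERT_FILE-first lookup order and the candidate list are assumptions of the example, not libtls behaviour.

```python
"""Check which CA bundle OpenSSL's compiled-in default points at and whether
it exists on this host.  Added example for this thread; not OpenSMTPD/libtls
code."""
import os
import ssl

# Constructed list of well-known CA bundle locations; the three paths are the
# ones named in this thread (OpenBSD, CentOS 7 and the Slackware patch).
WELL_KNOWN_CA_FILES = (
    "/etc/ssl/cert.pem",
    "/etc/pki/tls/cert.pem",
    "/etc/ssl/certs/ca-certificates.crt",
)


def openssl_default_ca_file():
    """Path that OpenSSL's X509_get_default_cert_file() reports.

    Python's ssl module exposes the same value as
    ssl.get_default_verify_paths().openssl_cafile, so this is what a libtls
    built against the same OpenSSL would try to load.
    """
    return ssl.get_default_verify_paths().openssl_cafile


def resolve_ca_file(default, env=None, candidates=WELL_KNOWN_CA_FILES,
                    exists=os.path.exists):
    """Return (path, source) for the first usable CA bundle, or (None, reason).

    Lookup order (an assumption of this example, not libtls behaviour):
      1. SSL_CERT_FILE from the environment, if set; a set-but-absent file is
         reported as an error rather than silently skipped, because an
         operator who set it expects exactly that file to be used;
      2. the compiled-in OpenSSL default passed in as `default`;
      3. well-known distribution paths.
    `exists` is injectable so the logic can be tested without touching the
    real filesystem.
    """
    env = os.environ if env is None else env
    override = env.get("SSL_CERT_FILE")
    if override:
        if exists(override):
            return override, "SSL_CERT_FILE"
        return None, "SSL_CERT_FILE-set-but-missing"
    if default and exists(default):
        return default, "openssl-default"
    for path in candidates:
        if exists(path):
            return path, "well-known"
    return None, "missing"


def diagnose():
    """Print a short report for this host and return the resolution tuple."""
    default = openssl_default_ca_file()
    state = "present" if default and os.path.exists(default) else "ABSENT"
    print(f"OpenSSL default CA file: {default!r} ({state})")
    path, source = resolve_ca_file(default)
    if path is None:
        print(f"No usable CA bundle found ({source}); TLS verification "
              "would fail.")
    else:
        print(f"Usable CA bundle: {path} (via {source})")
    return path, source


if __name__ == "__main__":
    diagnose()
```

On a host where the compiled-in default is /etc/ssl/cert.pem but that file is absent, as Omar reports for Slackware 15, the report shows the default as ABSENT and the bundle found only through the well-known list; that is the gap the hardcoded path in the patch closes for one distribution, and the reason a configure option or a runtime existence check is preferable to a constant that is wrong everywhere else.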