Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-02 Thread Richard Narron
On Fri, 2 Jun 2023, Omar Polo wrote:

> Hello,
>
> Thanks for testing!

Thanks for all the work on upgrading OpenSMTPD to be compatible again!
>
> On 2023/06/01 10:35:39 -0700, Richard Narron wrote:
> > On Thu, 1 Jun 2023, Richard Narron wrote:
> >
> > > I will modify the build to remove the --with-path-CAfile
> > > configure option and add a symbolic link for /etc/ssl/cert.pem
> >
> > The symbolic link in my build is not a good idea because
> > it erases the cert.pem file which may be in use by other applications.
> >
> > I am better off patching the OpenSMTPD source code instead.
> >
> > Why is the --with-path-CAfile option removed?
>
> Since the last release OpenSMTPD switched to libtls and stopped
> hardcoding the path to the CA file into itself, so I removed the unused
> option.
>
> libtls (which is bundled in openbsd-compat/libtls/) uses[*] OpenSSL's
> X509_get_default_cert_file() to load the default CA file.  I've tested
> and on Slackware 15 it returns "/etc/ssl/cert.pem", which is strange.
> For comparison, on Centos 7 (I had to fix a build issue there...)
> which doesn't have /etc/ssl/cert.pem either it returns
> /etc/pki/tls/cert.pem.
>
> I'm not against re-adding --with-path-CAfile, but is it something
> that's needed often on Slackware?  I don't seem to find libretls
> ported, but if it'll ever be packaged it would need a similar
> treatment.
>
> [*] well, on OpenBSD it has /etc/ssl/cert.pem hardcoded.  To make it
> portable I changed it to use what OpenSSL thinks is the default,
> which is the same thing done in libretls, a version of libtls
> targeting OpenSSL instead of LibreSSL.

If more BSD/Linux/other systems need to hardcode the CAfile, then it might
be useful to have the --with-path-CAfile option.

But the patch for Slackware is trivial:

--- opensmtpd-7.3.0p0-rc1/openbsd-compat/libtls/tls_config.c.orig   
2023-05-25 04:32:34.0 -0700
+++ opensmtpd-7.3.0p0-rc1/openbsd-compat/libtls/tls_config.c2023-06-02 
05:55:31.482390836 -0700
@@ -33,7 +33,7 @@
 const char *
 tls_default_ca_cert_file(void)
 {
-   return X509_get_default_cert_file();
+   return "/etc/ssl/certs/ca-certificates.crt";
 }

 int
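Review bot: the replacement in tls_default_ca_cert_file() swaps one compile-time constant for another, so a host without /etc/ssl/certs/ca-certificates.crt gets the same silent miss that Slackware hit with /etc/ssl/cert.pem, and the change lands in openbsd-compat/libtls/, which the thread treats as portable code shared across platforms. Prefer making the path a configure-time value (the --with-path-CAfile option discussed above), or keep `return X509_get_default_cert_file();` as the fallback and return the Slackware bundle only after `access()` confirms it is readable.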

Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-02 Thread Omar Polo
Hello,

Thanks for testing!

On 2023/06/01 10:35:39 -0700, Richard Narron wrote:
> On Thu, 1 Jun 2023, Richard Narron wrote:
> 
> > I will modify the build to remove the --with-path-CAfile
> > configure option and add a symbolic link for /etc/ssl/cert.pem
> 
> The symbolic link in my build is not a good idea because
> it erases the cert.pem file which may be in use by other applications.
> 
> I am better off patching the OpenSMTPD source code instead.
> 
> Why is the --with-path-CAfile option removed?

Since the last release OpenSMTPD switched to libtls and stopped
hardcoding the path to the CA file into itself, so I removed the unused
option.

libtls (which is bundled in openbsd-compat/libtls/) uses[*] OpenSSL's
X509_get_default_cert_file() to load the default CA file.  I've tested
and on Slackware 15 it returns "/etc/ssl/cert.pem", which is strange.
For comparison, on Centos 7 (I had to fix a build issue there...)
which doesn't have /etc/ssl/cert.pem either it returns
/etc/pki/tls/cert.pem.

I'm not against re-adding --with-path-CAfile, but is it something
that's needed often on Slackware?  I don't seem to find libretls
ported, but if it'll ever be packaged it would need a similar
treatment.


Thanks,

Omar Polo


[*] well, on OpenBSD it has /etc/ssl/cert.pem hardcoded.  To make it
portable I changed it to use what OpenSSL thinks is the default,
which is the same thing done in libretls, a version of libtls
targeting OpenSSL instead of LibreSSL.
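The "strange" result above has a simple cause: X509_get_default_cert_file() returns the compile-time constant OPENSSLDIR "/cert.pem" and never checks that the file exists, which is why Slackware (OPENSSLDIR=/etc/ssl) and CentOS 7 (OPENSSLDIR=/etc/pki/tls) report different paths that may both be missing. The script below is an added example, not code from the thread or from OpenSMTPD: it derives the same answer from `openssl version -d` and checks the file before anyone decides to patch libtls. The list of alternative bundle paths is the one that appears in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): find the CA file that OpenSSL's
# X509_get_default_cert_file() will return on this host, without compiling
# a C probe. OpenSSL builds that path as OPENSSLDIR "/cert.pem", and
# `openssl version -d` prints OPENSSLDIR.

# Turn one line of `openssl version -d` output, e.g.
#   OPENSSLDIR: "/etc/ssl"
# into the default CA file path, e.g. /etc/ssl/cert.pem.
default_ca_file_from_version_d() {
    dir=$(printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p')
    [ -n "$dir" ] || return 1
    printf '%s/cert.pem\n' "$dir"
}

# Report whether the default CA file is readable. If it is not, list the
# other bundle locations mentioned in the thread (the CentOS 7 default and
# the Slackware bundle that Richard's patch hardcodes) that do exist here.
check_ca_file() {
    if [ -r "$1" ]; then
        printf 'ok: %s\n' "$1"
        return 0
    fi
    printf 'missing: %s\n' "$1"
    for cand in /etc/pki/tls/cert.pem /etc/ssl/certs/ca-certificates.crt; do
        [ -r "$cand" ] && printf 'candidate: %s\n' "$cand"
    done
    return 1
}

# Stand-alone usage: `sh ca-default-check.sh --run` queries the OpenSSL
# installed on this machine.
if [ "${1:-}" = "--run" ]; then
    line=$(openssl version -d) || exit 1
    ca=$(default_ca_file_from_version_d "$line") || exit 1
    check_ca_file "$ca"
fi
```

A non-zero exit from check_ca_file is the signal that libtls, left unpatched, would look for a CA bundle that is not there.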