desktop-packages team mailing list archive

[Bug 911592] Re: [precise] Too few certificate authorities listed after upgrade to 12.04

 

As far as I could tell it's just evolution doing it wrong -- we can
certainly see firefox and chromium appear to be fine. I couldn't check
curl simply (libcurl3-nss uses libnss3). I couldn't see a list of
certificate authorities in Pidgin but deleting the certificates and
disconnecting/reconnecting I saw them re-added and no pop-up telling me
they couldn't be validated. I haven't looked at the other
reverse-build-depends of libnss3-dev.

It seemed clear that the way of looking for nssckbi in evolution was
"wrong", but I still need to check to be sure if it's debian-specific or
general to have a libdir for the actual nss libraries and an extra
directory nss/ under that libdir for the "modules" and nssckbi. Maybe
there's a better way to fix this, but I can't think of how in nss
(unless we were to start shipping an extra variable in nss.pc
specifically for nssckbi's path).

In other words, to make this better we could ship an extra var in nss.pc
for the nssckbi path, but it looks like it was just evolution affected
here; there's more investigation needed to be certain whether it's worth
it. libdir itself can't really be changed, since it needs to point to
the actual location of the nss libraries.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evolution in Ubuntu.
https://bugs.launchpad.net/bugs/911592

Title:
  [precise] Too few certificate authorities listed after upgrade to
  12.04

Status in “evolution” package in Ubuntu:
  Fix Released
Status in “nss” package in Ubuntu:
  Incomplete
Status in “evolution” source package in Precise:
  Fix Released
Status in “nss” source package in Precise:
  Incomplete

Bug description:
  After upgrading to precise, when I try to send an email with evolution, I am presented with:
  SSL Certificate check for smtp.canonical.com:

  Issuer:            CN=Thawte DV SSL CA,OU=Domain Validated SSL,O="Thawte, Inc.",C=US
  Subject:           CN=smtp.canonical.com,OU=Domain Validated,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,O=smtp.canonical.com
  Fingerprint:       a2:ee:86:1c:94:4e:74:86:2c:24:2f:0e:6e:cc:cd:db
  Signature:         BAD

  Do you wish to accept? Yes|No

  I verified the certificate is valid using gnutls:
   * gnutls-cli -s --print-cert --x509cafile /etc/ssl/certs/ -p 587 smtp.canonical.com
   * > ehlo test
   * > starttls
   * in another terminal do 'kill -s SIGALRM <pid of gnutls-cli>'

  Remembering that evolution uses nss, I then went to
  Edit/Preferences/Certificates/Authorities and discovered that many
  certificate authorities are missing from the list, including Thawte's
  Root CAs. I verified that Oneiric had the certificate authority, and
  it did along with many more. I am not sure if the bug is with nss or
  with evolution, but evolution in 12.04 is not seeing all the
  certificates it used to see in 11.10.

  Marking this as High priority and checking the security box as this
  prevents proper certificate verification.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: libnss3 3.13.1.with.ckbi.1.88-1ubuntu2
  ProcVersionSignature: Ubuntu 3.2.0-7.13-generic 3.2.0-rc7
  Uname: Linux 3.2.0-7-generic x86_64
  ApportVersion: 1.90-0ubuntu1
  Architecture: amd64
  Date: Tue Jan  3 21:34:09 2012
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110425.2)
  SourcePackage: nss
  UpgradeStatus: Upgraded to precise on 2012-01-02 (1 days ago)
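
An added diagnostic sketch (not part of the original message, and not code from evolution or nss) for the layout discussed above: it reports whether the nssckbi module sits directly in the libdir that nss.pc reports or in the nss/ subdirectory under it. The file name libnssckbi.so is the usual shared-object name for nssckbi; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: where is the NSS built-in roots module (nssckbi) relative
# to a given libdir? CKBI_NAME and the function names are choices made for
# this example, not identifiers from evolution or nss.
CKBI_NAME="libnssckbi.so"

# Print one of:
#   libdir  - module is directly in LIBDIR
#   nss     - module is in the nss/ subdirectory under LIBDIR
#   missing - module is in neither place
ckbi_location() {
    dir=$1
    if [ -e "$dir/$CKBI_NAME" ]; then
        echo "libdir"
    elif [ -e "$dir/nss/$CKBI_NAME" ]; then
        echo "nss"
    else
        echo "missing"
    fi
}

# Succeeds only if a lookup built as LIBDIR/libnssckbi.so would find the
# module, i.e. the lookup that treats nss.pc's libdir as the module dir.
naive_lookup_ok() {
    [ "$(ckbi_location "$1")" = "libdir" ]
}

# Human-readable report for one libdir.
report() {
    case "$(ckbi_location "$1")" in
        libdir)  echo "OK: $1/$CKBI_NAME" ;;
        nss)     echo "WARN: module is in $1/nss/; a lookup in libdir alone will not find it" ;;
        missing) echo "FAIL: $CKBI_NAME not found under $1" ;;
    esac
}

# If pkg-config knows about nss, report on the libdir from nss.pc.
if pc_libdir=$(pkg-config --variable=libdir nss 2>/dev/null) && [ -n "$pc_libdir" ]; then
    report "$pc_libdir"
fi
```
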
