reassign 459453 neon27
retitle 459453 libneon does not honor /etc/ssl/certs/ca-certificates.crt
tags 459453 + patch
thanks

Hi,

On Sun, Jan 06, 2008 at 05:54:39PM +0100, Marc Fournier wrote:
> Package: cadaver
> Version: 0.23.0-1
> Severity: normal
> 
> 
> When accessing an https DAV volume, I get the following message even
> if the server cert got signed by a "trusted" CA (ie: provided by the
> ca-certificates package).
> 
> WARNING: Untrusted server certificate presented for `my.server.tld':
> [...]
> Do you wish to accept the certificate? (y/n)
> 
> I don't have any problem accessing the same server with curl or wget,
> which both require an additional command-line option when an https
> server presents a certificate which isn't signed by one of the CAs
> listed in /etc/ssl/certs/ca-certificates.crt
> 
> This prevents using cadaver in a non-interactive way (in combination
> with .netrc).
> 
> It seems a compile-time option exists, but I was unfortunately unable to
> get it work (not enough ):
> 
> [EMAIL PROTECTED]:/tmp/cadaver-0.23.0$ ./configure  --help | grep CA
>   --with-ca-bundle        specify filename of an SSL CA root bundle

This is a configuration option for libneon. As I'm linking cadaver against the
packaged version of neon (libneon27-gnutls) instead of the one shipped with
cadaver itself, it does not make any difference if you use this option when
compiling cadaver.

> I noticed someone assigned the same bug to libneon26 in ubuntu:
> https://bugs.launchpad.net/ubuntu/+source/neon26/+bug/104777

As noted in this bug report it seems to be sufficient to add
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt to the configure options
when compiling libneon. Imho libneon and libneon-gnutls should recommend
"ca-certificates" then. A simple patch against version 0.27.2-1 is attached to
this email. This is untested though, so it would be nice if Marc could verify
that it works as expected.

Thanks for the pointer.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

diff -u a/debian/control b/debian/control
--- a/debian/control    2008-01-06 18:28:04.000000000 +0100
+++ b/debian/control    2008-01-06 18:42:59.000000000 +0100
@@ -9,6 +9,7 @@
 Section: libs
 Architecture: any
 Depends: ${shlibs:Depends}
+Recommends: ca-certificates
 Description: An HTTP and WebDAV client library
  neon is an HTTP and WebDAV client library, with a C language API.
  .
@@ -67,6 +68,7 @@
 Section: libs
 Architecture: any
 Depends: ${shlibs:Depends}
+Recommends: ca-certificates
 Description: An HTTP and WebDAV client library (GnuTLS enabled)
  neon is an HTTP and WebDAV client library, with a C language API.
  .
diff -u a/debian/rules b/debian/rules
--- a/debian/rules      2008-01-06 18:28:04.000000000 +0100
+++ b/debian/rules      2008-01-06 18:30:03.000000000 +0100
@@ -14,6 +14,7 @@
                --infodir=/usr/share/info       \
                --mandir=/usr/share/man         \
                --enable-threadsafe-ssl=posix   \
+               --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
                --with-gssapi                   \
                --with-libxml2
 CFLAGS="-O2 -g"

Attachment: signature.asc
Description: Digital signature

Reply via email to