As far as I could tell it's just evolution doing it wrong -- we can certainly see firefox and chromium appear to be fine. I couldn't check curl simply (libcurl3-nss uses libnss3). I couldn't see a list of certificate authorities in Pidgin but deleting the certificates and disconnecting/reconnecting I saw them re-added and no pop-up telling me they couldn't be validated. I haven't looked at the other reverse-build- depends of libnss3-dev.
It seemed clear that the way of looking for nssckbi in evolution was "wrong", but I still need to check to be sure if it's debian-specific or general to have a libdir for the actual nss libraries and an extra directory nss/ under that libdir for the "modules" and nssckbi. Maybe there's a better way to fix this, but I can't think of how in nss (unless we were to start shipping an extra variable in nss.pc specifically for nssckbi's path). In other words, to make this better we could ship an extra var in nss.pc for the nssckbi path, but it looks like it was just evolution affected here; there's more investigation needed to certain whether it's worth it. libdir itself can't really be changed, since it needs to point to the actual location of the nss libraries. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evolution in Ubuntu. https://bugs.launchpad.net/bugs/911592 Title: [precise] Too few certificate authorities listed after upgrade to 12.04 Status in “evolution” package in Ubuntu: Fix Released Status in “nss” package in Ubuntu: Incomplete Status in “evolution” source package in Precise: Fix Released Status in “nss” source package in Precise: Incomplete Bug description: After upgrading to precise, when I try to send an email with evolution, I am presented with: SSL Certificate check for smtp.canonical.com: Issuer: CN=Thawte DV SSL CA,OU=Domain Validated SSL,O="Thawte, Inc.",C=US Subject: CN=smtp.canonical.com,OU=Domain Validated,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,O=smtp.canonical.com Fingerprint: a2:ee:86:1c:94:4e:74:86:2c:24:2f:0e:6e:cc:cd:db Signature: BAD Do you wish to accept? Yes|No I verified the certificate is valid using gnutls: * gnutls-cli -s --print-cert --x509cafile /etc/ssl/certs/ -p 587 smtp.canonical.com * > ehlo test * > starttls * in another terminal do 'kill -s SIGALRM <pid og gnutls-cli>' Remembering that evolution uses nss, I then went to Edit/Preferences/Certificates/Authorities and discovered that many certificate autorities are missing from the list, including Thawte's Root CAs. I verified that Oneiric had the certificate authority, and it did along with many more. I am not sure if the bug is with nss or with evolution, but evolution in 12.04 is not seeing all the certificates it used to see in 11.10. Marking this as High priority and checking the security box as this prevents proper certificate verification. ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: libnss3 3.13.1.with.ckbi.1.88-1ubuntu2 ProcVersionSignature: Ubuntu 3.2.0-7.13-generic 3.2.0-rc7 Uname: Linux 3.2.0-7-generic x86_64 ApportVersion: 1.90-0ubuntu1 Architecture: amd64 Date: Tue Jan 3 21:34:09 2012 InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110425.2) SourcePackage: nss UpgradeStatus: Upgraded to precise on 2012-01-02 (1 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/911592/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
