Bug 281196 - net-misc/neon-0.28.5[gnutls]: configure default ca bundle
Summary: net-misc/neon-0.28.5[gnutls]: configure default ca bundle
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library (show other bugs)
Hardware: All All
Importance: High enhancement
Assignee: Arfrever Frehtes Taifersar Arahesis (RETIRED)
Reported: 2009-08-12 10:45 UTC by Martin von Gagern
Modified: 2009-08-19 00:44 UTC (History)
Description Martin von Gagern 2009-08-12 10:45:56 UTC
neon does provide a function called ne_ssl_trust_default_ca to load default certificates. With --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt given as a command line option, this will cause the given bundle to be loaded on all implementations.

Without that switch, implementation depends on the ssl backend. With openssl, X509_STORE_set_default_paths gets called, which uses the SSL_CERT_FILE and SSL_CERT_DIR environment variables and defaults to /etc/ssl/certs/ and some default cert file not usually present on Gentoo. The GnuTLS implementation, on the other hand, does nothing at all if no bundle is specified.

One important application of this is subversion. When neon is configured to use gnutls as its backend, there currently is no way to configure the default trust roots for subversion. One can specify a file using the ssl-authority-files option in the subversion servers configuration file, but neon will only read the first certificate from said file, so you can't specify a bundle. The only other option, setting ssl-trust-default-ca to true (which is the default), is a no-op for gnutls.

$ svn ls https://overlays.gentoo.org/svn/proj/sunrise
Error validating server certificate for 'https://overlays.gentoo.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: overlays.gentoo.org
 - Valid: from Mon, 03 Aug 2009 19:40:31 GMT until Wed, 03 Aug 2011 19:40:31 GMT
 - Issuer: http://www.CAcert.org, CAcert Inc.
 - Fingerprint: 47:9b:19:62:10:36:c3:ec:10:e7:4c:6b:a7:63:62:b0:43:5d:9a:9c
(R)eject, accept (t)emporarily or accept (p)ermanently? r
svn: OPTIONS of 'https://overlays.gentoo.org/svn/proj/sunrise':
Server certificate verification failed: issuer is not trusted (https://overlays.gentoo.org)

I assume that this behaviour might be the core of bug #277405 as well.

In order to address this, --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt should be passed to configure, at least when using gnutls. For openssl that should be avoided, as opening single certificates by hash is probably cheaper.

To work around the issue until the ebuild is adjusted, users can run this:
EXTRA_ECONF=--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt emerge -1 neon

Packages involved:
net-libs/gnutls-2.8.2
net-misc/neon-0.28.5
dev-util/subversion-1.6.4-r10
app-misc/ca-certificates-20090709
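Added diagnostic for the situation described in this report (not part of the bug, the neon ebuild or subversion): a small POSIX sh script that counts the certificates in a PEM bundle, flags ssl-authority-files entries in a subversion "servers" file that hold more than one certificate (neon will only read the first), and prints the EXTRA_ECONF rebuild command with the bundle path checked first. It assumes the Gentoo bundle path /etc/ssl/certs/ca-certificates.crt and the ';'-separated ssl-authority-files syntax; every path is a parameter, so it can be pointed at other files.

```shell
#!/bin/sh
# Diagnostic helpers for neon[gnutls] trust roots (added example, not from the bug).
# Assumption: Gentoo's CA bundle lives at /etc/ssl/certs/ca-certificates.crt.
BUNDLE_DEFAULT=/etc/ssl/certs/ca-certificates.crt

# Number of PEM certificates in a file; 0 if the file is missing or unreadable.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c prints 0 but exits 1 when nothing matches; keep a clean exit status.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Report every file named in ssl-authority-files (';'-separated, as in
# ~/.subversion/servers) that holds more than one certificate, because neon
# only loads the first certificate of such a file and silently drops the rest.
check_svn_authority_files() {
    servers="$1"
    [ -r "$servers" ] || return 0
    sed -n 's/^[[:space:]]*ssl-authority-files[[:space:]]*=[[:space:]]*//p' "$servers" \
    | tr ';' '\n' | while read -r f; do
        [ -n "$f" ] || continue
        n=$(count_pem_certs "$f")
        if [ "$n" -gt 1 ]; then
            echo "$f: $n certificates, neon will only use the first"
        fi
    done
}

# The one-off rebuild from the report, emitted only if the bundle really
# contains certificates (an empty or missing bundle would compile in a dead path).
workaround_command() {
    bundle="${1:-$BUNDLE_DEFAULT}"
    n=$(count_pem_certs "$bundle")
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        return 1
    fi
    echo "EXTRA_ECONF=--with-ca-bundle=$bundle emerge -1 neon"
}

# Usage (source the file, then call the functions):
#   . ./neon_ca_check.sh
#   check_svn_authority_files ~/.subversion/servers
#   workaround_command
```

Running check_svn_authority_files against a servers file that points ssl-authority-files at the whole ca-certificates.crt bundle shows why that setting does not solve the problem on its own: only the first CA in the bundle would be trusted.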
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-19 00:44:13 UTC
Fixed in net-misc/neon-0.28.6.