Created attachment 573222 [details, diff]
Amended c-client openssl-1.1 patch

c-client-2007f-openssl-1.1.patch split the check of the NOVALIDATECERT flag and the calling of ssl_validate_cert into two separate if statements. In the process, the block checking the return of ssl_validate_cert only covered the scq application callback, resulting in an error being returned, even if ssl_validate_cert returned 0x0. Attached is a modified patch where the block is fully enclosed. Please review, as I haven't fully analysed what Lars Wendler had in mind when creating the original patch.

Created attachment 573224 [details, diff]
Change patch to be accumulative.

I've changed the patch to be accumulative (retaining the original patch). This helps visualise the issue with this bug. I'll also upload the revised ebuild file as well.
Created attachment 573226 [details] ebuild to include openssl patch patch (not a typo)
I can confirm that I was getting certificate failures using imap_open() in PHP 7.3, and after patching my net-libs/c-client-2007f-r6 with the above patch it now works.
I can also confirm that I was getting certificate errors on imap_open with php-5.6.40-r7, which cleared up after using this patch.
Created attachment 849586 [details]
-r8 ebuild for openssl patch of a patch

Modified the recently released -r8 ebuild to include patch.
I have bumped the importance to high since a number of other people have found this patch to solve their issue (https://forums.gentoo.org/viewtopic-t-1098880-start-0.html). Please consider reviewing this ebuild/patch and merging it into the main portage tree.
This worked when it was for r7, and I have needed to apply the patch again and put r8 in my overlay to get imap_open in PHP to work. Would be good if this could be back in the main branch so I don't have to keep coming back to update my overlay.
Debian has a bunch of patches for c-client. I'd rather switch to their patchset in its entirety if possible to make it easier to track. Would the ones at https://sources.debian.org/src/uw-imap/8%3A2007f~dfsg-7/debian/patches/ work for this issue?
It appears that the 'certificate failure' issue was introduced by a patch created to solve a 'fail to compile' issue (https://bugs.gentoo.org/647616). As the Debian patchset is agnostic of this Gentoo patch, it would not suffer the same issue, so I think it safe to use deb patches as far as this issue is concerned. (To be certain, I just ran an imap_open test script on Debian bullseye, c-client-2007f-r8::gentoo and c-client-2007f-r8::my-repo. It only failed using the ::gentoo ebuild.) I'm not sure of how much work it would be to verify all the other patches that will be added/removed in going to the deb patchset.
(In reply to Scott Tester from comment #9)
> It appears that the 'certificate failure' issue was introduced by a patch
> created to solve a 'fail to compile' issue (https://bugs.gentoo.org/647616).
> As the Debian patchset is agnostic of this Gentoo patch, it would not suffer
> the same issue, so I think it safe to use deb patches as far as this issue
> is concerned.
>

You indeed explained this before but I didn't clock it. Thanks for your patience!
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcd6b6d96343c2a56ed7f0df97dc9ec13daa94c9

commit bcd6b6d96343c2a56ed7f0df97dc9ec13daa94c9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-06 03:56:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-06 03:58:50 +0000

    net-libs/c-client: add 2007f_p7

    One of our patches (c-client-2007f-openssl-1.1.patch, which seems to have
    been from - or derived from at least - openwrt at
    https://github.com/openwrt/packages/commit/b087da8530a8889bd7c765dddbbe218116d11643)
    has been causing issues with OpenSSL 1.1 by not giving proper regard to the
    return value of ssl_validate_cert.

    There's a suggested alternative fixed patch in the bug, but given that
    c-client is one of those zombie packages we need to keep but isn't active
    upstream, let's try switching to Debian's patchset, as it works for them,
    and the effective diff comparing prepared sources before/after is pretty
    small overall.

    (We also end up cleaning up a few things, like the library stops exporting
    'Gethostbyname' (with a capital G) and such.)

    Scott Tester <scott@smbc.edu.au> deserves a special mention for being
    persistent here. Thank you!

    Bug: https://bugs.gentoo.org/647616
    Closes: https://bugs.gentoo.org/683708
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/c-client/Manifest                         |   1 +
 net-libs/c-client/c-client-2007f_p7.ebuild         | 172 +++++++++++++++++++++
 .../files/c-client-2007f_GENTOO_amd64-so-fix.patch |  12 ++
 ...-client-2007f_p7-implicit-declaration-fix.patch |  46 ++++++
 .../c-client/files/c-client-2007f_p7-ldflags.patch |  33 ++++
 5 files changed, 264 insertions(+)
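
The control-flow mistake described in the first comment and in the commit message (the result of ssl_validate_cert not governing the whole error block), as an added example: a simplified model written for this page, not c-client's source or either patch. The flag value, function names, callback type and the name-equals-host rule are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOVALIDATECERT 0x1 /* constructed value; stands in for the flag in the report */

typedef int (*cert_query_t)(const char *reason, const char *host); /* hypothetical callback */

/* Stand-in for ssl_validate_cert: NULL (0x0) means acceptable, otherwise a
 * reason string. Constructed rule: certificate name must equal the host. */
static const char *validate_cert(const char *cert_name, const char *host) {
    return (cert_name && strcmp(cert_name, host) == 0) ? NULL : "host name mismatch";
}

/* Split checks with the inner block left open: only the callback line is
 * governed by the validation result. Returns NULL on success. */
const char *start_broken(int flags, const char *cert, const char *host, cert_query_t scq) {
    const char *err = NULL;
    if (!(flags & NOVALIDATECERT)) {
        if ((err = validate_cert(cert, host)))
            if (scq) return scq(err, host) ? NULL : "";
        /* Reached even when err == NULL, so a valid certificate fails. */
        return err ? err : "certificate failure";
    }
    return NULL;
}

/* Same split, with the whole error path enclosed by the validation check. */
const char *start_fixed(int flags, const char *cert, const char *host, cert_query_t scq) {
    const char *err = NULL;
    if (!(flags & NOVALIDATECERT)) {
        if ((err = validate_cert(cert, host))) {
            if (scq) return scq(err, host) ? NULL : ""; /* callback may accept */
            return err;                                   /* otherwise report it */
        }
    }
    return NULL;
}

int main(void) {
    const char *host = "mail.example.org"; /* constructed sample input */
    printf("valid cert, broken: %s\n", start_broken(0, host, host, NULL) ? "rejected" : "accepted");
    printf("valid cert, fixed:  %s\n", start_fixed(0, host, host, NULL) ? "rejected" : "accepted");
    printf("wrong cert, fixed:  %s\n", start_fixed(0, "other.example.org", host, NULL) ? "rejected" : "accepted");
    return 0;
}
```

In real code this shape is often hidden by indentation; GCC's -Wmisleading-indentation (enabled by -Wall) reports statements indented as if guarded by an `if` that does not cover them.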