openssl-0.9.7f-4 breaks postfix-2.2.2-2

Dax Kelson dax at gurulabs.com
Mon Apr 25 15:49:30 UTC 2005 

On Mon, 2005-04-25 at 15:55 +0100, Joe Orton wrote:
> On Sat, Apr 23, 2005 at 09:04:54AM -0400, David Hollis wrote:
> > On Fri, 2005-04-22 at 20:07 +0200, Thomas Zehetbauer wrote:
> > > Today's rawhide update broke my postfix's smtp over ssl capability.
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/share/ssl/certs/ca-bundle.crt','r'):
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> > > postfix/smtpd[8117]: connect from localhost[127.0.0.1]
> > > postfix/smtpd[8117]: Could not allocate 'TLScontext->con' with SSL_new()
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:231:
> > > postfix/smtpd[8117]: lost connection after CONNECT from localhost[127.0.0.1]
> > > postfix/smtpd[8117]: disconnect from localhost[127.0.0.1]
> > 
> > The latest OpenSSL packages moved all of the certs/keys to /etc/pki.  In
> > your postfix config, change the path to the ca-bundle to
> > be /etc/pki/tls/certs and you should be all set.
> 
> No application should contain hard-coded references to the ca-bundle.crt
> filename in the first place, they should obtain it at run-time via
> X509_get_default_cert_file() or if possible just use
> SSL_CTX_set_default_verify_paths() - can you file bugs on that?
> 
> Regards,
> 
> joe

In Saturday's rawhide changelog I read:

dovecot-0.99.14-4.fc4
---------------------
* Fri Apr 22 2005 John Dennis <jdennis at redhat.com> - 0.99.14-4.fc4
- openssl moved its certs, CA, etc. from /usr/share/ssl to /etc/pki

Does this mean that dovecot was hard-coding references too?

BTW, I know that there is a *lot* of documentation out there that
references the "old" path, /usr/share/ssl. Unfortunately it isn't
possible for documentation to use SSL_CTX_set_default_verify_paths(). :)

Dax Kelson
Guru Labs

More information about the fedora-devel-list mailing list