openssl-0.9.7f-4 breaks postfix-2.2.2-2

David Hollis dhollis at davehollis.com
Mon Apr 25 19:08:02 UTC 2005


On Mon, 2005-04-25 at 15:55 +0100, Joe Orton wrote:
> On Sat, Apr 23, 2005 at 09:04:54AM -0400, David Hollis wrote:
> > On Fri, 2005-04-22 at 20:07 +0200, Thomas Zehetbauer wrote:
> > > Today's rawhide update broke my postfix's smtp over ssl capability.
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/share/ssl/certs/ca-bundle.crt','r'):
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> > > postfix/smtpd[8117]: connect from localhost[127.0.0.1]
> > > postfix/smtpd[8117]: Could not allocate 'TLScontext->con' with SSL_new()
> > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:231:
> > > postfix/smtpd[8117]: lost connection after CONNECT from localhost[127.0.0.1]
> > > postfix/smtpd[8117]: disconnect from localhost[127.0.0.1]
> > 
> > The latest OpenSSL packages moved all of the certs/keys to /etc/pki.  In
> > your postfix config, change the path to the ca-bundle to
> > be /etc/pki/tls/certs and you should be all set.
> 
> No application should contain hard-coded references to the ca-bundle.crt
> filename in the first place, they should obtain it at run-time via
> X509_get_default_cert_file() or if possible just use
> SSL_CTX_set_default_verify_paths() - can you file bugs on that?
> 


There may be cases where the user/app does not want to use the bundled
CA, but would rather use a locally generated one, or the like.  By
default, the bundled apps should probably point at the one installed
with openssl so that things can "Just Work".

-- 
David Hollis <dhollis at davehollis.com>
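
Both positions in this thread, shown as an added example that is not part of the original message or of postfix: use the library's default trust store unless a local CA file is explicitly configured. Python's `ssl` module is used because `ssl.get_default_verify_paths()` reads `X509_get_default_cert_file()` and `SSLContext.set_default_verify_paths()` calls `SSL_CTX_set_default_verify_paths()`; the function names and the `configured_cafile` setting are hypothetical.

```python
import os
import ssl
import tempfile


def default_ca_file():
    """Compiled-in CA file path of the linked OpenSSL (may not exist on disk)."""
    return ssl.get_default_verify_paths().openssl_cafile


def make_verify_context(configured_cafile=None):
    """Build a verifying client context.

    configured_cafile is a hypothetical admin setting: None means
    "use whatever the installed OpenSSL considers its default store".
    Returns (context, description_of_trust_source).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if configured_cafile is None:
        # Follows the library across package moves; no path in our config.
        ctx.set_default_verify_paths()
        return ctx, "openssl-default"
    if not os.path.isfile(configured_cafile):
        # Fail at startup, naming both the stale path and the library
        # default, instead of ending up with an unusable TLS context.
        raise FileNotFoundError(
            f"CA file {configured_cafile!r} not found; "
            f"OpenSSL default is {default_ca_file()!r}")
    ctx.load_verify_locations(cafile=configured_cafile)
    return ctx, "configured:" + configured_cafile


if __name__ == "__main__":
    print("library default CA file:", default_ca_file())
    ctx, source = make_verify_context()
    print("trust source:", source, "| verify_mode:", ctx.verify_mode.name)
    # Constructed stale path, standing in for a bundle that a package moved.
    stale = os.path.join(tempfile.gettempdir(), "constructed-missing-ca-bundle.crt")
    try:
        make_verify_context(stale)
    except FileNotFoundError as exc:
        print("stale setting rejected:", exc)
```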