Package: opensmtpd
Version: 6.8.0p2-3
Severity: normal
Tags: patch

On Debian Bullseye attempting to send a test mail from the command line
using the “smtp” program included in the “opensmtpd” package results in
the error message:

    smtp: SSL_CTX_load_verify_locations: No such file or directory

The cause of this error message is a missing “/usr/lib/ssl/cert.pem”
file, which was, according to its changelog, only added to the “openssl”
package in version 3.0.5-3 [1]; this version is not available in the stable
archive.  The path “/usr/lib/ssl/cert.pem” is passed to
“SSL_CTX_load_verify_locations” in “smtpc.c:145” (it is the result of the
call to “X509_get_default_cert_file” [2]):

    if (!SSL_CTX_load_verify_locations(ssl_ctx,
        X509_get_default_cert_file(), NULL))
        fatal("SSL_CTX_load_verify_locations");

One solution to this issue would be to backport the addition of the
“/usr/lib/ssl/cert.pem” symlink to the “openssl” package to the older
version available in stable.  This would likely also require an
additional dependency for the “opensmtpd” package on “ca-certificates”
so that the symlink “/usr/lib/ssl/cert.pem” to
“/etc/ssl/certs/ca-certificates.crt” can actually be correctly resolved
to a file.  For this solution, presumably, a bug report against the
“openssl” package has to be created.  An ad-hoc solution creates the symlink
manually:

    ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem

Another solution would call instead of “SSL_CTX_load_verify_locations”
the function “SSL_CTX_set_default_verify_paths” as it does not consider
missing default locations an error [3].  It also has the advantage of
allowing the user to customise the certificates used by setting the
environment variables SSL_CERT_DIR and SSL_CERT_FILE.  For this solution
I have attached a patch.  There may, however, have been reasonable
motivation for the use of one function over the other and for producing
an error in the absence of a certificates file, that I am not aware of.

Footnotes:
[1]  The changelog entry:

     openssl (3.0.5-3) unstable; urgency=medium

       * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
         (Closes: #805646).
       * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

      -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Sun, 18 Sep 2022 21:48:05 +0200

[2]  Compilation of this mini program to print the default certificate
     path requires linking against libcrypto:

        gcc print_cert_file.c -o print_cert_file -lcrypto

     /* print_cert_file.c start */
     #include <stdio.h>
     #include <stdlib.h>

     #include <openssl/x509.h>

     int main(int argc, char *argv[])
     {
         printf("%s\n", X509_get_default_cert_file());
         return EXIT_SUCCESS;
     }
     /* print_cert_file.c end */

[3]  <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html>


-- 
Felix Dietrich

Index: opensmtpd-6.8.0p2/usr.sbin/smtpd/smtpc.c
===================================================================
--- opensmtpd-6.8.0p2.orig/usr.sbin/smtpd/smtpc.c	2020-12-24 14:42:21.000000000 +0100
+++ opensmtpd-6.8.0p2/usr.sbin/smtpd/smtpc.c	2023-03-05 12:49:26.390962737 +0100
@@ -142,9 +142,8 @@
 	event_init();
 
 	ssl_ctx = ssl_ctx_create(NULL, NULL, 0, NULL);
-	if (!SSL_CTX_load_verify_locations(ssl_ctx,
-	    X509_get_default_cert_file(), NULL))
-		fatal("SSL_CTX_load_verify_locations");
+	if (!SSL_CTX_set_default_verify_paths(ssl_ctx))
+		fatal("SSL_CTX_set_default_verify_paths");
 	if (!SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()))
 		fatal("SSL_CTX_set_ssl_version");
 	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);
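Review bot: with this hunk the client starts even when no trust store exists at all, because SSL_CTX_set_default_verify_paths does not treat missing default locations as an error, and the unchanged `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);` three lines below means nothing else will surface an empty store either. Consider a comment at the new `fatal("SSL_CTX_set_default_verify_paths");` noting that SSL_CERT_FILE and SSL_CERT_DIR in the environment now select the store, and a warning when neither the default file nor the default directory resolves, so that if verification is ever switched to SSL_VERIFY_PEER the absence of trust anchors is visible rather than silent.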