Package: opensmtpd
Version: 6.8.0p2-3
Severity: normal
Tags: patch

On Debian Bullseye, attempting to send a test mail from the command line using the “smtp” program included in the “opensmtpd” package results in the error message:

    smtp: SSL_CTX_load_verify_locations: No such file or directory

The cause of this error message is a missing “/usr/lib/ssl/cert.pem” file, which was, according to its changelog, only added to the “openssl” package in version 3.0.5-3 [1]; this version is not available in the stable archive. The path “/usr/lib/ssl/cert.pem” is passed to “SSL_CTX_load_verify_locations” in “smtpc.c:145” (it is the result of the call to “X509_get_default_cert_file” [2]):

    if (!SSL_CTX_load_verify_locations(ssl_ctx,
        X509_get_default_cert_file(), NULL))
        fatal("SSL_CTX_load_verify_locations");

One solution to this issue would be to backport the addition of the “/usr/lib/ssl/cert.pem” symlink to the older version of the “openssl” package available in stable. This would likely also require an additional dependency on the “ca-certificates” package so that the symlink “/usr/lib/ssl/cert.pem” to “/etc/ssl/certs/ca-certificates.crt” can actually be resolved to an existing file. For this solution, presumably, a bug report against the “openssl” package has to be created.

Another solution would be to call “SSL_CTX_set_default_verify_paths” instead of “SSL_CTX_load_verify_locations”, as it does not treat a missing default location as an error [3]. It also has the advantage of allowing the user to customise the certificates used by setting the environment variables SSL_CERT_DIR and SSL_CERT_FILE. For this solution I have attached a patch.

Footnotes:

[1] openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
    (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

 -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Sun, 18 Sep 2022 21:48:05 +0200

[2] Compilation of this mini program to print the default certificate file requires linking against libcrypto (gcc src.c -o print_cert_file -lcrypto):

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/x509.h>

    /* Print the compiled-in default CA bundle path (OPENSSLDIR/cert.pem). */
    int main(void)
    {
        printf("%s\n", X509_get_default_cert_file());
        return EXIT_SUCCESS;
    }

[3] <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html>
Index: opensmtpd-6.8.0p2/usr.sbin/smtpd/smtpc.c =================================================================== --- opensmtpd-6.8.0p2.orig/usr.sbin/smtpd/smtpc.c 2020-12-24 14:42:21.000000000 +0100 +++ opensmtpd-6.8.0p2/usr.sbin/smtpd/smtpc.c 2023-03-05 12:49:26.390962737 +0100 @@ -142,9 +142,8 @@ event_init(); ssl_ctx = ssl_ctx_create(NULL, NULL, 0, NULL); - if (!SSL_CTX_load_verify_locations(ssl_ctx, - X509_get_default_cert_file(), NULL)) - fatal("SSL_CTX_load_verify_locations"); + if (!SSL_CTX_set_default_verify_paths(ssl_ctx)) + fatal("SSL_CTX_set_default_verify_paths"); if (!SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method())) fatal("SSL_CTX_set_ssl_version"); SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);
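Review bot: The replacement call on the `+` lines succeeds even when no CA file or directory exists, so the new fatal("SSL_CTX_set_default_verify_paths") will in practice never fire for the missing-cert.pem case and the context can end up with an empty trust store without any message. The surrounding context shows `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);`, so nothing is verified at this point anyway, but if verification is enabled elsewhere the empty store would only surface later as a handshake-time verification failure rather than the clear startup error the old code gave. Consider checking that the store holds at least one certificate after the call, or logging the locations consulted (SSL_CERT_FILE/SSL_CERT_DIR, X509_get_default_cert_file()), so the lenient behaviour stays visible to the operator.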