reverting recent SSL-related patches
rea at codelabs.ru
Mon Jan 12 00:12:32 GMT 2015
Nicolas, good day.
Sun, Jan 11, 2015 at 12:08:52AM +0100, Nicolas Sebrecht wrote:
> Merge branch 'ns/fix-fingerprint' into next
> Merge commit for the reverted patches.
> I decided to revert the SSL-related patches introduced in the last release
> candidate v6.5.7-rc1 :
> - 81848628 "Add support for OS-specific CA bundle locations"
> - 0a569bea "Add default CA bundle location for DragonFlyBSD"
> - 716a6f47 "Add OpenBSD default CA certificates file location"
> The cause is that they introduced a regression: the fingerprint option alone is
> not working anymore. Such configuration fails on a bad certificate (the one
> provided by the default locations).
I have a fix for this in my "next" since today. It basically inhibits
usage of OS-default CA bundle if cert_fingerprint is configured.
I am not against pruning these patches from "master", since the
stability of a branch from which -RC and releases are carved is vital.
But I don't see much point in removing them from "next" apart from
potential problems of merge conflicts. But since we're in the release
cycle, changes from "next" are really meant to be cherry-picked and
applied to "master" with manual control, unless I am terribly missing
the whole release engineering process.
I also have 4 more patches to apply to the current "next", so with
cert_fingerprint/sslcacertfile fix this will be five:
It works for me both if repository has sslcacertfile and if only
cert_fingerprint is configured and OS-default CA bundle is present.
Basically, first and last commits are most interesting ones
won't apply cleanly without
since it was the way the fix was developed: it is terribly hard
to work with non-original tracebacks ;)
Edd, if you will be able to test this, it will be very good.
More information about the OfflineIMAP-project