On Mon, 2005-04-25 at 15:55 +0100, Joe Orton wrote: > On Sat, Apr 23, 2005 at 09:04:54AM -0400, David Hollis wrote: > > On Fri, 2005-04-22 at 20:07 +0200, Thomas Zehetbauer wrote: > > > Today's rawhide update broke my postfix's smtp over ssl capability. > > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/share/ssl/certs/ca-bundle.crt','r'): > > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107: > > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279: > > > postfix/smtpd[8117]: connect from localhost[127.0.0.1] > > > postfix/smtpd[8117]: Could not allocate 'TLScontext->con' with SSL_new() > > > postfix/smtpd[8117]: warning: TLS library problem: 8117:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:231: > > > postfix/smtpd[8117]: lost connection after CONNECT from localhost[127.0.0.1] > > > postfix/smtpd[8117]: disconnect from localhost[127.0.0.1] > > > > The latest OpenSSL packages moved all of the certs/keys to /etc/pki. In > > your postfix config, change the path to the ca-bundle to > > be /etc/pki/tls/certs and you should be all set. > > No application should contain hard-coded references to the ca-bundle.crt > filename in the first place, they should obtain it at run-time via > X509_get_default_cert_file() or if possible just use > SSL_CTX_set_default_verify_paths() - can you file bugs on that? > There may be cases where the user/app does not want to use the bundled CA, but would rather use a locally generated one, or the like. By default, the bundled apps should probably point at the one installed with openssl so that things can "Just Work". -- David Hollis <dhollis@xxxxxxxxxxxxxx>
Attachment:
signature.asc
Description: This is a digitally signed message part