[Libreoffice-commits] core.git: neon/neon.patch

Tor Lillqvist tml at iki.fi
Fri Mar 15 02:52:07 PDT 2013 

 neon/neon.patch |   48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

New commits:
commit 07073a198a644d67579a00984aae208c79c4f92f
Author: Tor Lillqvist <tml at iki.fi>
Date:   Fri Mar 15 11:22:04 2013 +0200

    Use the system root certificates in Neon's ne_ssl_trust_default_ca() on Win32
    
    Fixes a problem that was noticed when working on bnc#805901, which is about
    documents opened from WebDAV (using https) not being locked (in the WebDAV
    sense).
    
    For some reason, at least in the 3.6 branch, I noticed that LibreOffice did
    not manage to open any connection to the WebDAV server. The error message
    "Server error message: Server certificate verification failed: issuer is not
    trusted" was displayed.
    
    Turning on Neon logging I saw the OpenSSL error code 19
    (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) passing by.
    
    Some googling turned up
    http://stackoverflow.com/questions/4103472/ssl-handshake-fails-with-a-verisign-chain-certificate-that-contains-two-ca-s
    . If I understand correctly, root certificates (which are the final ones in a
    certificate chain) are by definition self-signed.
    
    One can try this on Linux (or even on Windows, using the openssl command built
    as part of the LibreOffice built):
    
    openssl s_client -connect vibe.novell.com:443 -showcerts
    
    and see that it also displays a message about this "error": "verify
    error:num=19:self signed certificate in certificate chain"
    
    One can get around that by passing the -CApath option:
    
    openssl s_client -connect vibe.novell.com:443 -showcerts -CApath /etc/ssl/certs
    
    on Linux. There is no corresponding directory with trusted certificates as
    files on Windows.
    
    This tells OpenSSL where to find a list of trusted root certificates.
    Apparently when OpenSSL is used by LibreOffice it does not use the list of
    trusted root certificates that Windows knows automatically. This patch makes
    it do that when ne_ssl_trust_default_ca() is called.
    
    Change-Id: Iddbd3d61413aa52adbed3f9a0239a364e70668d8
    Reviewed-on: https://gerrit.libreoffice.org/2741
    Reviewed-by: Fridrich Strba <fridrich at documentfoundation.org>
    Tested-by: Fridrich Strba <fridrich at documentfoundation.org>

diff --git a/neon/neon.patch b/neon/neon.patch
index 21e66d9..95d6b55 100644
--- a/neon/neon.patch
+++ b/neon/neon.patch
@@ -373,3 +373,51 @@
  
  /* Returns non-zero if library is built with support for the given
   * NE_FEATURE_* feature code 'code'. */
+--- src/ne_openssl.c
++++ src/ne_openssl.c
+@@ -41,6 +41,13 @@
+ #include <pthread.h>
+ #endif
+ 
++#ifdef WIN32
++#define X509_NAME WIN32_X509_NAME
++#include <windows.h>
++#include <wincrypt.h>
++#undef X509_NAME
++#endif
++
+ #include "ne_ssl.h"
+ #include "ne_string.h"
+ #include "ne_session.h"
+@@ -798,6 +798,31 @@
+     X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
+ #else
+     X509_STORE_set_default_paths(store);
++#ifdef WIN32
++    {
++	HCERTSTORE hStore;
++	PCCERT_CONTEXT pContext = NULL;
++	X509 *x509;
++
++	hStore = CertOpenSystemStore(0, "ROOT");
++	if (hStore)
++	{
++	    while (pContext = CertEnumCertificatesInStore(hStore, pContext))
++	    {
++		x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
++		if (x509)
++		{
++		    X509_STORE_add_cert(store, x509);
++		    X509_free(x509);
++		}
++	    }
++	}
++
++	CertFreeCertificateContext(pContext);
++	CertCloseStore(hStore, 0);
++    }
++#endif
++
+ #endif
+ }
+

More information about the Libreoffice-commits mailing list