[PATCH] Use the system root certificates in Neon's ne_ssl_trust_defa...

Tor Lillqvist (via Code Review) gerrit at gerrit.libreoffice.org
Fri Mar 15 02:31:28 PDT 2013


Hi,

I have submitted a patch for review:

    https://gerrit.libreoffice.org/2741

To pull it, you can do:

    git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/41/2741/1

Use the system root certificates in Neon's ne_ssl_trust_default_ca() on Win32

Fixes a problem that was noticed when working on bnc#805901, which is about
documents opened from WebDAV (using https) not being locked (in the WebDAV
sense).

For some reason, at least in the 3.6 branch, I noticed that LibreOffice did
not manage to open any connection to the WebDAV server. The error message
"Server error message: Server certificate verification failed: issuer is not
trusted" was displayed.

Turning on Neon logging I saw the OpenSSL error code 19
(X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) passing by.

Some googling turned up
http://stackoverflow.com/questions/4103472/ssl-handshake-fails-with-a-verisign-chain-certificate-that-contains-two-ca-s
If I understand correctly, root certificates (which are the final ones in a
certificate chain) are by definition self-signed.

One can try this on Linux (or even on Windows, using the openssl command built
as part of the LibreOffice build):

openssl s_client -connect vibe.novell.com:443 -showcerts

and see that it also displays a message about this "error": "verify
error:num=19:self signed certificate in certificate chain"

One can get around that by passing the -CApath option:

openssl s_client -connect vibe.novell.com:443 -showcerts -CApath /etc/ssl/certs

on Linux. There is no corresponding directory with trusted certificates as
files on Windows.

This tells OpenSSL where to find a list of trusted root certificates.
Apparently when OpenSSL is used by LibreOffice it does not use the list of
trusted root certificates that Windows knows automatically. This patch makes
it do that when ne_ssl_trust_default_ca() is called.

Change-Id: Iddbd3d61413aa52adbed3f9a0239a364e70668d8
---
M neon/neon.patch
1 file changed, 48 insertions(+), 0 deletions(-)
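The diagnosis in the commit message (OpenSSL error 19 because the self-signed root at the end of the chain is not yet trusted, and the cure of telling OpenSSL where the trusted roots are) can be reproduced offline. The script below is an added example, not code from the patch, from Neon or from LibreOffice. It assumes only the openssl command-line tool, version 1.1.1 or later; the two certificates it builds and their subject names are constructed for the example. Here `-CAfile` plays the role that `-CApath /etc/ssl/certs` plays on Linux and that the Windows ROOT store plays in the patch.

```shell
#!/bin/sh
# Added example (not code from the patch, Neon or LibreOffice): reproduce
# OpenSSL verify error 19, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, offline,
# then show that naming the root as trusted makes the same chain verify.
# Assumes the openssl command-line tool, version 1.1.1 or later.
set -eu

# Scratch directory for the constructed root and leaf certificates.
WORK="${TMPDIR:-/tmp}/neon-roots-demo.$$"

# Constructed two-certificate chain: a self-signed root and a leaf it issued.
# Both names are made up for the example.
make_chain() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=webdav.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -sha256 -days 30 \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# The situation described in the commit message: the server sends its whole
# chain, root included, but the client knows no trusted root that matches.
# -no-CAfile/-no-CApath keep the default CA file and directory out of the
# picture, and the root is offered only as an untrusted chain member.
# Prints OpenSSL's verdict (expected: "error 19 at 1 depth lookup").
verify_without_trusted_roots() {
    openssl verify -no-CAfile -no-CApath \
        -untrusted "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# The same chain once OpenSSL has been told where the trusted root lives.
# Prints OpenSSL's verdict (expected: "<path>/leaf.pem: OK").
verify_with_trusted_roots() {
    openssl verify -no-CAfile -no-CApath \
        -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

cleanup() {
    rm -rf "$WORK"
}

# Demonstration when the script is run directly.
make_chain
echo "--- without trusted roots (expect error 19 at depth 1):"
verify_without_trusted_roots
echo "--- with the root in the trust store (expect OK):"
verify_with_trusted_roots
cleanup
```

The first verdict is the same "self signed certificate in certificate chain" that `openssl s_client -showcerts` prints against vibe.novell.com; the second is what the patch aims for on Windows, where no `/etc/ssl/certs` exists and the roots have to come out of the ROOT system store instead.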



diff --git a/neon/neon.patch b/neon/neon.patch
index 21e66d9..95d6b55 100644
--- a/neon/neon.patch
+++ b/neon/neon.patch
@@ -373,3 +373,51 @@
  
  /* Returns non-zero if library is built with support for the given
   * NE_FEATURE_* feature code 'code'. */
+--- src/ne_openssl.c
++++ src/ne_openssl.c
+@@ -41,6 +41,13 @@
+ #include <pthread.h>
+ #endif
+ 
++#ifdef WIN32
++#define X509_NAME WIN32_X509_NAME
++#include <windows.h>
++#include <wincrypt.h>
++#undef X509_NAME
++#endif
++
+ #include "ne_ssl.h"
+ #include "ne_string.h"
+ #include "ne_session.h"
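Review bot: the `#define X509_NAME WIN32_X509_NAME` ... `#undef X509_NAME` wrapper around `<windows.h>` and `<wincrypt.h>` carries no comment, and nothing in the hunk says why it is there. The reason is that wincrypt.h defines `X509_NAME` as a macro, which would otherwise rewrite every later use of OpenSSL's `X509_NAME` type in this file; the `#undef` is what restores the OpenSSL meaning, and it is not obvious what the preceding `#define` contributes, since wincrypt.h defines the macro regardless. Please add a short comment (for example `/* wincrypt.h defines X509_NAME as a macro; keep it from clobbering OpenSSL's type */`) and either drop the `#define` or say which compiler needs it.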
+@@ -798,6 +798,31 @@
+     X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
+ #else
+     X509_STORE_set_default_paths(store);
++#ifdef WIN32
++    {
++	HCERTSTORE hStore;
++	PCCERT_CONTEXT pContext = NULL;
++	X509 *x509;
++
++	hStore = CertOpenSystemStore(0, "ROOT");
++	if (hStore)
++	{
++	    while (pContext = CertEnumCertificatesInStore(hStore, pContext))
++	    {
++		x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
++		if (x509)
++		{
++		    X509_STORE_add_cert(store, x509);
++		    X509_free(x509);
++		}
++	    }
++	}
++
++	CertFreeCertificateContext(pContext);
++	CertCloseStore(hStore, 0);
++    }
++#endif
++
+ #endif
+ }
+ 
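Review bot: `d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded)` is wrong in two ways: d2i functions advance the pointer they are handed, so this writes back into the CryptoAPI-owned CERT_CONTEXT, and because `pContext` is a `PCCERT_CONTEXT` (pointer to const) the argument is a pointer to a const pointer, which the compiler will at least warn about. Decode from a local copy instead: `const unsigned char *p = pContext->pbCertEncoded; x509 = d2i_X509(NULL, &p, pContext->cbCertEncoded);`. Three smaller points on the same block. `CertOpenSystemStore(0, "ROOT")` is an A/W macro: in a build that defines UNICODE it resolves to CertOpenSystemStoreW and the narrow literal will not compile, so write `CertOpenSystemStoreA(0, "ROOT")`. `CertFreeCertificateContext(pContext)` and `CertCloseStore(hStore, 0)` sit outside `if (hStore)`, so they run with a NULL store handle when the open failed, and `pContext` is always NULL after the loop because CertEnumCertificatesInStore frees the previous context when it returns NULL; move the close inside the `if` and drop the free. The return value of `X509_STORE_add_cert` is ignored: with the OpenSSL versions in use here, adding a certificate the store already holds (a root that `X509_STORE_set_default_paths` already loaded, or a duplicate in ROOT) fails with X509_R_CERT_ALREADY_IN_HASH_TABLE and leaves that on the error queue, where neon's later error reporting can pick it up, so check the return and call ERR_clear_error() on failure. Finally, the commit message should state that this takes every certificate in ROOT as a trust anchor as-is: Windows' own chain engine would additionally consult the Disallowed store and per-certificate properties, and none of that is reproduced here.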

-- 
To view, visit https://gerrit.libreoffice.org/2741
To unsubscribe, visit https://gerrit.libreoffice.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iddbd3d61413aa52adbed3f9a0239a364e70668d8
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: master
Gerrit-Owner: Tor Lillqvist <tml at iki.fi>


