diff options
| author | Tor Lillqvist <tml@iki.fi> | 2013-03-15 11:22:04 +0200 |
|---|---|---|
| committer | Fridrich Strba <fridrich@documentfoundation.org> | 2013-03-15 09:51:47 +0000 |
| commit | 07073a198a644d67579a00984aae208c79c4f92f (patch) | |
| tree | 3836436ea95a3bf341ed4494270bf745b86fc233 /neon | |
| parent | 1d1712c350861cc90b305cb5533b2913b030f494 (diff) | |
Use the system root certificates in Neon's ne_ssl_trust_default_ca() on Win32
Fixes a problem that was noticed when working on bnc#805901, which is about
documents opened from WebDAV (using https) not being locked (in the WebDAV
sense).
For some reason, at least in the 3.6 branch, I noticed that LibreOffice did
not manage to open any connection to the WebDAV server. The error message
"Server error message: Server certificate verification failed: issuer is not
trusted" was displayed.
Turning on Neon logging I saw the OpenSSL error code 19
(X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) passing by.
Some googling turned up
http://stackoverflow.com/questions/4103472/ssl-handshake-fails-with-a-verisign-chain-certificate-that-contains-two-ca-s
. If I understand correctly, root certificates (which are the final ones in a
certificate chain) are by definition self-signed.
One can try this on Linux (or even on Windows, using the openssl command built
as part of the LibreOffice built):
openssl s_client -connect vibe.novell.com:443 -showcerts
and see that it also displays a message about this "error": "verify
error:num=19:self signed certificate in certificate chain"
One can get around that by passing the -CApath option:
openssl s_client -connect vibe.novell.com:443 -showcerts -CApath /etc/ssl/certs
on Linux. There is no corresponding directory with trusted certificates as
files on Windows.
This tells OpenSSL where to find a list of trusted root certificates.
Apparently when OpenSSL is used by LibreOffice it does not use the list of
trusted root certificates that Windows knows automatically. This patch makes
it do that when ne_ssl_trust_default_ca() is called.
Change-Id: Iddbd3d61413aa52adbed3f9a0239a364e70668d8
Reviewed-on: https://gerrit.libreoffice.org/2741
Reviewed-by: Fridrich Strba <fridrich@documentfoundation.org>
Tested-by: Fridrich Strba <fridrich@documentfoundation.org>
Diffstat (limited to 'neon')
| -rw-r--r-- | neon/neon.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/neon/neon.patch b/neon/neon.patch index 21e66d9a2a7a..95d6b55024b3 100644 --- a/neon/neon.patch +++ b/neon/neon.patch @@ -373,3 +373,51 @@ /* Returns non-zero if library is built with support for the given * NE_FEATURE_* feature code 'code'. */ +--- src/ne_openssl.c ++++ src/ne_openssl.c +@@ -41,6 +41,13 @@ + #include <pthread.h> + #endif + ++#ifdef WIN32 ++#define X509_NAME WIN32_X509_NAME ++#include <windows.h> ++#include <wincrypt.h> ++#undef X509_NAME ++#endif ++ + #include "ne_ssl.h" + #include "ne_string.h" + #include "ne_session.h" +@@ -798,6 +798,31 @@ + X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL); + #else + X509_STORE_set_default_paths(store); ++#ifdef WIN32 ++ { ++ HCERTSTORE hStore; ++ PCCERT_CONTEXT pContext = NULL; ++ X509 *x509; ++ ++ hStore = CertOpenSystemStore(0, "ROOT"); ++ if (hStore) ++ { ++ while (pContext = CertEnumCertificatesInStore(hStore, pContext)) ++ { ++ x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded); ++ if (x509) ++ { ++ X509_STORE_add_cert(store, x509); ++ X509_free(x509); ++ } ++ } ++ } ++ ++ CertFreeCertificateContext(pContext); ++ CertCloseStore(hStore, 0); ++ } ++#endif ++ + #endif + } + |