Re: git: e11bc4726338 - main - mail/opensmtpd: Use the correct OpenSSL idiom to load the trust store.

From: Michael Osipov <michaelo_at_FreeBSD.org>
Date: Mon, 30 Oct 2023 08:48:33 UTC
On 2023-10-30 08:38, Pietro Cerutti wrote:
> On Oct 27 2023, 09:16 UTC, Dag-Erling Smørgrav <des@FreeBSD.org> wrote:
>> The branch main has been updated by des:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=e11bc472633868a658ecbb8176b2b3ede4ae6e0d
>>
>> commit e11bc472633868a658ecbb8176b2b3ede4ae6e0d
>> Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
>> AuthorDate: 2023-10-27 09:16:29 +0000
>> Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
>> CommitDate: 2023-10-27 09:16:43 +0000
>>
>>    mail/opensmtpd: Use the correct OpenSSL idiom to load the trust store.
>>
>>    Fixes:          bde578cbfcf9
>>    PR:             274322
>>    MFH:            2023Q4
>>    Approved by:    fluffy
>>    Differential Revision:  https://reviews.freebsd.org/D42123
> 
> Hi, thanks for working on this. I thought this would be enough to run 
> OpenSMTPD without ca_root_nss, but apparently that is not the case:
> 
> I upgraded to 7.3.0_2,1, removed ca_root_nss, restarted smtpd, and got
> 
> tls_config_set_ca_file: failed to open CA file '/etc/ssl/cert.pem': No 
> such file or directory

Looking at: 
https://github.com/search?q=repo%3AOpenSMTPD%2FOpenSMTPD%20tls_default_ca_cert_file&type=code

My assessment is that the code is logically wrong. It assumes that 
tls_default_ca_cert_file() always returns an existing file. I would 
expect that the caller tests for existence or the function returns NULL 
if the file does not exist.
For my taste, there are too many assumptions here.

Please do "touch ..." and see whether this works until the issue is 
fully resolved.

M
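
One way to express the caller-side check described in the reply above, as an added example (not code from this thread or from OpenSMTPD). The helper names `probe_ca_file` and `ca_file_or_null` are hypothetical, and treating a missing file as skippable while any other failure is fatal is an assumed policy.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of probing a candidate CA bundle path. */
enum ca_probe { CA_USABLE, CA_ABSENT, CA_ERROR };

/*
 * Hypothetical helper: classify a path before it is handed to the TLS
 * library. It fstat()s the opened descriptor, so the existence test and
 * the type test refer to the same object.
 */
enum ca_probe probe_ca_file(const char *path)
{
	struct stat sb;
	int fd, ok;

	if (path == NULL)
		return CA_ABSENT;
	/* O_NONBLOCK keeps open() from hanging if the path is a FIFO. */
	fd = open(path, O_RDONLY | O_NONBLOCK);
	if (fd == -1)
		return (errno == ENOENT || errno == ENOTDIR) ? CA_ABSENT : CA_ERROR;
	ok = (fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode));
	close(fd);
	return ok ? CA_USABLE : CA_ERROR;
}

/*
 * Returns path when it can be loaded, NULL otherwise. *fatal is set only
 * for failures other than "file is not there" (assumed policy).
 */
const char *ca_file_or_null(const char *path, int *fatal)
{
	enum ca_probe r = probe_ca_file(path);

	*fatal = (r == CA_ERROR);
	return (r == CA_USABLE) ? path : NULL;
}

int main(void)
{
	int fatal;
	const char *ca = ca_file_or_null("/etc/ssl/cert.pem", &fatal);
	printf("ca file: %s, fatal: %d\n", ca ? ca : "(none)", fatal);
	return 0;
}
```

The probe checks only existence and file type, so an empty file created with `touch` is still classified as usable.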