[oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Sam Varshavchik mrsam at courier-mta.com
Mon May 7 13:06:52 CEST 2012

Nikos Mavrogiannopoulos writes:

> The initial idea was that applications know which certificates to
> trust, or which CAs to trust. For example I might trust verisign for
> web browsing but only my local CA for smtp.
> I still believe in the above, but for several applications it seems
> it may not make sense. Currently I like the part of the patch of Ludwig
> that introduces a gnutls_certificate_set_x509_system_trust(), but it
> doesn't set any defaults (because there don't exist in all systems).
> For that I'd like more input from the library users here. Are there
> standard practices in Linux distributions and other POSIX systems that
> would allow to deduce that there is a common trusted certificate bundle?

Debian installs /etc/ssl/certs/ca-certificates.crt. Fedora and its
derivatives (Red Hat, CentOS) have /etc/pki/tls/cert.pem installed.
FreeBSD has /usr/local/share/certs/ca-root-nss.crt

The standard practice on Fedora is to have applications configured or
patched to use its default /etc/pki/tls/cert.pem certificate bundle.
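An added example (not from this message, and not GnuTLS or evolution-data-server code) of what "using the system bundle" looks like from an application's side. It probes the three distribution bundle paths listed above, refuses a bundle that exists but holds no certificates, and builds a verifying client context next to the do-nothing context that the subject line describes. It uses Python's standard ssl module rather than the GnuTLS API; the function names, the injectable exists() hook and the PEM sample in the test are assumptions of this example.

```python
import os
import ssl

# Distribution CA bundle locations named in the message above
# (Debian, Fedora/Red Hat/CentOS, FreeBSD), probed in this order.
CANDIDATE_CA_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
)

PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----"


def find_system_ca_bundle(candidates=CANDIDATE_CA_BUNDLES, exists=os.path.isfile):
    """Return the first candidate bundle present on this host, or None.

    `exists` is injectable (assumption of this example) so the probe can be
    exercised on a host whose layout differs from the one being modelled.
    """
    for path in candidates:
        if exists(path):
            return path
    return None


def count_pem_certificates(pem_text):
    """Count certificate blocks in PEM text.

    A bundle that exists but carries zero certificates makes every
    verification fail; detecting that up front is better than debugging
    'all connections broke' later.
    """
    return sum(1 for line in pem_text.splitlines() if line.strip() == PEM_CERT_BEGIN)


def insecure_context():
    """The 'no SSL checking' configuration: any certificate is accepted.

    Kept only as the counterexample. check_hostname must be cleared before
    verify_mode is relaxed, otherwise ssl raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(bundle_path=None, exists=os.path.isfile):
    """Client context that requires a chain to a CA in the system bundle
    and checks the peer's hostname.

    Raises FileNotFoundError if no bundle can be located and ValueError if
    the located bundle contains no certificates.
    """
    if bundle_path is None:
        bundle_path = find_system_ca_bundle(exists=exists)
    if bundle_path is None:
        raise FileNotFoundError(
            "no system CA bundle found; looked for " + ", ".join(CANDIDATE_CA_BUNDLES)
        )
    with open(bundle_path, "r", encoding="utf-8", errors="replace") as fh:
        pem_text = fh.read()
    if count_pem_certificates(pem_text) == 0:
        raise ValueError("%s contains no certificates" % bundle_path)

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already defaults to these; stated explicitly so a
    # later edit cannot silently weaken them.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=pem_text)
    return ctx


if __name__ == "__main__":
    bundle = find_system_ca_bundle()
    print("system CA bundle:", bundle)
    if bundle is not None:
        with open(bundle, "r", encoding="utf-8", errors="replace") as fh:
            print("certificates in bundle:", count_pem_certificates(fh.read()))
```

The GnuTLS counterpart of the probe is the gnutls_certificate_set_x509_system_trust() call that the quoted patch introduces; the point of the example is the same in either library: the application must load a trust store and require verification, and on these systems the store is at a known per-distribution path rather than something each application should ship itself.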


More information about the Gnutls-help mailing list