[precise] Too few certificate authorities listed after upgrade to 12.04

I just tested this in a VM, and evolution shows zero certificate authorities.

Unsurprisingly with 0 certificate authorities, said VM is prompted with the same 'Bad signature' dialog when trying to send mail to smtp.canonical.com.

Status changed to 'Confirmed' because the bug affects multiple users.

Added an evolution task as it isn't clear if it is evolution or nss that is the problem.

FYI, I also get the ssl cert dialog when connecting using IMAP.

I did get that dialog too.

I must still be missing something but now I got a little farther into looking up the certificates. It seems to be as though evolution is supposed to load built-in certs from NSS from the nssckbi.so file; which comes from /usr/lib/<triplet>/nss. Unfortunately, evolution uses nss's libdir directly to look for nssckbi, so it probably just looks for it in one directory too low (missing "/nss"). Seems like this is probably something that changed in NSS itself, but I'll first verify this with a test patch in evo.

This bug was fixed in the package evolution - 3.2.2-0ubuntu3

---------------
evolution (3.2.2-0ubuntu3) precise; urgency=low

  * debian/patches/nss-paths.patch: get evolution to look at the right place
    for nssckbi; to load built-in SSL certs. (LP: #911592)
 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 04 Jan 2012 11:52:56 -0500

Thanks for the fix Mathieu. I can confirm the evolution is working properly again.

Is the change something we need to fix in other places (or centrally in nss) or was it just evolution getting it wrong?

As far as I could tell it's just evolution doing it wrong -- we can certainly see firefox and chromium appear to be fine. I couldn't check curl simply (libcurl3-nss uses libnss3). I couldn't see a list of certificate authorities in Pidgin but deleting the certificates and disconnecting/reconnecting I saw them re-added and no pop-up telling me they couldn't be validated. I haven't looked at the other reverse-build-depends of libnss3-dev.

It seemed clear that the way of looking for nssckbi in evolution was "wrong", but I still need to check to be sure if it's debian-specific or general to have a libdir for the actual nss libraries and an extra directory nss/ under that libdir for the "modules" and nssckbi. Maybe there's a better way to fix this, but I can't think of how in nss (unless we were to start shipping an extra variable in nss.pc specifically for nssckbi's path).

In other words, to make this better we could ship an extra var in nss.pc for the nssckbi path, but it looks like it was just evolution affected here; there's more investigation needed to certain whether it's worth it. libdir itself can't really be changed, since it needs to point to the actual location of the nss libraries.

Let's mark this as 'Invalid' in nss for now. If needed, we can reopen. Thanks again Mathieu.

[I've tried to post this several times, and it keeps disappearing before I can commit. Apologies if it appears more than once.]

I seem to be having the same problem with Evolution 3.2.2-0ubuntu0.1 and libnss3 3.14.1-0ckbi1.93ubuntu.0.11.10.1 under Ubuntu 11.10. I'm not yet ready to upgrade to precise, so I'm wondering if there is any way to backport the fix.