git send-email fails SSL certificate verification

The entire thread is at: https://<email address hidden>/msg42105.html

If I revert this change, or set smtpsslcertpath = '/etc/ssl/certs' in my .gitconfig, the issue goes away.

It sounds like you have some understanding of the problem, so I suggest pointing it out upstream (perhaps in reply to that thread).

This has been fixed in git 1:1.9.1-1

I am using git (1:1.9.1-0ppa1~precise1) here on Ubuntu/precise AMD64 and was not able to send a patch to linux-fsdevel via GoogleMail.

The above workaround helped me (for the sake of completeness the snippet from my dot-gitconfig):

[ ~/.gitconfig]
...
[sendemail]
        smtpserver = smtp.gmail.com
        smtpserverport = 587
        smtpencryption = tls
        smtpuser = <email address hidden>
        smtpsslcertpath = '/etc/ssl/certs'
...

Anders can you offer a backport, please. THX in advance.

Reading and verifying above bug-reports I have here in 'git-send-email.perl':

[ /usr/lib/git-core/git-send-email ]
...
sub ssl_verify_params {
...
        if (!defined $smtp_ssl_cert_path) {
                # use the OpenSSL defaults
                return (SSL_verify_mode => SSL_VERIFY_PEER());
...

So, the real problems seems to be to have a higher version of libio-socket-ssl-perl (here on precise: 1.53-1).

From git (1.9.1-1) changelog:
...
  [ Jonathan Nieder ]
  * git-email: Recommends: libio-socket-ssl-perl (>= 1.951) since
    earlier versions do not use OpenSSL's defaults when ca_path
    and ca_file are unset.
...

- Sedat -

The only difference between 1.9.1-0ppa1~precise1 and 1.9.1-1 is that 1.9.1-1 recommends libio-socket-ssl-perl (>= 1.951). The changelog for IO::Socket::SSL lists:

1.951 2013/7/3
- better document builtin defaults for key,cert,CA and how they are depreceated
- use Net::SSLeay::CTX_set_default_verify_paths to use openssl's builtin
  defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins
  used)

Precise’s libio-socket-ssl-perl is too old, and I’m not going to add a newer one to the PPA because it could have unforeseen effects on packages other than Git.

What is your suggestion?
Fix local/global gitconfig?

Or revert that change?
...
- $smtp_ssl_cert_path = "/etc/ssl/certs";
+ # use the OpenSSL defaults
+ return (SSL_verify_mode => SSL_VERIFY_PEER());
...

I can understand your concerns in case of a higher version of libio-socket-ssl-perl, but a user-friendly solution would be kind for git-precise-ppa users.

I’m pushing 1:1.9.1-1~ppa0~precise2 with that change reverted to the candidate PPA:
  https://launchpad.net/~git-core/+archive/candidate
Sedat, once it builds (should be within two hours or so), can you let me know if it works for you?

Without the smtpsslcertpath-line in my local ~/.gitconfig and the new git-core packages everything works like expected.

[ /etc/apt/sources.list.d/git-core-candidate-precise.list ]
       deb http://ppa.launchpad.net/git-core/candidate/ubuntu precise main
deb-src http://ppa.launchpad.net/git-core/candidate/ubuntu precise main

$ dpkg -l | grep git-core
ii git-core 1:1.9.1-1~ppa0~precise2 fast, scalable, distributed revision control system (obsolete)

Hmm, your changelog has no reference to this bug-no.
And I would name the Ubuntu package libio-socket-ssl-perl instead of IO::Socket::SSL.

[ Snip ]
  * Revert commit v1.8.5.5~5^2 (send-email: /etc/ssl/certs/ directory may
    not be usable as ca_path), which requires IO::Socket::SSL 1.951, and
    remove the associated versioned Recommends.
[Snap]