Remove outdated ca-bundle.crt and use system default #116

default/Makefile.am

@@ -27,7 +27,6 @@ nobase_nodist_default_DATA = \
 	list_aliases.tt2
 nobase_default_DATA = \
 	auth.conf \
-	ca-bundle.crt \
 	charset.conf \
 	crawlers_detection.conf \
 	create_list.conf \

src/lib/Conf.pm

@@ -825,21 +825,6 @@ sub checkfiles {
         }
     }
 
-    ## Check cafile and capath access
-    if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
-        unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
-            $log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
-            $config_err++;
-        }
-    }
-
-    if (defined $Conf{'capath'} && $Conf{'capath'}) {
-        unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
-            $log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
-            $config_err++;
-        }
-    }
-
     # Check if directory parameters point to the same directory.
     my @keys = qw(bounce_path etc home
         queue queueauth queuebounce queuebulk queuedigest
@@ -1907,12 +1892,6 @@ sub _infer_server_specific_parameter_values {
 
     $param->{'config_hash'}{'robot_name'} = '';
 
-    unless ((defined $param->{'config_hash'}{'cafile'})
-        || (defined $param->{'config_hash'}{'capath'})) {
-        $param->{'config_hash'}{'cafile'} =
-            Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
-    }
-
     unless (
         Sympa::Tools::Data::smart_eq(
             $param->{'config_hash'}{'dkim_feature'}, 'on'

src/lib/Makefile.am

@@ -58,7 +58,6 @@ nobase_modules_DATA = \
 	Sympa/DatabaseManager.pm \
 	Sympa/Datasource.pm \
 	Sympa/Family.pm \
-	Sympa/Fetch.pm \
 	Sympa/HTML/FormatText.pm \
 	Sympa/HTMLDecorator.pm \
 	Sympa/HTMLSanitizer.pm \

src/lib/Sympa/DatabaseDriver/LDAP.pm

@@ -81,19 +81,6 @@ sub _connect {
             $log->syslog('err', 'Can\'t load IO::Socket::SSL');
             return undef;
         }
-
-        # Earlier releases of IO::Socket::SSL would fallback SSL_verify_mode
-        # to SSL_VERIFY_NONE when there are no usable CAfile nor CApath.
-        # However, recent releases won't: They simply deny connection.
-        # As a workaround, make ca_file or ca_path parameter mandatory unless
-        # "none" is explicitly assigned to ca_verify parameter.
-        unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
-            unless ($self->{ca_file} or $self->{ca_path}) {
-                $log->syslog('err',
-                    'Neither ca_file nor ca_path parameter is specified');
-                return undef;
-            }
-        }
     }
 
     # new() with multiple alternate hosts needs perl-ldap >= 0.27.
@@ -105,8 +92,8 @@ sub _connect {
             : ($self->{ca_verify} eq 'required') ? 'require'
             :                                      $self->{ca_verify}
         ),
-        capath     => $self->{'ca_path'},
-        cafile     => $self->{'ca_file'},
+        ($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
+        ($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
         sslversion => $self->{'ssl_version'},
         ciphers    => $self->{'ssl_ciphers'},
         clientcert => $self->{'ssl_cert'},
@@ -132,8 +119,8 @@ sub _connect {
                 : ($self->{ca_verify} eq 'required') ? 'require'
                 :                                      $self->{ca_verify}
             ),
-            capath     => $self->{'ca_path'},
-            cafile     => $self->{'ca_file'},
+            ($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
+            ($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
             sslversion => $self->{'ssl_version'},
             ciphers    => $self->{'ssl_ciphers'},
             clientcert => $self->{'ssl_cert'},