SSL is broken on FreeBSD

Board: FB_security, posted 2011/04/02 02:01
Hi folks,

Could somebody explain to me how it is possible to ship an operating system without testing basic functionality like SSL working?

Unfortunately the problem is still there after installing the following port:

/usr/ports/security/ca_root_nss

http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22
About 1,490 results (0.14 seconds)

openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -dates

depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
notBefore=Oct 8 00:00:00 2010 GMT
notAfter=Oct 7 23:59:59 2013 GMT

FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is like shipping a car without wheels, I suppose. Is there a reason to do this? How much effort would it be to ship a complete SSL stack, including the root CAs, just like any other vendor/community does?

Thanks.

I.

--
the sun shines for all

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1DbXBY5c (FB_security)
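Added example, not part of the original post: a reproduction of the "unable to get local issuer certificate" (error 20) result with throwaway certificates, showing that it depends on which trust anchors OpenSSL is given for verification. The CA and leaf names and the helper functions (`make_chain`, `verify_leaf`, `demo`) are constructed for illustration; the script assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Constructed demo: all keys and certificates are throwaway test material.

# Create a self-signed CA and a leaf certificate signed by it inside $1.
make_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Verify the leaf in $1. With no second argument only OpenSSL's default
# trust locations are consulted, which cannot contain the constructed CA.
# With a second argument that file is passed as the trust anchor bundle.
verify_leaf() {
    dir=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$dir/leaf.crt" 2>&1
    else
        openssl verify "$dir/leaf.crt" 2>&1
    fi
    return 0   # callers inspect the text; exit codes differ across versions
}

# Run both checks on a fresh chain and print the two results side by side.
demo() {
    work=$(mktemp -d) || return 1
    make_chain "$work" || { rm -rf "$work"; return 1; }
    echo "without trust anchor: $(verify_leaf "$work")"
    echo "with trust anchor:    $(verify_leaf "$work" "$work/ca.crt")"
    rm -rf "$work"
}

demo
```

The same distinction applies to `openssl s_client`, which accepts `-CAfile` to name the bundle used for verification; the location of the bundle installed by the port is not given in the post.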