Re: SSL is broken on FreeBSD

Board: FB_security, posted 2011/04/02 02:01
István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA

No. The list of trusted CAs is the list of CAs that you trust. It is related to the policies of the particular CA, the law in the country where the CA operates, the overall reputation of such a CA - and your personal preferences and paranoia level.

Only you personally can decide what CA is a "trustful CA" for you.

Of course, you can accept a list created by someone else if you wish - you mentioned security/ca_root_nss. But it's still your personal decision.

Yes, someone else's list may not contain some CAs that you classified as trusted - and, worse, it may contain some CAs you don't consider trustable. It's your risk when adopting a list from an external source, and you should not adopt such a list blindly unless security is "unimportant" for you.

But back to your problem - FreeBSD contains NO list of trusted CAs and it SHOULD NOT contain one.

The port security/ca_root_nss is NOT part of the operating system - if you want to change it you need to ask its author. Or use a list prepared by someone else. Or prepare your own list (it's the most secure way).

Dan

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #1DbXBYg2 (FB_security)