Re: SSL is broken on FreeBSD

On Sat, Apr 02, 2011 at 12:42:04AM +0200, Roberto Nunnari wrote:
> Istv??n wrote:
> >work:
> >
> > without the following error => "verify error:num=20:unable to get local
> >issuer certificate"
> 
> Hi.
> It works for me if you correct the sed command and suppress sdterr..

Well, I cleaned that up, too.

That you got this same command to work implies you have a different
set of CAs than I.

His point (someone please correct me, if neccessary) is that without
what he considers a reasonable set of trusted CAs in place, SSL under
FreeBSD is 'broken'.

I interpret this thread now to be a debate of terms 'reasonable'
and 'trusted', and further, who's responsibility is it to populate
that list of CAs on his machine.

> $ uname -rms
> FreeBSD 6.4-RELEASE-p8 i386
> $ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null | 
> sed -ne /-BEGIN\ CERTIFICATE-/,/-END\ CERTIFICATE-/p |openssl x509 
> -noout -subject -dates
> subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
> notBefore=Oct  8 00:00:00 2010 GMT
> notAfter=Oct  7 23:59:59 2013 GMT
> 
> So, it seems to be just a RexExp error..
> 
> Best regards.
> Robi

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large	
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"