Re: SSL is broken on FreeBSD

Board: FB_security | Posted: 2011/04/06 06:01 | Thread post 33/42
Hello!

On Fri, Apr 1, 2011 at 5:33 PM, István <leccine@gmail.com> wrote:
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> openssl s_client -connect 72.21.203.148:443 </dev/null | ...

Hmm, IMHO quite simple question (it's all about OpenSSL application
config) has caused such a big and not-so-relevant discussion (about OS
as a whole) ;)

Actually, as I can see, just installing the ca_root_nss port (even
with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem") isn't enough
for feeding installed .crt file to 'openssl s_client' command:

dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
    Verify return code: 20 (unable to get local issuer certificate)

dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
    Verify return code: 0 (ok)

So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
be used by the 'openssl s_client' command by default (without -CAfile
command line argument).

Alas, both openssl(1) and s_client(1) lack FILES section so it's
unclear whether default value for -CAfile can be specified in some
configuration file. Moreover, openssl(1) refers to config(5), but
'man 5 config' tells about the FreeBSD kernel config, not OpenSSL's
one.

But yes, installing security/ca_root_nss port _and_ specifying
'-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your
problem.

-- 
Sincerely,
Dmytro
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
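
A small diagnostic for the comparison made in the message above, as an added example that is not part of the original post: it checks whether the default CA file is usable and reports the s_client verify code with and without -CAfile. The function names are hypothetical, and it assumes the default CA file is cert.pem inside the directory printed by `openssl version -d`.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: OpenSSL's default CA file is <OPENSSLDIR>/cert.pem.

# Print the directory OpenSSL was built to use for its defaults (OPENSSLDIR).
openssl_dir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Classify the default CA file <dir>/cert.pem as one of:
#   missing | dangling-symlink | no-certs | ok
ca_file_status() {
    f="$1/cert.pem"
    if [ -L "$f" ] && [ ! -e "$f" ]; then echo dangling-symlink; return; fi
    if [ ! -e "$f" ]; then echo missing; return; fi
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo ok
    else
        echo no-certs
    fi
}

# Read 'openssl s_client' output on stdin and print the numeric
# "Verify return code" (first occurrence), or nothing if the line is absent.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Run s_client twice, first with the default trust settings and then with an
# explicit -CAfile, and report both codes next to the state of cert.pem.
# usage: compare host:port /path/to/bundle.crt
# e.g.:  compare 72.21.203.148:443 /usr/local/share/certs/ca-root-nss.crt
compare() {
    d=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | verify_code)
    e=$(openssl s_client -CAfile "$2" -connect "$1" </dev/null 2>/dev/null | verify_code)
    echo "default=${d:-none} cafile=${e:-none} cert.pem=$(ca_file_status "$(openssl_dir)")"
}
```

A result such as `default=20 cafile=0 cert.pem=ok` reproduces what the post observed: the bundle is present and valid, yet s_client does not use it unless -CAfile is given.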
Article code (AID): #1Dcv4V9Z (FB_security)