Re: SSL is broken on FreeBSD

Board: FB_security | Posted: 2011/04/06 08:32 | Thread 35/42
On 04/06/11 00:30, Frank J. Cameron:

> The default name for the ca cert bundle is defined in
> crypto/cryptlib.h, as are the environment variables
> SSL_CERT_FILE and SSL_CERT_DIR.

May be. But as far as I know those variables don't affect the s_client application.

> So, should the port be linking?:
> /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt

Even in the case I'm not right and there IS "implicit -CApath" then my answer to your question is "No".

1. Installation of ca-root-nss.crt doesn't mean it's installed for use with openssl. So we should not affect the openssl behavior automatically.

2. Such a link will affect all users of the system. Decision "what CA is trustful" should remain a personal decision, not the system administrator decision, by default. Installation of ca-root-nss should not hit all users of the system automatically.

Dan

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #1DcxI3hf (FB_security)
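Added example (not part of the original message, and not FreeBSD or OpenSSL code): a small audit that reports whether the CA bundle a program would pick up comes from the compiled-in system default or from a per-user SSL_CERT_FILE / SSL_CERT_DIR setting, and whether that path is a symlink such as the one proposed in the thread. It assumes a client that loads OpenSSL's default verify locations (Python's ssl module is used to read the compiled-in names) and says nothing about s_client; the function name trust_store_report is hypothetical.

```python
import os
import ssl


def trust_store_report(environ=None):
    """Report which CA file/dir a default-verify-paths client would use.

    environ is the environment to evaluate (defaults to os.environ), so the
    same check can be run for a system-wide and a per-user configuration.
    """
    environ = os.environ if environ is None else environ
    d = ssl.get_default_verify_paths()  # compiled-in paths and env var names
    report = {}
    for kind, env_name, built_in in (
        ("cafile", d.openssl_cafile_env, d.openssl_cafile),
        ("capath", d.openssl_capath_env, d.openssl_capath),
    ):
        override = environ.get(env_name)
        path = built_in if override is None else override
        report[kind] = {
            "env_var": env_name,
            "built_in": built_in,
            # A set variable is a choice made in that user's environment;
            # otherwise the compiled-in location applies to every user.
            "source": "per-user environment" if override is not None
                      else "system default",
            "path": path,
            "exists": os.path.exists(path),
            # A symlink here is how a port could silently make one bundle
            # the trust store for all users; show where it really points.
            "symlink_target": os.path.realpath(path)
                              if os.path.islink(path) else None,
        }
    return report


if __name__ == "__main__":
    for kind, info in trust_store_report().items():
        print(kind)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

Running it once with an empty environment and once with a user's own environment shows whether trust is being decided system-wide or per user.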