Re: SSL is broken on FreeBSD
On Wed, Apr 06, 2011 at 03:01:30AM +0200, Dan Lukes wrote:
> On 6.4.2011 2:15, Chuck Swiger:
> >>2. Such a link will affect all users of the system. The decision "what CA is trustworthy" should remain a personal decision, not the system administrator's decision, by default.
> >There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for its intended role.
>
> I have been a network administrator in a bank. Be sure that "installation
> of a data pack" is a very different task from "changing security-related
> behavior of a program that may/will affect all users".
>
> In the environment you mentioned, e.g. a company taking security
> questions seriously, the skilled administrator (and/or security
> officer) will evaluate the situation and will create the link that
> affects all users, if appropriate.
>
> They will not be interested in a blind "automagic" change.
>
> As I said before, installation of a CA bundle SHOULD NOT affect all
> users automatically. "pkg_add" doesn't know who installs such a pack,
> nor why such a pack is installed, so it can't decide the answer.
>
This is a lost cause. Just to add another .02, bringing the total to
somewhere in the 100s.
If you truss the command above before and after creating said links
in /usr/local/etc/ssl and in /etc/ssl, you'll see that there is no default
CAfile or CApath searched for.
s_client(1)
The s_client command implements a generic SSL/TLS client which
connects to a remote host using SSL/TLS. It is a very useful
diagnostic tool for SSL servers
[...]
Maybe there should be an emphasis on ``diagnostic''
Security is not something that should be compromised by a default
configuration, but something that should be taught by example to the
end-user if they so require it. So with that in mind, it might not be
such a bad idea to add an "SSL the FreeBSD way" chapter to the handbook
that would assist in a security researcher's final decision to implement
the correct changes they are looking for.
Food for thought.
-- 
Regards,
J. Hellenthal
JJH48-ARIN
0x89D8547E
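As an added example (not part of this message or of the thread), here is a small POSIX sh wrapper that does what the post argues the user has to do anyway: pass the CA bundle to s_client explicitly, because no default CAfile/CApath is consulted, and check the "Verify return code" line rather than trusting that the handshake completed. The bundle path /usr/local/share/certs/ca-root-nss.crt is an assumption (where the ca_root_nss port installs its bundle); override it via CA_BUNDLE. The function names and the sample s_client output used for self-checking are mine.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the CA bundle lives at
# /usr/local/share/certs/ca-root-nss.crt (ca_root_nss port); override with
# CA_BUNDLE=/path/to/bundle.pem if your system differs.

CA_BUNDLE="${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}"

# Read s_client output on stdin and print the numeric "Verify return code".
# Prints 99 when no such line is present (connection failed, output truncated).
verify_code_from_output() {
    awk '
        /Verify return code:/ {
            # line looks like: "    Verify return code: 20 (unable to get local issuer certificate)"
            sub(/.*Verify return code: */, "")
            split($0, parts, " ")
            print parts[1]
            found = 1
            exit
        }
        END { if (!found) print 99 }
    '
}

# Connect to host:port with the CA bundle given explicitly (s_client does not
# fall back to a system default on its own) and return 0 only when the chain
# verified against that bundle. Any other verify code is treated as failure.
tls_check() {
    host="$1"
    port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$CA_BUNDLE" </dev/null 2>&1) || true
    code=$(printf '%s\n' "$out" | verify_code_from_output)
    case "$code" in
        0)  echo "$host:$port: chain verified against $CA_BUNDLE"; return 0 ;;
        99) echo "$host:$port: no verify result (connect failed?)"; return 1 ;;
        *)  echo "$host:$port: verification FAILED (verify return code $code)"; return 1 ;;
    esac
}

# Usage: tls_check example.org 443   (exit status is the verdict)
```

Note that a completed handshake says nothing about trust: s_client happily finishes the TLS session and then reports a non-zero verify code, so a script that only checks the exit status of s_client will accept an unverified chain. The point of the wrapper is to make that code the verdict.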
Thread (messages with the same subject). Full thread: this message is 38 of 42.