Re: SSL is broken on FreeBSD

Board: FB_security   Author: (not shown)   Time: 14 years ago (2011/04/07 02:01)   Pushes: 0 (0 up, 0 down, 0 neutral)
0 comments, 0 participants, thread 42/42
On Tue, Apr 5, 2011 at 5:30 PM, Frank J. Cameron <cameron@ctc.com> wrote:
>> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
>> be used by the "openssl s_client" command by default (without -CAfile
>> command line argument).
>
> http://curl.haxx.se/mail/archive-2003-07/0036.html
>         Unfortunately, the information about this is not in the current
>         OpenSSL documentation. You have to read the source code or
>         see discussion about it in the openssl-dev mailing list.
>         There is a reference to the X509_get_default_cert_file and
>         X509_get_default_cert_file_env in the obsolete ssleay.txt file
>         in the OpenSSL document directory, but that is about it. The only
>         references that I know to the SSL_CERT_FILE and SSL_CERT_DIR
>         environment variables (other than in the source code itself) are
>         in the old "SSLeay and SSLapps FAQ" which is not distributed with
>         OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/).
>         See some correspondence about these defaults in the openssl-dev
>         mailing list in a thread started by me in December 2002
>         (with a fix for the code by Richard Levitte and Rich Salz):
>         "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"
>
>         The default name for the ca cert bundle is defined in
>         crypto/cryptlib.h, as are the environment variables
>         SSL_CERT_FILE and SSL_CERT_DIR.
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
>         #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
>         OPENSSLDIR=/usr/local/ssl
>

FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL as
part of a buildworld; instead we use our own custom Makefiles in
secure/lib/libcrypto. The only place where OPENSSLDIR is defined is in
secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h

http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-amd64.h?revision=194207&view=markup

    #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
    #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
    #define ENGINESDIR "/usr/lib/engines"
    #define OPENSSLDIR "/etc/ssl"
    #endif
    #endif

> So, should the port be linking?:
> /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
>

The port is creating the correct link for the base install of openssl.

Scotr

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
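The whole thread turns on three values that are baked into libcrypto at build time and that the OpenSSL documentation of the day did not describe: X509_get_default_cert_file() (OPENSSLDIR "/cert.pem"), X509_get_default_cert_dir(), and the SSL_CERT_FILE / SSL_CERT_DIR environment variables that override them. The following script is an added example, not code from the thread, from FreeBSD or from OpenSSL. It uses only the Python standard library, whose ssl.get_default_verify_paths() exposes exactly those values for the libcrypto the interpreter is linked against, and it replays OpenSSL's lookup order (environment variable first, then the compiled-in default) against a constructed directory tree that imitates the FreeBSD layout discussed above: one build with OPENSSLDIR=/etc/ssl that finds the ca_root_nss link, one with OPENSSLDIR=/usr/local/ssl that finds only a dangling link, and the SSL_CERT_FILE override that repairs the second without relinking. The directory names, the placeholder bundle and the two hypothetical OPENSSLDIR values are assumptions made for the demo.

```python
"""Which CA bundle will OpenSSL open when no -CAfile/-CApath is given?

Added example (not from the mailing-list thread, FreeBSD or OpenSSL).
Standard library only: ssl.get_default_verify_paths() returns the values of
X509_get_default_cert_file(), X509_get_default_cert_dir() and the override
variable names SSL_CERT_FILE / SSL_CERT_DIR for the linked libcrypto.
The directory tree built by make_demo_tree() is constructed for the demo.
"""
import os
import ssl
import tempfile
from typing import Dict, Mapping, Optional


def fake_verify_paths(openssl_dir: str) -> ssl.DefaultVerifyPaths:
    """Model a hypothetical OpenSSL built with OPENSSLDIR=openssl_dir.
    Constructed for the demo; the env-variable names are OpenSSL's real ones."""
    return ssl.DefaultVerifyPaths(
        None, None,
        "SSL_CERT_FILE", os.path.join(openssl_dir, "cert.pem"),
        "SSL_CERT_DIR", os.path.join(openssl_dir, "certs"),
    )


def resolve_default_store(env: Mapping[str, str],
                          paths: Optional[ssl.DefaultVerifyPaths] = None
                          ) -> Dict[str, Dict[str, object]]:
    """Replay OpenSSL's lookup order for the default trust store: the
    environment variable wins if set, otherwise the compiled-in default.
    Reports whether the winner is actually usable; a symlink whose target
    is missing is not (open() fails on it just as on an absent file)."""
    if paths is None:
        paths = ssl.get_default_verify_paths()   # the running libcrypto's values
    report: Dict[str, Dict[str, object]] = {}
    for kind, env_name, default, exists in (
        ("cafile", paths.openssl_cafile_env, paths.openssl_cafile, os.path.isfile),
        ("capath", paths.openssl_capath_env, paths.openssl_capath, os.path.isdir),
    ):
        if env_name in env:
            source, path = "env:" + env_name, env[env_name]
        else:
            source, path = "compiled-in default", default
        report[kind] = {
            "source": source,
            "path": path,
            "usable": exists(path),   # isfile/isdir follow symlinks
            "dangling_symlink": os.path.islink(path) and not os.path.exists(path),
        }
    return report


def make_demo_tree() -> Dict[str, str]:
    """Constructed filesystem imitating the FreeBSD box in the thread: the
    ca_root_nss port installs a bundle and links /etc/ssl/cert.pem to it,
    while /usr/local/ssl (the OPENSSLDIR seen in the upstream Makefile) holds
    only a dangling link.  The bundle content is a placeholder, not a cert."""
    root = tempfile.mkdtemp(prefix="openssl-defaults-")
    bundle = os.path.join(root, "usr/local/share/certs/ca-root-nss.crt")
    os.makedirs(os.path.dirname(bundle))
    with open(bundle, "w") as fh:
        fh.write("# constructed placeholder for the ca_root_nss bundle\n")
    base_dir = os.path.join(root, "etc/ssl")
    os.makedirs(base_dir)
    os.symlink(bundle, os.path.join(base_dir, "cert.pem"))            # good link
    port_dir = os.path.join(root, "usr/local/ssl")
    os.makedirs(port_dir)
    os.symlink(os.path.join(root, "usr/local/share/certs/missing.crt"),
               os.path.join(port_dir, "cert.pem"))                    # dangling link
    return {"root": root, "bundle": bundle, "base_dir": base_dir, "port_dir": port_dir}


def loaded_default_ca_count() -> int:
    """CA certificates the running OpenSSL really loaded from its default
    store.  X509_STORE_set_default_paths() clears errors and reports success
    even when cert.pem cannot be opened, so an empty store is the only symptom."""
    ctx = ssl.create_default_context()
    return ctx.cert_store_stats()["x509_ca"]


def main() -> None:
    tree = make_demo_tree()
    for openssl_dir in (tree["base_dir"], tree["port_dir"]):
        for env in ({}, {"SSL_CERT_FILE": tree["bundle"]}):
            r = resolve_default_store(env, fake_verify_paths(openssl_dir))["cafile"]
            print(f"OPENSSLDIR={openssl_dir} env={env}: {r['source']} -> "
                  f"{r['path']} usable={r['usable']} dangling={r['dangling_symlink']}")
    print("this interpreter's libcrypto:", resolve_default_store(os.environ))
    print("CA certs in a default context:", loaded_default_ca_count())


if __name__ == "__main__":
    main()
```

The same check from the shell is `openssl version -d` to print OPENSSLDIR, then looking at `$OPENSSLDIR/cert.pem` and `$OPENSSLDIR/certs` with `ls -L`; a port-built `openssl` and the base `openssl` can report different directories, which is why a link that satisfies one binary does nothing for the other.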
文章代碼(AID): #1DdAfeMr (FB_security)