From: Dan Strick <mla_strick@att.net>
Date: Mon, 16 Aug 2010 07:00:30 -0700 (PDT)
To: freebsd-questions@freebsd.org
Cc: mla@mist.nodomain
Subject: Re: fetchmail ssl certificate verification problem in FreeBSD 8.1
Message-Id: <201008161400.o7GE0UKZ002705@mist.nodomain>

On Mon, 16 Aug 2010 01:57, RW wrote:
> You'd be better off installing security/ca_root_nss otherwise you'll be
> stuck with a stale file.
>
> I don't know why you don't have it, it's a dependency of fetchmail and
> many other ports.

I had it but I didn't know it. I did discover the file it installed,
/usr/local/share/certs/ca-root-nss.crt, and started to use it for fetchmail
in place of the file from my old FreeBSD system.

After I read the above note from RW I figured out that it referred to a port,
that I had the port, that it was a dependency of fetchmail and had been
installed, and that it was probably the source of the file
/usr/local/share/certs/ca-root-nss.crt.

Erik Norgaard also mentioned the port, but I didn't understand at the time
that he was referring to a port. He also mentioned the file
/usr/src/crypto/openssl/FAQ, which very briefly discusses the issue and
mentions http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html,
which describes a mechanism for constructing a root certificate bundle from
some obscure data file apparently produced by the Mozilla project, but of
course I lacked the background to understand these things at the time. I
still don't understand them very well.

The relevant user options in my .fetchmailrc file are now:

    ssl
    sslproto SSL3
    sslcertck
    sslcertfile /usr/local/share/certs/ca-root-nss.crt
    sslfingerprint "..."

Perhaps, since fetchmail installs ca_root_nss as a dependency, it should also
default to using the installed CA root bundle file. Perhaps the fetchmail port
should have produced an installation message that mentioned these things.
Perhaps the port should patch the fetchmail man page to suggest using this
file with the sslcertfile option.

I have looked very, very hard for documentation on this stuff in an obvious
place but have not found any. Where should I have looked?

Thanks,
Dan Strick
mla_strick at att.net
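An added example, not part of this thread and not fetchmail's own code: a small checker for the .fetchmailrc verification options discussed above. It confirms that sslcertck is set, that sslcertfile points at a readable PEM bundle (the ca_root_nss path is assumed as the default), counts the certificates in that bundle, and flags a pinned sslproto SSL3 as obsolete. The option names it recognises are only those used in the thread.

```python
import re
from pathlib import Path

# Bundle installed by the security/ca_root_nss port (path as given in the thread).
DEFAULT_BUNDLE = "/usr/local/share/certs/ca-root-nss.crt"
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Keywords that take a value vs. bare flags (subset of fetchmail's syntax).
VALUED = ("sslproto", "sslcertfile", "sslcertpath", "sslfingerprint")
FLAGS = ("ssl", "sslcertck")


def parse_fetchmailrc(text):
    """Return the SSL-related options found in a .fetchmailrc as a dict.
    Values are the following token, with surrounding double quotes removed."""
    opts = {}
    tokens = re.findall(r'"[^"]*"|\S+', text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUED and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1].strip('"')
            i += 2
            continue
        if tok in FLAGS:
            opts[tok] = True
        i += 1
    return opts


def count_pem_certs(bundle_path):
    """Number of PEM certificate blocks in a CA bundle file."""
    return len(PEM_CERT.findall(Path(bundle_path).read_text()))


def check_ssl_options(rc_text):
    """Return a list of findings; an empty list means verification is enforced."""
    opts = parse_fetchmailrc(rc_text)
    findings = []
    if "ssl" not in opts:
        findings.append("ssl not enabled")
    if "sslcertck" not in opts:
        findings.append("sslcertck missing: certificate chain is not enforced")
    bundle = opts.get("sslcertfile")
    if bundle is None:
        findings.append(f"sslcertfile missing: expected the ca_root_nss bundle {DEFAULT_BUNDLE}")
    elif not Path(bundle).is_file():
        findings.append(f"sslcertfile {bundle} not found")
    elif count_pem_certs(bundle) == 0:
        findings.append(f"sslcertfile {bundle} contains no PEM certificates")
    if opts.get("sslproto", "").upper() == "SSL3":
        findings.append("sslproto SSL3 pins an obsolete protocol; omit it and let fetchmail negotiate")
    return findings
```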