Date: Fri, 1 Apr 2011 15:33:15 +0100
From: István <leccine@gmail.com>
To: freebsd-security <freebsd-security@freebsd.org>
Subject: SSL is broken on FreeBSD
Message-ID: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
Hi folks,

Could somebody explain to me how it is possible to ship an operating system without testing basic functionality like SSL working?

Unfortunately the problem is still there after installing the following port:

/usr/ports/security/ca_root_nss

http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22
About 1,490 results (0.14 seconds)

openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -dates

depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
notBefore=Oct  8 00:00:00 2010 GMT
notAfter=Oct  7 23:59:59 2013 GMT

FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is like shipping a car without wheels, I suppose. Is there a reason to do this? How much effort would it be to ship a complete SSL stack, including the root CAs, just like any other vendor/community does?

Thanks.

I.

--
the sun shines for all
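The failure the poster pasted, reproduced offline as an added example (this is not code from the e-mail, from FreeBSD or from the ca_root_nss port). A server sends its leaf plus the issuing intermediate and nothing else; if the client's OpenSSL has no root CAs at all, chain building stops at depth 1 with "error 20 ... unable to get local issuer certificate", which is exactly the s_client output above. Pointing OpenSSL at a CA bundle with -CAfile is what fixes it, and that bundle is what the port supplies. Everything in the script is constructed for the demo: a throwaway "Demo Root CA", a "Demo Intermediate CA" and a leaf for the fictitious host s3.example.test. The result is classified on OpenSSL's message text rather than its exit status, because older openssl(1) releases did not reliably return non-zero from `openssl verify` on failure.

```shell
#!/bin/sh
# Added example, not part of the original e-mail or of FreeBSD: rebuilds the
# "no local issuer" failure with a constructed three-tier chain and shows the
# -CAfile fix. Requires only openssl(1); makes no network connection.
set -eu

WORK=$(mktemp -d)
EMPTY_DIR="$WORK/empty"          # stands in for a system with no trust store
mkdir -p "$EMPTY_DIR"
trap 'rm -rf "$WORK"' EXIT

# CA extensions, applied explicitly so every OpenSSL version accepts the
# root and the intermediate as CAs when it builds the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

# mkcsr NAME SUBJECT: fresh RSA key and CSR under $WORK/NAME.{key,csr}
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Throwaway root (self-signed), intermediate (signed by root), leaf (signed
# by intermediate). Only the CAs get the CA extensions above.
mkcsr root "/CN=Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
mkcsr int "/CN=Demo Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
mkcsr leaf "/CN=s3.example.test"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/leaf.crt" 2>/dev/null

# What a correctly configured server sends in the handshake: the leaf, then
# the intermediate, never the root. The client is expected to already trust
# the root, which is the part a bare OpenSSL install lacks.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/served.pem"

# verify_served_chain BUNDLE: BUNDLE is a CA file to trust, or "" for "no
# trust store at all". Raw OpenSSL output goes to stderr; stdout gets one of
# "ok", "missing-issuer" or "other-error".
verify_served_chain() {
    bundle=${1:-}
    if [ -n "$bundle" ]; then
        out=$(openssl verify -CAfile "$bundle" -CApath "$EMPTY_DIR" \
                  -untrusted "$WORK/served.pem" "$WORK/leaf.crt" 2>&1 || true)
    else
        # SSL_CERT_FILE=/dev/null keeps older releases from silently loading
        # the compiled-in default bundle when no -CAfile is given.
        out=$(SSL_CERT_FILE=/dev/null SSL_CERT_DIR="$EMPTY_DIR" \
                  openssl verify -CApath "$EMPTY_DIR" \
                  -untrusted "$WORK/served.pem" "$WORK/leaf.crt" 2>&1 || true)
    fi
    printf '%s\n' "$out" >&2
    case $out in
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *": OK"*)                                   echo ok ;;
        *)                                          echo other-error ;;
    esac
}

# The poster's own pipeline, applied to the served chain: sed passes every
# PEM block through, but openssl x509 parses only the first one (the leaf).
leaf_subject() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$WORK/served.pem" \
        | openssl x509 -noout -subject -dates
}

echo "Leaf as the poster extracted it:"
leaf_subject
echo "Without any local root CA (stock base-system OpenSSL): $(verify_served_chain '')"
echo "With the root supplied via -CAfile:                    $(verify_served_chain "$WORK/root.crt")"
```

The second run is the equivalent of `openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect host:443` on a system where the port is installed: installing ca_root_nss drops the bundle under /usr/local/share/certs, but the base OpenSSL does not look there unless told to, either by passing -CAfile (or setting SSL_CERT_FILE) or by linking the bundle to /etc/ssl/cert.pem, which is the path the base OpenSSL consults by default.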