From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 14:59:38 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 32EF51065678 for ; Fri, 1 Apr 2011 14:59:38 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id B652E8FC22 for ; Fri, 1 Apr 2011 14:59:37 +0000 (UTC) Received: by bwz12 with SMTP id 12so3155852bwz.13 for ; Fri, 01 Apr 2011 07:59:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=fgOK3Uxw8OIzRvrjFdDgXurEG3vGosHs9u1AZDaA190=; b=WdEYIP+8ipCmphF7iqk4ufyjZQ+uES6h2OiuwSVFhqXvK/6WKY0LtYx2unBQ/34fYe OrVhPbfah1jTGWU1NrTyUr5X/WR+ii7rVB0V32kNMCRxVhi5IzrjsblfO+DpF+rOoP4Y +pePDkAfTDb0qXguQxHsa8YRrUcaWiJQWv6SI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=hetBtYdeA5LNgjSv8eNGbaD7De/BqsVZHfRDc3z2iYZcEkribGBDCYXlvocLNkpC1V Bu75mogQQ3VZ1rytb+kLxLr9dJRb1MpqECyfOva9GglSSI9F/O+p6X3w7mRUy+ISB2qf 9Sr/sjRBkAt5P8f9EPtsJmM9bTydzhhxxEXA4= MIME-Version: 1.0 Received: by 10.204.151.207 with SMTP id d15mr359412bkw.123.1301668395789; Fri, 01 Apr 2011 07:33:15 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 07:33:15 -0700 (PDT) Date: Fri, 1 Apr 2011 15:33:15 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: freebsd-security Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 14:59:38 -0000 Hi folks, Could somebody explain to me how is it possible to ship an operating system without testing basic functionality like SSL working? Unfortunately the problem is still there after installing the following port: /usr/ports/security/ca_root_nss http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22 About 1,490 results (0.14 seconds) openssl s_client -connect 72.21.203.148:443 Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B2181065679 for ; Fri, 1 Apr 2011 15:19:48 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from fw.ax.cz (unknown [IPv6:2a00:1aa8:1:1000::2]) by mx1.freebsd.org (Postfix) with ESMTP id 8D0528FC1E for ; Fri, 1 Apr 2011 15:19:47 +0000 (UTC) Received: from [127.0.0.1] (fw.ax.cz [77.240.99.126]) by fw.ax.cz (8.14.4/8.14.3) with ESMTP id p31FJhqU004426; Fri, 1 Apr 2011 17:19:45 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <4D95ECAA.20406@obluda.cz> Date: Fri, 01 Apr 2011 17:18:02 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.18) Gecko/20110320 SeaMonkey/2.0.13 MIME-Version: 1.0 To: =?UTF-8?B?SXN0dsOhbg==?= References: In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Antivirus: avast! (VPS 110401-0, 01.04.2011), Outbound message X-Antivirus-Status: Clean Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 15:19:48 -0000 István wrote: > FreeBSD ships OpenSSL but it is broken because there is no CA No. List of trusted CA is list of CAs that you trust to. It is related to policies of particular CA, the law in the country where the CA operates, the overall reputation of such CA - and your personal preferences and paranoia level. Only you personally can decide what CA is "trustful CA" for you. Of course, you can accept a list created by someone else if you wish - you mentioned the security/ca_root_nss But it's still your personal decision. Yes, someone's else list may not contain some CAs that you classified as trusted - and, worse, it may contain some CAs you doesn't consider trustable. It's your risk when adopting list form an external source and you should not adopt such kind of list blindly unless the security is "unimportant" for you. But back to your problem - the FreeBSD contain NO list of trusted CA and it SHOULD NOT contain one. The port security/ca_root_nss is NOT part of operating system - if you want to change it you need to ask it's author. Or use list prepared by someone else. Or prepare own list (it's most secure way). Dan From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 15:40:20 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7A7E210656D0 for ; Fri, 1 Apr 2011 15:40:20 +0000 (UTC) (envelope-from kitchetech@gmail.com) Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com [209.85.215.182]) by mx1.freebsd.org (Postfix) with ESMTP id 094A58FC0A for ; Fri, 1 Apr 2011 15:40:19 +0000 (UTC) Received: by eyg7 with SMTP id 7so1167405eyg.13 for ; Fri, 01 Apr 2011 08:40:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/+BlngWLSqqMvEYGFkuW4Bi88I4IqLmfYtUiS/qqDh8=; b=begPMVIe3kJTtoNsSWIA0fXzB4sC8shD/lzaMdWYDIld9Q8sBhGWAJqCr9NjIBJhoB lSe7162cbtVuwmKTnUameNJkqXNcUXyZ5+9AghCHwfpqSBI6Ih4HRhKq+dDYXw3rqw1s 7SUxGcNpdByWXeFwjcIW1Z4HzagG5Tkr6NRaw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=N4xqQ6+h66QCWkFs//Fc1VHBw8aPZEOBZKnzIdzjuIRikkNk38uzwLp3toQvTx0LuT qoMoQ0mV5YIEnFwerjaqw6uEijM02rdIMxGgSI0Bw4e1u7AcfKgOP443fcecgYi57jqf ThM4i5K46e69zH/3OpmbHn03J51j4jvApTGt4= MIME-Version: 1.0 Received: by 10.213.21.194 with SMTP id k2mr2466566ebb.18.1301670846218; Fri, 01 Apr 2011 08:14:06 -0700 (PDT) Received: by 10.213.114.135 with HTTP; Fri, 1 Apr 2011 08:14:06 -0700 (PDT) Received: by 10.213.114.135 with HTTP; Fri, 1 Apr 2011 08:14:06 -0700 (PDT) In-Reply-To: References: Date: Fri, 1 Apr 2011 11:14:06 -0400 Message-ID: From: matt donovan To: =?ISO-8859-1?B?SXN0duFu?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 15:40:20 -0000 Sounds like your openssl is broken it works just fine for me gets gmail certificate On Apr 1, 2011 11:01 AM, "Istv=E1n" wrote: > Hi folks, > > Could somebody explain to me how is it possible to ship an operating system > without testing basic functionality like SSL working? Unfortunately the > problem is still there after installing the following port: > > /usr/ports/security/ca_root_nss > > http://www.google.com/search?q=3D%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3= Aunable+to+get+local+issuer+certificate%22 > > < http://www.google.com/search?q=3D%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3= Aunable+to+get+local+issuer+certificate%22 >About > 1,490 results (0.14 seconds) > openssl s_client -connect 72.21.203.148:443 CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -subject -dates > > depth=3D1 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3DTer= ms of use at > https://www.verisign.com/rpa (c)09/CN=3DVeriSign Class 3 Secure Server CA= - G2 > verify error:num=3D20:unable to get local issuer certificate > verify return:0 > DONE > subject=3D /C=3DUS/ST=3DWashington/L=3DSeattle/O=3DAmazon.com Inc./CN=3D s3.amazonaws.com > notBefore=3DOct 8 00:00:00 2010 GMT > notAfter=3DOct 7 23:59:59 2013 GMT > > FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is > like shipping a car without wheels, I suppose. > > Is there a reason to do this? > > How much effort would be to ship a complete SSL stack, including the root > CAs, just like any other vendor/community does? > > Thanks. > > I. > > -- > the sun shines for all > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g " From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 15:14:51 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 407AF1065675; Fri, 1 Apr 2011 15:14:51 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) by mx1.freebsd.org (Postfix) with ESMTP id EEE8D8FC0A; Fri, 1 Apr 2011 15:14:50 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 14B0225D3857; Fri, 1 Apr 2011 15:14:49 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 44143159C12B; Fri, 1 Apr 2011 15:14:49 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id iK-iJ-v-dI-V; Fri, 1 Apr 2011 15:14:48 +0000 (UTC) Received: from nv.sbone.de (nv.sbone.de [IPv6:fde9:577b:c1a9:31::2013:138]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 0ACC8159C0EB; Fri, 1 Apr 2011 15:14:48 +0000 (UTC) Date: Fri, 1 Apr 2011 15:14:47 +0000 (UTC) From: "Bjoern A. Zeeb" To: freebsd-security@freebsd.org Message-ID: X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Mailman-Approved-At: Fri, 01 Apr 2011 15:44:40 +0000 Subject: on "BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 15:14:51 -0000 Hi, as some IPSec users might be worried about the "BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload" from http://seclists.org/fulldisclosure/2011/Apr/0 , here's some braindump: To be affected it's believed that you need to 1) manually compile in IPSEC (not done in GENERIC or the release), 2) have an entry for ipcomp in your security associations. You may also want to check what you negotiate with trusted peers if you use IKE. 3) an attacker needs to know the endpoint addresses (and the CID) to send you a nastygram. 4) if you require an outer ESP between peers, it's a matter of how much you trust your peer. FreeBSD will not panic, you may however be able to "store" packets in the network stack for IPv4 and see the netstat -s -p ipcomp packets in counter go up quickly. IPv6 has a net.inet6.ip6.hdrnestlimit of 15 by default and will throw away the packet after that many iterations. A mitigation change for the directly recursive case was just committed to HEAD: http://svn.freebsd.org/viewvc/base?view=revision&revision=220247 Similar patches for other branches (untested) are available: HEAD and STABLE/8 (include the V_irtualization): http://people.freebsd.org/~bz/20110401-02-ipcomp-head-8.diff STABLE/7: http://people.freebsd.org/~bz/20110401-03-ipcomp-7.diff STABLE/6 (KAME + FAST, where the FAST is the same as STABLE/7): http://people.freebsd.org/~bz/20110401-01-ipcomp-6.x.diff More details may follow. /bz -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new address family. From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 15:45:23 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3EDBB106566C for ; Fri, 1 Apr 2011 15:45:23 +0000 (UTC) (envelope-from perrin@apotheon.com) Received: from oproxy1-pub.bluehost.com (oproxy1-pub.bluehost.com [66.147.249.253]) by mx1.freebsd.org (Postfix) with SMTP id 07A368FC17 for ; Fri, 1 Apr 2011 15:45:22 +0000 (UTC) Received: (qmail 15455 invoked by uid 0); 1 Apr 2011 15:45:22 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by cpoproxy1.bluehost.com with SMTP; 1 Apr 2011 15:45:22 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=apotheon.com; h=Date:From:To:Subject:Message-ID:Mail-Followup-To:References:Mime-Version:Content-Type:Content-Disposition:In-Reply-To:User-Agent:X-Identified-User; b=VwVRJ1IG5YsUNhCIIO1QHbK+xbpPJx18sfVqUC1lP9S1mWhoXFNDLBqNH0+UbPwA0zy37ayiaXqU2Tp7XBLbgsTMK0MEu6HZVwwdm2OHYBkcHTdioKyd1UlXYdTcbnEn; Received: from c-24-8-180-234.hsd1.co.comcast.net ([24.8.180.234] helo=kukaburra.hydra) by box543.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Q5gXI-0007Dc-QU for freebsd-security@freebsd.org; Fri, 01 Apr 2011 09:45:21 -0600 Received: by kukaburra.hydra (sSMTP sendmail emulation); Fri, 01 Apr 2011 09:33:01 -0600 Date: Fri, 1 Apr 2011 09:33:01 -0600 From: Chad Perrin To: freebsd-security Message-ID: <20110401153300.GA85392@guilt.hydra> Mail-Followup-To: freebsd-security References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Qxx1br4bt0+wmkIi" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.org} {sentby:smtp auth 24.8.180.234 authed with ren@apotheon.org} Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 15:45:23 -0000 --Qxx1br4bt0+wmkIi Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 01, 2011 at 03:33:15PM +0100, Istv=E1n wrote: >=20 > FreeBSD ships OpenSSL but it is broken because there is no CA. Right, > it is like shipping a car without wheels, I suppose. Err . . . now. SSL isn't broken, any more than vi is broken just because it doesn't ship with text files for you to edit. It would be more like shipping a car without giving you a list of roads on which the manufacturer suggests you use it. >=20 > Is there a reason to do this? I don't know. Maybe the guys who made that decision thought that users should be able to make their own decisions about who to trust, rather than relying on Verisign to make that decision for them. I'm just speculating wildly -- I actually have no idea. --=20 Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] --Qxx1br4bt0+wmkIi Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAk2V8CwACgkQ9mn/Pj01uKW7qgCdEfAXQPBGGqw0hZ7qYW7B4ZXV JL0An2qRBQ52LqT2WWbo56RNjXWBBOcy =3hU6 -----END PGP SIGNATURE----- --Qxx1br4bt0+wmkIi-- From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 16:56:43 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7CE6106566B for ; Fri, 1 Apr 2011 16:56:43 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-gw0-f54.google.com (mail-gw0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id 809E38FC08 for ; Fri, 1 Apr 2011 16:56:43 +0000 (UTC) Received: by gwb15 with SMTP id 15so1726279gwb.13 for ; Fri, 01 Apr 2011 09:56:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=JPa3LhZcBAeueI35Et37aooAphApjmBk8FpO3K2r+lc=; b=dfr7qtvMhtTHu5IJ3iiT3YVO4Gbl2cOGLTBTfrBJrxGK7aksFvWymGWeCZw7yLEurM h5Nlq4Oz03HUFGgJIaLrBBV1I+pg0owGH2JBJDRV0jnW26/3SPxV+rrfA1xuiqNrNj89 GgWH2bMf47wLCDTccP23JZTfVkNhOYxOf48eE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=tXoEVz66z/7E7y7vF6emmQI67Gwne44DcQCvP0hUjA8nZmEV8BIs0CoacOJZeLVLN/ tbut61cM744gcB+kMw+ACk9eDIFMh4DTeHqdJ3O5miKF6Sx4PLAB+hXqEOHMrureS812 cXp3kp6BFwnKU1WUJZ4CulEROuQ+cOFjSr0Vs= MIME-Version: 1.0 Received: by 10.101.186.33 with SMTP id n33mr3175424anp.12.1301675610190; Fri, 01 Apr 2011 09:33:30 -0700 (PDT) Received: by 10.100.105.6 with HTTP; Fri, 1 Apr 2011 09:33:30 -0700 (PDT) In-Reply-To: References: Date: Fri, 1 Apr 2011 12:33:30 -0400 Message-ID: From: Robert Simmons To: freebsd-security Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: =?ISO-8859-1?B?SXN0duFu?= Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 16:56:44 -0000 On Fri, Apr 1, 2011 at 10:33 AM, Istv=E1n wrote: > Could somebody explain to me how is it possible to ship an operating syst= em > without testing basic functionality like SSL working? Unfortunately the > problem is still there after installing the following port: > > /usr/ports/security/ca_root_nss OpenSSL works just fine for me. I am using it on an internal network with a CA that I created myself. That is the only CA that I want to trust, since all the servers that I'm using are signed by it and only it. I've manually added it to the CA lists here. That way, I can add a new server create a cert for it, sign it, and profit immediately. There are no CAs by default in FreeBSD because that's the way it should be. I would have had to remove all of them. As the FAQ for OpenSSL states: "The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators." (http://www.openssl.org/support/faq.html#USER16) Now, you are also not satisfied with the CA bundle in the ports collection because it does not contain the CA that you need. I'm not sure which one it is that you need. But a good place to start is here: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html That contains a perl script for extracting the CA bundle from Mozilla's CVS. At first glance, it may frustrate you, because it may not be obvoius where it connects to (that info is obscured). However, look at the following help file. It has all the connection details for mozilla's cvsroot that you will need. Just substitute the "anonymous@cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the script. https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS If you are not satisfied with Mozilla's bundle, you can find google Chrome's list here somewhere: http://src.chromium.org/viewvc/chrome/ All of this may or may not solve your problem. You may need to build your own bundle and include the CAs that you want to trust. Also, one last thing: You can catch more flies with honey than with vinegar= . From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 17:31:29 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 64E6F1065670 for ; Fri, 1 Apr 2011 17:31:29 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id EA23C8FC13 for ; Fri, 1 Apr 2011 17:31:28 +0000 (UTC) Received: by wyf23 with SMTP id 23so3746892wyf.13 for ; Fri, 01 Apr 2011 10:31:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:date:from:to:subject:message-id:in-reply-to :references:x-mailer:mime-version:content-type :content-transfer-encoding; bh=WASt0TduXmPD5Iz/2+ee42ZNW3NZ3L2xt33oFGC/WZU=; b=fHtsimK/GDzjK5Qx40H6uPaUQ5jX9VEv6NMki4fbftOUujXUXr2JH4PuTW3QvQOffA y36nj1QZf9aB9KBVVSMbeZhVYzOGzp9/C4tOfHC1+Pp/noh4uTCT/iNjhE42j6ofqbcL QU3qlaNFkOqnBzZaA4BBiHuAp/Qg2vle6Q7Qg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=date:from:to:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; b=A6+SG84nNqlDJAprhYllPCS4l29S0QnkaBCKMPuUpdhntcUKq80NQqCVTiCCCIU5dx Pmh0CAx93SAkciViXEjRhNlPHSmErUANDlRhDuxeNZb5fmoW0QMPBAlUrXLFjj6hT/+/ B9ysqKINQpVQpgvY9Dv+1/awxK5c0l5JXap9Y= Received: by 10.216.120.193 with SMTP id p43mr2577410weh.92.1301679087610; Fri, 01 Apr 2011 10:31:27 -0700 (PDT) Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk [87.194.105.247]) by mx.google.com with ESMTPS id t11sm1103259wes.41.2011.04.01.10.31.25 (version=SSLv3 cipher=OTHER); Fri, 01 Apr 2011 10:31:26 -0700 (PDT) Date: Fri, 1 Apr 2011 18:31:22 +0100 From: RW To: freebsd-security@freebsd.org Message-ID: <20110401183122.5d423f94@gumby.homeunix.com> In-Reply-To: References: X-Mailer: Claws Mail 3.7.8 (GTK+ 2.22.1; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 17:31:29 -0000 On Fri, 1 Apr 2011 11:14:06 -0400 matt donovan top posted: > Sounds like your openssl is broken it works just fine for me gets > gmail certificate It doesn't for me. Claws-mail depends on security/ca_root_nss, but only the other day I had to manually accept a certificate for smtp.gmail.com. From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 18:45:13 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06F67106566B for ; Fri, 1 Apr 2011 18:45:13 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 878548FC17 for ; Fri, 1 Apr 2011 18:45:12 +0000 (UTC) Received: by bwz12 with SMTP id 12so3341814bwz.13 for ; Fri, 01 Apr 2011 11:45:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=SW1gXQ1jZM0J0dJy3EAxTUY8ooNm1J9x43ah6somBP8=; b=wbdICiJ5FlmXN5XT4HWBnQvCP1qT6Bzo6tanpMuAO9gdILI2XyH3JKXzmFdQv8D3yM e9bhhnBf9390KEP+djGv/3ghadnDa+YoTJJEKfXtQZbOTn7CtIRp7U+sBa2j8JmXEFVE FMS0ovhJN45jfkdq1GCsTYYrlHdsStXkNDnsA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=kyzxLbHFfaiNH/BFLmeYFt1pMV2k9oXql2eYNYue7MJjC1zTgyvLAn0RuSumgiVf2B 4VtJXU7bVRzlFSQjV4CDWG04QAt/XH+w8vWMRYgCrGdcfBi6IvxSqkiPxMMWLmiMSZSs ieDaCmxN86Lehsgj+Z5w+M7guiDZW2kx+eFS4= MIME-Version: 1.0 Received: by 10.204.151.207 with SMTP id d15mr642812bkw.123.1301683511383; Fri, 01 Apr 2011 11:45:11 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 11:45:11 -0700 (PDT) In-Reply-To: <4D95ECAA.20406@obluda.cz> References: <4D95ECAA.20406@obluda.cz> Date: Fri, 1 Apr 2011 19:45:11 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Dan Lukes Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 18:45:13 -0000 > > > Only you personally can decide what CA is "trustful CA" for you. > > cool, i decided I need everything what I have on windows or on J random operating system with firefox. I install the corresponding package which is broken and therefore, so I can't verify if somebody i doing a MITM while I am shopping on Amazon. Massive win! I understand you do not care about usability. It is viable attitude in many opensource communities including FreeBSD. Thank you anyway. I am going to copy that file from Linux ;) Thank you! From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 18:47:25 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2EAE41065670 for ; Fri, 1 Apr 2011 18:47:25 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id AD55D8FC1C for ; Fri, 1 Apr 2011 18:47:24 +0000 (UTC) Received: by bwz12 with SMTP id 12so3343382bwz.13 for ; Fri, 01 Apr 2011 11:47:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=PlvbqSqd66NcjfFvyK3bsmQM6dUBttHsA9HEXZ9s+ZA=; b=LOQ8zeSi8461wsECmwDxg2f6FefdCMZjg6ONOr+LKKTdFSj5LTNaFNDUk3kf2S+aTD tefCkTwKNH4hMijuV5LUtjXgH0WgmiLWteCBagGy8k1UVP1Z3NAh9SZP3X9LhqHl6+lP H6skSjLRhgAOK3+QQF54IeZG+0CJsWp8681hU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=rS6u3G2TY3Ak63tQh2sNWnQ/LRBaz3wLS55uzIlQDbYwhV0cAzApKFi7orZjKXQ+ai UCJ04LgMW4DqEjPjsAkxlJo4Z83EJO3zR6MNun1Cfi8H7kRtJrWYYGeeeeJWTNL6cuVy mgCUHTz3zdLw+hSymiv7VDg45CjSU8tILDQ70= MIME-Version: 1.0 Received: by 10.204.74.93 with SMTP id t29mr3986037bkj.150.1301683643636; Fri, 01 Apr 2011 11:47:23 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 11:47:23 -0700 (PDT) In-Reply-To: <20110401153300.GA85392@guilt.hydra> References: <20110401153300.GA85392@guilt.hydra> Date: Fri, 1 Apr 2011 19:47:23 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: freebsd-security Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Chad Perrin Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 18:47:25 -0000 Yep, SSL is broken. This why the top500 companies are using it to secure their business. I hope you have something better what we could implement tomorrow deprecating SSL. Send the RFC please. :) Thank you in advance. I. On Fri, Apr 1, 2011 at 4:33 PM, Chad Perrin wrote: > On Fri, Apr 01, 2011 at 03:33:15PM +0100, Istv=C3=A1n wrote: > > > > FreeBSD ships OpenSSL but it is broken because there is no CA. Right, > > it is like shipping a car without wheels, I suppose. > > Err . . . now. SSL isn't broken, any more than vi is broken just because > it doesn't ship with text files for you to edit. It would be more like > shipping a car without giving you a list of roads on which the > manufacturer suggests you use it. > > > > > > Is there a reason to do this? > > I don't know. Maybe the guys who made that decision thought that users > should be able to make their own decisions about who to trust, rather > than relying on Verisign to make that decision for them. I'm just > speculating wildly -- I actually have no idea. > > -- > Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] > --=20 the sun shines for all http://wperf.com/ From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 19:22:05 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 517881065674 for ; Fri, 1 Apr 2011 19:22:05 +0000 (UTC) (envelope-from perrin@apotheon.com) Received: from outbound-mail-01.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by mx1.freebsd.org (Postfix) with SMTP id 164078FC0A for ; Fri, 1 Apr 2011 19:22:04 +0000 (UTC) Received: (qmail 28337 invoked by uid 0); 1 Apr 2011 19:22:04 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by cpoproxy1.bluehost.com with SMTP; 1 Apr 2011 19:22:04 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=apotheon.com; h=Date:From:To:Subject:Message-ID:Mail-Followup-To:References:Mime-Version:Content-Type:Content-Disposition:In-Reply-To:User-Agent:X-Identified-User; b=gLq6jAu821CuoR7sd5gWFvIPNK718M0W0UdUaxmFbl4H3iwA1InJMsJ2HFG24PSOw8MmTBCj1TqIF/65zTLJ1C0Lktjs20yfJyeJo95hAFvp1yb9aMhKHelkK5YstZDQ; Received: from c-24-8-180-234.hsd1.co.comcast.net ([24.8.180.234] helo=kukaburra.hydra) by box543.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Q5jv1-0006CJ-24 for freebsd-security@freebsd.org; Fri, 01 Apr 2011 13:22:04 -0600 Received: by kukaburra.hydra (sSMTP sendmail emulation); Fri, 01 Apr 2011 13:09:42 -0600 Date: Fri, 1 Apr 2011 13:09:42 -0600 From: Chad Perrin To: freebsd-security Message-ID: <20110401190942.GA86039@guilt.hydra> Mail-Followup-To: freebsd-security References: <4D95ECAA.20406@obluda.cz> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="17pEHd4RhPHOinZp" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.org} {sentby:smtp auth 24.8.180.234 authed with ren@apotheon.org} Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 19:22:05 -0000 --17pEHd4RhPHOinZp Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 01, 2011 at 07:45:11PM +0100, Istv=E1n wrote: > > cool, i decided I need everything what I have on windows or on J random > operating system with firefox. I install the corresponding package > which is broken and therefore, so I can't verify if somebody i doing a > MITM while I am shopping on Amazon. Massive win! You do not seem entirely clear on how the TLS/SSL trust model actually works. Having a list of trusted CAs does not guarantee that nobody is executing a man in the middle attack. All it does is let the CA tell you whether or not it wants you to believe there is a man in the middle attack going on. The accuracy of such a belief depends entirely on the motives of the CA in question. In point of fact, the SSL/TLS PKI (the infrastructure for out-of-band authentication of certificates via CAs) is basically just a vacant lot scam, where someone assumes the color of authority by simple act of declaration in order to charge people for something it is not actually in the scammer's power to provide or deny -- in this case, verifiable proof of authenticity. A discussion of the problem in broad terms is here: The TLS/SSL Certifying Authority system is a scam http://blogs.techrepublic.com.com/security/?p=3D2550 A much more verifiable system would be something based on distributed agreement, such as the Monkeysphere or Perspectives projects provide for certificate verification. A simplified discussion of the comparative characteristics of Perspectives and the CA-based PKI is here: Perspectives: better than CAs? http://blogs.techrepublic.com.com/security/?p=3D571 >=20 > I understand you do not care about usability. It is viable attitude in > many opensource communities including FreeBSD. Part of usability is ensuring that what you think you are accomplishing actually bears some resemblance to what you are accomplishing. If you think that just trusting whoever some compiled list of CAs tells you to trust to have your best interests at heart is accomplishing something approaching a guarantee of security, the *actual* usability of the system is near nil -- though the *apparent* usability of it might be very high in the estimation of those who have not taken the time to consider the implications of taking such an approach to cryptographic trust. >=20 > Thank you anyway. I am going to copy that file from Linux ;) That may give you a heightened *feeling* of security, but is not likely to greatly increase your *actual* security. In fact, it may reduce it, depending on the types of sites you visit and what data you send to them. By default, software like Firefox will at least warn you when you are connecting to a site using an encryption certificate you have not already told it to trust one way or another. If you just uncritically add all the CAs in the world to a trusted list, all you are doing is turning off those warnings. --=20 Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] --17pEHd4RhPHOinZp Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAk2WIvYACgkQ9mn/Pj01uKU6SACg4PKkTwF07eIAEmxUrA5BeTiL 9VUAn0Q+rg5Xt/mnC/gb0AflshZnioBK =AQLX -----END PGP SIGNATURE----- --17pEHd4RhPHOinZp-- From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 19:23:22 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9AA5A106564A for ; Fri, 1 Apr 2011 19:23:22 +0000 (UTC) (envelope-from perrin@apotheon.com) Received: from oproxy3-pub.bluehost.com (oproxy3-pub.bluehost.com [69.89.21.8]) by mx1.freebsd.org (Postfix) with SMTP id 60EFF8FC13 for ; Fri, 1 Apr 2011 19:23:22 +0000 (UTC) Received: (qmail 10451 invoked by uid 0); 1 Apr 2011 19:23:18 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by oproxy3.bluehost.com with SMTP; 1 Apr 2011 19:23:18 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=apotheon.com; h=Date:From:To:Subject:Message-ID:Mail-Followup-To:References:Mime-Version:Content-Type:Content-Disposition:In-Reply-To:User-Agent:X-Identified-User; b=mrVmjsKZaru5+xKsP6pnFNm2QTEG0t2hTxRN+iRV9bYSyD+M14prTGSG96XxsiIv6fzAioHZBVvPhzVAzbnLSh2CyTkC5yZQCwGzbM/d9kG2RQFh1YYK18C+LBhmnK8E; Received: from c-24-8-180-234.hsd1.co.comcast.net ([24.8.180.234] helo=kukaburra.hydra) by box543.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Q5jwD-0007oI-93 for freebsd-security@freebsd.org; Fri, 01 Apr 2011 13:23:18 -0600 Received: by kukaburra.hydra (sSMTP sendmail emulation); Fri, 01 Apr 2011 13:10:57 -0600 Date: Fri, 1 Apr 2011 13:10:57 -0600 From: Chad Perrin To: freebsd-security Message-ID: <20110401191057.GB86039@guilt.hydra> Mail-Followup-To: freebsd-security References: <20110401153300.GA85392@guilt.hydra> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="K8nIJk4ghYZn606h" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.org} {sentby:smtp auth 24.8.180.234 authed with ren@apotheon.org} Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 19:23:22 -0000 --K8nIJk4ghYZn606h Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 01, 2011 at 07:47:23PM +0100, Istv=E1n wrote: > Yep, SSL is broken. > This why the top500 companies are using it to secure their business. I > hope you have something better what we could implement tomorrow > deprecating SSL. >=20 > Send the RFC please. :) >=20 > Thank you in advance. You clearly did not actually read what I said. You read *into* it, creating the impression of some straw man argument in your own head, and responded to that. This is not a productive way to discuss matters of security. --=20 Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] --K8nIJk4ghYZn606h Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAk2WI0EACgkQ9mn/Pj01uKW+FACfbS2PNydBwhZSL+gpyRsD2xNC CyEAmgNT0VBrOV73ldhQ87QuOHKBtHxQ =lIM2 -----END PGP SIGNATURE----- --K8nIJk4ghYZn606h-- From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 20:46:40 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 9E3401065672 for ; Fri, 1 Apr 2011 20:46:40 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from [127.0.0.1] (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 198901506AA; Fri, 1 Apr 2011 20:46:40 +0000 (UTC) Message-ID: <4D9639B0.1070302@FreeBSD.org> Date: Fri, 01 Apr 2011 13:46:40 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: =?ISO-8859-1?Q?Istv=E1n?= References: <20110401153300.GA85392@guilt.hydra> In-Reply-To: X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-security , Chad Perrin Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 20:46:40 -0000 István wrote: > cool, i decided I need everything what I have on windows or on J random > operating system with firefox. I install the corresponding package which is > broken and therefore, so I can't verify if somebody i doing a MITM while I > am shopping on Amazon. Massive win! If your concern is the CA list in firefox, no additional work is required beyond installing firefox. If you are ultra-concerned about security you can examine the source, and compile it locally. If the FreeBSD package is not functional, you should of course report that, and we will address that issue. OTOH, it's not 100% clear to me what your actual goals are, or what problems you're having. If you would like to write up something along the lines of, "Here is what I'm trying to accomplish, and here are the problems I'm experiencing along the way" I'm sure that we can work on that. > I understand you do not care about usability. Nothing could be further from the truth. I think Chad addressed that topic well. I would simply like to add that it's pretty common for us to see people report things along the lines of, "When I try to do XYZ thing that I did on Linux it doesn't work on FreeBSD." What is generally the case in these situations is that there are alternate ways to accomplish the same goal on FreeBSD, and some polite discussion about that can usually resolve the issue. > Thank you anyway. I am going to copy that file from Linux ;) If Linux works for you, you should seriously consider sticking with it. There are lots of operating systems out there, not all of them are suitable for all users. > Yep, SSL is broken. > This why the top500 companies are using it to secure their business. Before you rely too heavily on this particular line of argument you might want to consider that up until recently there have not been viable alternatives. > I hope you have something better what we could implement tomorrow deprecating SSL. http://datatracker.ietf.org/wg/dane/charter/ http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html Enjoy, Doug PS, while asking strangers to volunteer their time to assist you, it's usually a good idea to refrain from rudeness and sarcasm. -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 20:52:39 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BB037106566C for ; Fri, 1 Apr 2011 20:52:39 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 590248FC08 for ; Fri, 1 Apr 2011 20:52:38 +0000 (UTC) Received: by bwz12 with SMTP id 12so3434966bwz.13 for ; Fri, 01 Apr 2011 13:52:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=3laTRDOvW7fNEdxD1YwW9tZZ7EUxj3CnGIOMNe50/9Q=; b=E9AWAshU9cx4X1qVRkQq2OgKztjJBklk/pBLV9TxTHrJuCvbdxPCmWNPdadDY9dAUS SFQBmrFMWBGkz2NJI/1+q8YJumG7c6A47G2d+34k7tb87sYXlt3apj8aNyXSvf9wCCkq BpgBuLqaz5E3pNn8pwsx4cNcpw+vOhDaVMB7k= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=jri9UEhUenMsFQHnapJ1A+Skpsz9xTDNuuElXDzdJLRdv+KpHffag2HzTt6X4mE/DD OMCUVrNtMnUof/SpiXA3B9ZJcZut2GDSEPYKfSDBL3ewDCUu5J3j4ImUOJtHTJjGW9KM 9oTRuGnbIjlfiWG/oruV5Pa1XRvCN8dHDjctk= MIME-Version: 1.0 Received: by 10.204.127.68 with SMTP id f4mr4062262bks.42.1301691157318; Fri, 01 Apr 2011 13:52:37 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 13:52:37 -0700 (PDT) In-Reply-To: <4D9639B0.1070302@FreeBSD.org> References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> Date: Fri, 1 Apr 2011 21:52:37 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Doug Barton Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security , Chad Perrin Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 20:52:40 -0000 > > > Nothing could be further from the truth. I think Chad addressed that topic > well. I would simply like to add that it's pretty common for us to see > people report things along the lines of, "When I try to do XYZ thing that I > did on Linux it doesn't work on FreeBSD." What is generally the case in > these situations is that there are alternate ways to accomplish the same > goal on FreeBSD, and some polite discussion about that can usually resolve > the issue. > > well i would argue with that, on Linux it was possible to validate the certs what X company is using, on FreeBSD it was not. You can twist this as much as you want, I still can't see how this improves anything. Well I am not really interested in new projects replacing SSL since the webshop I am using running SSL :( But thanks anyway. I. From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 20:57:15 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 847A0106566C for ; Fri, 1 Apr 2011 20:57:15 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from [127.0.0.1] (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 9DA1214D944; Fri, 1 Apr 2011 20:57:06 +0000 (UTC) Message-ID: <4D963C23.4080100@FreeBSD.org> Date: Fri, 01 Apr 2011 13:57:07 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: =?ISO-8859-1?Q?Istv=E1n?= References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> In-Reply-To: X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 20:57:15 -0000 On 4/1/2011 1:52 PM, István wrote: > well i would argue with that, on Linux it was possible to validate the certs > what X company is using, on FreeBSD it was not. Perhaps if you can describe the process that you go through on Linux to do this, we can help you accomplish the same goal using FreeBSD. What I'm getting at is that if we can focus on, "Here is the end goal that I would like to achieve" we may be able to help each other out. :) Doug -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 21:01:10 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 69916106564A for ; Fri, 1 Apr 2011 21:01:10 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id BF0368FC1D for ; Fri, 1 Apr 2011 21:01:09 +0000 (UTC) Received: by bwz12 with SMTP id 12so3440809bwz.13 for ; Fri, 01 Apr 2011 14:01:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=7aFJ+NvMs2UUYHfHgfoJ24ly/s89mQoaKxiIjAF8DN0=; b=AKQIqp9OooEzqhxZ6ID9pMmUv+r81IJnh+doOXI2MfKOc5Ouizu4K2IFPP7qu8iCNH l//EPsK1Lf/+Np6K6T2mDS60afAxoH6ILVsi2tXJI1cts9wuuPQvMWtmvjOAhMREH2Zi xdm30mBbFBHt7P3rBsf0as0fN/XZx2y2T/ynY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=ZpcYU/JBnQqZWZYscyD4lq5wv0XnFqJJvQrwiqRZogPhv/63yUDufsXHESAoXQAVAH 93ggViw5tJZrF2QJUZwMAvnOMVywqb0qx1eXXai5xUl2K/I9zb9dRV94vRnOObR8WAPw u6xubojZfxyY6ZBFbP8Rxe0WLLEYmbOwVfTSE= MIME-Version: 1.0 Received: by 10.204.74.93 with SMTP id t29mr4071078bkj.150.1301691668683; Fri, 01 Apr 2011 14:01:08 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 14:01:08 -0700 (PDT) In-Reply-To: <4D963C23.4080100@FreeBSD.org> References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> Date: Fri, 1 Apr 2011 22:01:08 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Doug Barton Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 21:01:10 -0000 Executing the same command: openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne /-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p |openssl x509 -noout -subject -dates The end goal is to get this working. I am going to fix it whenever I have few hours time to waste :) On Fri, Apr 1, 2011 at 9:57 PM, Doug Barton wrote: > On 4/1/2011 1:52 PM, Istv=C3=A1n wrote: > >> well i would argue with that, on Linux it was possible to validate the >> certs >> what X company is using, on FreeBSD it was not. >> > > Perhaps if you can describe the process that you go through on Linux to d= o > this, we can help you accomplish the same goal using FreeBSD. What I'm > getting at is that if we can focus on, "Here is the end goal that I would > like to achieve" we may be able to help each other out. :) > > > Doug > > > -- > > Nothin' ever doesn't change, but nothin' changes much. > -- OK Go > > Breadth of IT experience, and depth of knowledge in the DNS. > Yours for the right price. :) http://SupersetSolutions.com/ > > --=20 the sun shines for all http://wperf.com/ From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 21:24:36 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A38FD106564A for ; Fri, 1 Apr 2011 21:24:36 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 2D3168FC22 for ; Fri, 1 Apr 2011 21:24:35 +0000 (UTC) Received: by bwz12 with SMTP id 12so3455440bwz.13 for ; Fri, 01 Apr 2011 14:24:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=22tZfWbHUbDXci13b5BrsIFaYmULjlDV0p9n38MPRck=; b=Rci2DLi5r03C4l+wvV4qB4I1JgZIUASG7anomA17adUgANMKQjHbb0YjXqKZexxFLh TEU7m4kkolzzb3vnKSzSd1V+hIf+U03giLl56dFb/3P/QlnBbf+hp0ylyljVkXBk320U OzAPgMlvoKtDJHYCpQC/E0Mm5OPWNc0vzNLJ0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=GmNJ4Gea/UC3TLAKfnG/NgZXxQQ99zY3NqhLstX2eR3jzI7vD6lE0S3lczjcjmJHDe yE/lkXpLGkheA1jGwDeb1CVaDVldx0ZbWQ+CHj2cEoDEVXywaH+YaWuJm4yu4zzLsRE4 HBTJt3s7Qh/X2jcYAAhyadhX21OxFkLb+PlHc= MIME-Version: 1.0 Received: by 10.204.74.93 with SMTP id t29mr4084192bkj.150.1301693075262; Fri, 01 Apr 2011 14:24:35 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 14:24:35 -0700 (PDT) In-Reply-To: <63CF07FC-BD9A-47C2-9535-09D9ED8E982D@smtps.net> References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <63CF07FC-BD9A-47C2-9535-09D9ED8E982D@smtps.net> Date: Fri, 1 Apr 2011 22:24:35 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Brian Keefer Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 21:24:36 -0000 > You're probably not aware (owing to your arrogance) that at least some of > the CAs which ship as part of the Mozilla bundle have been known to issue > fraudulent certificates in the past, even the past few weeks. > once there was a remote root in freebsd kernel, so I have just stopped using it (sometimes I wish I did....) From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 21:38:52 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A0E01106564A for ; Fri, 1 Apr 2011 21:38:52 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 2DA788FC0C for ; Fri, 1 Apr 2011 21:38:51 +0000 (UTC) Received: by bwz12 with SMTP id 12so3463834bwz.13 for ; Fri, 01 Apr 2011 14:38:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/eo1//IDc/g8SMZ6SNwDtDjOcMo2q87T96hll99n6zE=; b=v8pzeCDjH9eU3DOVr1rbClEAXHR3Wr+vemC+xmXOlKnhwI3Eu4ukLI7/cnpDgbB/xd 4C1hLhHF8famna5nXlNZaX0JnL0lsHlHKamOmUxmpUoY7DUmEjg3Toj4iTI+lNinIacC GdlnI87uJDIimSkRes2x3ziBbvJE9yO0ZAwJU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=VCTYYARdiPhN4M/H76ICqNsrwZMQm0k6h5PqPYp2fsAxZaqi2+OWxCoWa1pVhw7NUM VksMC11eYAUItVSzlXR8XSsnSmY1tPpAK42gbg/SwT0igHRqzbbNcBYiORRh4L6i6Q9E 8shZZ6YRQL2kQVqhWBpBpY7BNr1aV7ubt7qtY= MIME-Version: 1.0 Received: by 10.204.74.93 with SMTP id t29mr4091773bkj.150.1301693930792; Fri, 01 Apr 2011 14:38:50 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 14:38:50 -0700 (PDT) In-Reply-To: References: <20110401153300.GA85392@guilt.hydra> Date: Fri, 1 Apr 2011 22:38:50 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Jay Sullivan Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security , Chad Perrin Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 21:38:52 -0000 this is a nice project. in couple of years it might be used widely. until then we have to use SSL :( > It's called CurveCP: http://curvecp.org/ > > -- > Jay Sullivan > From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 21:41:52 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7AE791065670; Fri, 1 Apr 2011 21:41:52 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id C93798FC0C; Fri, 1 Apr 2011 21:41:51 +0000 (UTC) Received: by bwz12 with SMTP id 12so3465473bwz.13 for ; Fri, 01 Apr 2011 14:41:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=MgV53emtu1Q6da0WsC/LRb942QZIWKLBEYCceYwTgJs=; b=YiFMNCibWfdYYBwDcqQQlh1fQsHx7RhHccMCZC1+Y43Yz+WO9m2sSOpZ3dgSaVqN6i 57pvzk62ZLuaf0bOBeMJ5UcAREuVrpyMhwmlEZnwlRVamLXqNoFsngQzEUTRQ46ypGpP OqWyWgYEXGNW6r1KiU5zabVwQIhFWemu+5xqw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=PnuLz3npl+5R4uUOW6Bp/S22RwCxrXyiENhMw6Z5BSzIa/7hDyNfPdIyEjJMAmuK+C qsyiIWNpBPZGYTCl74jhiJNCclREVwHsfYkxsWJgBe5k+7QFVVAUOSgKPMJNniEseRAB tJq73cVwqJWBxlpveTUSCQsXQ3L/X6j6VTnUU= MIME-Version: 1.0 Received: by 10.204.127.68 with SMTP id f4mr4089938bks.42.1301694110910; Fri, 01 Apr 2011 14:41:50 -0700 (PDT) Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 14:41:50 -0700 (PDT) In-Reply-To: <20110401212648.GK86409@numachi.com> References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> <20110401212648.GK86409@numachi.com> Date: Fri, 1 Apr 2011 22:41:50 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Brian Reichert Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security , Doug Barton Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 21:41:52 -0000 work: without the following error => "verify error:num=20:unable to get local issuer certificate" openssl s_client -connect 72.21.203.148:443 < /dev/null On Fri, Apr 1, 2011 at 10:26 PM, Brian Reichert wrote: > On Fri, Apr 01, 2011 at 10:01:08PM +0100, Istv??n wrote: > > Executing the same command: > > > > openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne > /-BEGIN > > CERTIFICATE-/,/-END CERTIFICATE-/p |openssl x509 -noout -subject -dates > > Define 'work'. > > % uname -v > FreeBSD 4.9-RELEASE #0: Sun Dec 28 18:49:39 GMT 2003 root@ > :/usr/src/sys/compile/SERVER > > openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne > '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout > -subject -dates > depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use > at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server > CA - G2 > verify error:num=20:unable to get local issuer certificate > verify return:0 > DONE > subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com > Inc./CN=s3.amazonaws.com > notBefore=Oct 8 00:00:00 2010 GMT > notAfter=Oct 7 23:59:59 2013 GMT > % echo $? > 0 > > Looks like openssl is 'working'; no segfaults, no erroneous results, exit > status of zero... > > > The end goal is to get this working. I am going to fix it whenever I have > > few hours time to waste :) > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to " > freebsd-security-unsubscribe@freebsd.org" > > -- > Brian Reichert > BSD admin/developer at large > -- the sun shines for all http://wperf.com/ From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 21:53:31 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 009421065672 for ; Fri, 1 Apr 2011 21:53:31 +0000 (UTC) (envelope-from reichert@numachi.com) Received: from meisai.numachi.com (meisai.numachi.com [198.175.254.6]) by mx1.freebsd.org (Postfix) with SMTP id 382B08FC13 for ; Fri, 1 Apr 2011 21:53:29 +0000 (UTC) Received: (qmail 45533 invoked by uid 1001); 1 Apr 2011 21:26:48 -0000 Date: Fri, 1 Apr 2011 17:26:48 -0400 From: Brian Reichert To: Istv??n Message-ID: <20110401212648.GK86409@numachi.com> References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.9i Cc: freebsd-security , Doug Barton Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 21:53:31 -0000 On Fri, Apr 01, 2011 at 10:01:08PM +0100, Istv??n wrote: > Executing the same command: > > openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne /-BEGIN > CERTIFICATE-/,/-END CERTIFICATE-/p |openssl x509 -noout -subject -dates Define 'work'. % uname -v FreeBSD 4.9-RELEASE #0: Sun Dec 28 18:49:39 GMT 2003 root@:/usr/src/sys/compile/SERVER openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -dates depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 verify error:num=20:unable to get local issuer certificate verify return:0 DONE subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com notBefore=Oct 8 00:00:00 2010 GMT notAfter=Oct 7 23:59:59 2013 GMT % echo $? 0 Looks like openssl is 'working'; no segfaults, no erroneous results, exit status of zero... > The end goal is to get this working. I am going to fix it whenever I have > few hours time to waste :) > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Brian Reichert BSD admin/developer at large From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 22:04:30 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 23E0A106564A for ; Fri, 1 Apr 2011 22:04:30 +0000 (UTC) (envelope-from notfed@gmail.com) Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id AC4688FC1C for ; Fri, 1 Apr 2011 22:04:29 +0000 (UTC) Received: by wwc33 with SMTP id 33so4443690wwc.31 for ; Fri, 01 Apr 2011 15:04:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=JClYP/6pPR8TPobljt3SunBOGF2Os+jZlAX7T+9YcOA=; b=XqTeiJbUQJAGcTRmfsk0GHx1CUbDp84eHKd2dPK3M2ckoH131thv52FFJQjiddAYIZ BJiTyFc7ELS3XY5mCRXjt9wvxhu1nLXLOSyaBWfnLkER/xRS7l1ohxo6rtY39S0O6lEy 8xwDedUv0Mm/MgQYAadVwHBoShHkgburxgyqk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=DzQkvwB5jWQotj7u0OHihHjtgZkS+IM8md6YeNmS1JNW3DTZ5lLiMQy+tPGho0dxyq Ca7Z/ZB6gIrs+s85gDa79M9pVM3usL/IxAxW2o5LNU94elt01nk38Zkx/z1y0QGYqzNV QedLxBRiFa3aWvhk8GteH0y1mAm8c1YCvO+Rw= MIME-Version: 1.0 Received: by 10.216.6.27 with SMTP id 27mr4220368wem.69.1301693619909; Fri, 01 Apr 2011 14:33:39 -0700 (PDT) Received: by 10.216.177.5 with HTTP; Fri, 1 Apr 2011 14:33:39 -0700 (PDT) In-Reply-To: References: <20110401153300.GA85392@guilt.hydra> Date: Fri, 1 Apr 2011 17:33:39 -0400 Message-ID: From: Jay Sullivan To: =?UTF-8?Q?Istv=C3=A1n?= Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security , Chad Perrin Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 22:04:30 -0000 On Fri, Apr 1, 2011 at 2:47 PM, Istv=C3=A1n wrote: > Yep, SSL is broken. > This why the top500 companies are using it to secure their business. I ho= pe > you have something better what we could implement tomorrow deprecating SS= L. > > Send the RFC please. :) > > Thank you in advance. > It's called CurveCP: http://curvecp.org/ --=20 Jay Sullivan From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 22:50:37 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B85D4106566B for ; Fri, 1 Apr 2011 22:50:37 +0000 (UTC) (envelope-from reichert@numachi.com) Received: from meisai.numachi.com (meisai.numachi.com [198.175.254.6]) by mx1.freebsd.org (Postfix) with SMTP id 0A68E8FC08 for ; Fri, 1 Apr 2011 22:50:36 +0000 (UTC) Received: (qmail 52083 invoked by uid 1001); 1 Apr 2011 22:50:33 -0000 Date: Fri, 1 Apr 2011 18:50:33 -0400 From: Brian Reichert To: Roberto Nunnari Message-ID: <20110401225033.GL86409@numachi.com> References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> <20110401212648.GK86409@numachi.com> <4D9654BC.6040808@supsi.ch> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4D9654BC.6040808@supsi.ch> User-Agent: Mutt/1.5.9i Cc: Istv??n , Doug Barton , freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 22:50:37 -0000 On Sat, Apr 02, 2011 at 12:42:04AM +0200, Roberto Nunnari wrote: > Istv??n wrote: > >work: > > > > without the following error => "verify error:num=20:unable to get local > >issuer certificate" > > Hi. > It works for me if you correct the sed command and suppress sdterr.. Well, I cleaned that up, too. That you got this same command to work implies you have a different set of CAs than I. His point (someone please correct me, if neccessary) is that without what he considers a reasonable set of trusted CAs in place, SSL under FreeBSD is 'broken'. I interpret this thread now to be a debate of terms 'reasonable' and 'trusted', and further, who's responsibility is it to populate that list of CAs on his machine. > $ uname -rms > FreeBSD 6.4-RELEASE-p8 i386 > $ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null | > sed -ne /-BEGIN\ CERTIFICATE-/,/-END\ CERTIFICATE-/p |openssl x509 > -noout -subject -dates > subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com > notBefore=Oct 8 00:00:00 2010 GMT > notAfter=Oct 7 23:59:59 2013 GMT > > So, it seems to be just a RexExp error.. > > Best regards. > Robi -- Brian Reichert BSD admin/developer at large From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 23:15:24 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A3D7F1065675 for ; Fri, 1 Apr 2011 23:15:24 +0000 (UTC) (envelope-from perrin@apotheon.com) Received: from oproxy2-pub.bluehost.com (oproxy2-pub.bluehost.com [67.222.39.60]) by mx1.freebsd.org (Postfix) with SMTP id 6C51C8FC1F for ; Fri, 1 Apr 2011 23:15:24 +0000 (UTC) Received: (qmail 31040 invoked by uid 0); 1 Apr 2011 23:15:24 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by oproxy2.bluehost.com with SMTP; 1 Apr 2011 23:15:24 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=apotheon.com; h=Date:From:To:Subject:Message-ID:Mail-Followup-To:References:Mime-Version:Content-Type:Content-Disposition:In-Reply-To:User-Agent:X-Identified-User; b=bWPIhAzb/iFzKi8eYu+RSslSYvWpc0OxaQMjOKZ1+T1GiEMXN9TIjWMiOjdXW3ZG1JsnPYGGYSjM9+/gN70UMaIBFJ+4VC3w6Jg13IYWTX4PEVKPZndWbVgPuPLX+Mpl; Received: from c-24-8-180-234.hsd1.co.comcast.net ([24.8.180.234] helo=kukaburra.hydra) by box543.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Q5nYo-0001FG-M1 for freebsd-security@freebsd.org; Fri, 01 Apr 2011 17:15:23 -0600 Received: by kukaburra.hydra (sSMTP sendmail emulation); Fri, 01 Apr 2011 17:03:02 -0600 Date: Fri, 1 Apr 2011 17:03:02 -0600 From: Chad Perrin To: freebsd-security Message-ID: <20110401230302.GA87063@guilt.hydra> Mail-Followup-To: freebsd-security References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <63CF07FC-BD9A-47C2-9535-09D9ED8E982D@smtps.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.org} {sentby:smtp auth 24.8.180.234 authed with ren@apotheon.org} Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 23:15:24 -0000 --NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 01, 2011 at 10:24:35PM +0100, Istv=E1n wrote: > > You're probably not aware (owing to your arrogance) that at least some = of > > the CAs which ship as part of the Mozilla bundle have been known to iss= ue > > fraudulent certificates in the past, even the past few weeks. > > >=20 > once there was a remote root in freebsd kernel, so I have just stopped us= ing > it >=20 > (sometimes I wish I did....) It is worth noting that there is a difference between, on one hand, using software and discovering a bug exists in it that may not even have possibly affected you -- and, on the other, taking some faceless third party's assurances on issues of cryptographic trust and discovering that refusing to take responsibility for your own decisions about trust has placed your security at the mercy of untrustworthy people. --=20 Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] --NzB8fVQJ5HfG6fxh Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAk2WWaYACgkQ9mn/Pj01uKXk1ACeKTzXSK1iPX+DyYKdfdSK/r/7 N3IAoLUgy8otzdSIN5sDQY2Yp3z5bWs9 =HgSa -----END PGP SIGNATURE----- --NzB8fVQJ5HfG6fxh-- From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 23:18:07 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2818106566B; Fri, 1 Apr 2011 23:18:07 +0000 (UTC) (envelope-from roberto.nunnari@supsi.ch) Received: from jupiter.nunnisoft.ch (jupiter.nunnisoft.ch [84.55.242.12]) by mx1.freebsd.org (Postfix) with ESMTP id 2DFAC8FC14; Fri, 1 Apr 2011 23:18:06 +0000 (UTC) Received: from [127.0.0.1] (venus.nunnisoft.ch [192.168.1.10]) by jupiter.nunnisoft.ch (8.14.3/8.14.3) with ESMTP id p31Mfwun073536; Sat, 2 Apr 2011 00:41:58 +0200 (CEST) (envelope-from roberto.nunnari@supsi.ch) Message-ID: <4D9654BC.6040808@supsi.ch> Date: Sat, 02 Apr 2011 00:42:04 +0200 From: Roberto Nunnari User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: =?UTF-8?B?SXN0dsOhbg==?= References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> <20110401212648.GK86409@numachi.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Antivirus: avast! (VPS 110331-1, 31.03.2011), Outbound message X-Antivirus-Status: Clean X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on jupiter.nunnisoft.ch Cc: freebsd-security , Doug Barton Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 23:18:07 -0000 István wrote: > work: > > without the following error => "verify error:num=20:unable to get local > issuer certificate" Hi. It works for me if you correct the sed command and suppress sdterr.. $ uname -rms FreeBSD 6.4-RELEASE-p8 i386 $ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null | sed -ne /-BEGIN\ CERTIFICATE-/,/-END\ CERTIFICATE-/p |openssl x509 -noout -subject -dates subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com notBefore=Oct 8 00:00:00 2010 GMT notAfter=Oct 7 23:59:59 2013 GMT So, it seems to be just a RexExp error.. Best regards. Robi > > > > openssl s_client -connect 72.21.203.148:443 < /dev/null > > On Fri, Apr 1, 2011 at 10:26 PM, Brian Reichert wrote: > >> On Fri, Apr 01, 2011 at 10:01:08PM +0100, Istv??n wrote: >>> Executing the same command: >>> >>> openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne >> /-BEGIN >>> CERTIFICATE-/,/-END CERTIFICATE-/p |openssl x509 -noout -subject -dates >> Define 'work'. >> >> % uname -v >> FreeBSD 4.9-RELEASE #0: Sun Dec 28 18:49:39 GMT 2003 root@ >> :/usr/src/sys/compile/SERVER >> >> openssl s_client -connect 72.21.203.148:443 < /dev/null | sed -ne >> '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout >> -subject -dates >> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use >> at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server >> CA - G2 >> verify error:num=20:unable to get local issuer certificate >> verify return:0 >> DONE >> subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com >> Inc./CN=s3.amazonaws.com >> notBefore=Oct 8 00:00:00 2010 GMT >> notAfter=Oct 7 23:59:59 2013 GMT >> % echo $? >> 0 >> >> Looks like openssl is 'working'; no segfaults, no erroneous results, exit >> status of zero... >> >>> The end goal is to get this working. I am going to fix it whenever I have >>> few hours time to waste :) >>> _______________________________________________ >>> freebsd-security@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security >>> To unsubscribe, send any mail to " >> freebsd-security-unsubscribe@freebsd.org" >> >> -- >> Brian Reichert >> BSD admin/developer at large From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 23:42:32 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2191106566C for ; Fri, 1 Apr 2011 23:42:32 +0000 (UTC) (envelope-from perrin@apotheon.com) Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by mx1.freebsd.org (Postfix) with SMTP id 8F4AC8FC0A for ; Fri, 1 Apr 2011 23:42:32 +0000 (UTC) Received: (qmail 2145 invoked by uid 0); 1 Apr 2011 23:42:32 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by cpoproxy3.bluehost.com with SMTP; 1 Apr 2011 23:42:31 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=apotheon.com; h=Date:From:To:Subject:Message-ID:Mail-Followup-To:References:Mime-Version:Content-Type:Content-Disposition:In-Reply-To:User-Agent:X-Identified-User; b=jjEDuevTS9iWMYSG8zlLACZyBhH4bZdUn5NoJOLHqyJz3l3p+bWZ65FxYDMs2H1MMUWEmbOUaAddsY2VffAwN8oGYNGxx1jieJCGmkpFTwPeF5ISv078Fo+emwNMpN4J; Received: from c-24-8-180-234.hsd1.co.comcast.net ([24.8.180.234] helo=kukaburra.hydra) by box543.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Q5nz4-0006EC-Cs for freebsd-security@freebsd.org; Fri, 01 Apr 2011 17:42:31 -0600 Received: by kukaburra.hydra (sSMTP sendmail emulation); Fri, 01 Apr 2011 17:30:09 -0600 Date: Fri, 1 Apr 2011 17:30:09 -0600 From: Chad Perrin To: freebsd-security Message-ID: <20110401233009.GA87214@guilt.hydra> Mail-Followup-To: freebsd-security References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> <20110401212648.GK86409@numachi.com> <4D9654BC.6040808@supsi.ch> <20110401225033.GL86409@numachi.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline In-Reply-To: <20110401225033.GL86409@numachi.com> User-Agent: Mutt/1.4.2.3i X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.org} {sentby:smtp auth 24.8.180.234 authed with ren@apotheon.org} Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 23:42:32 -0000 --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 01, 2011 at 06:50:33PM -0400, Brian Reichert wrote: >=20 > That you got this same command to work implies you have a different > set of CAs than I. >=20 > His point (someone please correct me, if neccessary) is that without > what he considers a reasonable set of trusted CAs in place, SSL under > FreeBSD is 'broken'. >=20 > I interpret this thread now to be a debate of terms 'reasonable' > and 'trusted', and further, who's responsibility is it to populate > that list of CAs on his machine. In case anyone cares what I think . . . I don't think that either of the two options currently under discussion (quietly provide a "trusted" CA list or quietly failing to provide one) is optimal. In the best-case scenario, I guess there would be some self-evident system for letting the user choose what to use, if anything, giving a very brief, glancing explanation of the meaning of trust in this circumstance. Failing that -- given the options currently available to us without writing more software to do it differently in a way that's compatible with how we manage our OSes -- I don't much care whether a list of "trusted" CAs is included or not. The important thing here is knowledge, and both approaches under discussion fail to impart any knowledge upon the user, so it's six of one and half a dozen of the other. I'm open to being convinced it really matters, though, if someone has an argument more compelling than Istvan's. (This ignores the notion that there are simply better ways to validate certs than via CA trust, which is a somewhat separate issue.) --=20 Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] --MGYHOYXEY6WxJCY8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAk2WYAEACgkQ9mn/Pj01uKU8rACg74wu4fcam+38/YdNnq6nA/AN dA0An1EjiKPmzV6DMZt4RBPYIQ95SJM3 =ncbA -----END PGP SIGNATURE----- --MGYHOYXEY6WxJCY8-- From owner-freebsd-security@FreeBSD.ORG Sat Apr 2 03:39:50 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22957106564A for ; Sat, 2 Apr 2011 03:39:50 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from fw.ax.cz (unknown [IPv6:2a00:1aa8:1:1000::2]) by mx1.freebsd.org (Postfix) with ESMTP id A436A8FC19 for ; Sat, 2 Apr 2011 03:39:49 +0000 (UTC) Received: from [127.0.0.1] (fw.ax.cz [77.240.99.126]) by fw.ax.cz (8.14.4/8.14.3) with ESMTP id p323dksH009618; Sat, 2 Apr 2011 05:39:47 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <4D969A1E.80202@obluda.cz> Date: Sat, 02 Apr 2011 05:38:06 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.18) Gecko/20110320 SeaMonkey/2.0.13 MIME-Version: 1.0 To: freebsd-security References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Antivirus: avast! (VPS 110401-2, 01.04.2011), Outbound message X-Antivirus-Status: Clean Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Apr 2011 03:39:50 -0000 István wrote: > well i would argue with that, on Linux it was possible to validate the certs > what X company is using, on FreeBSD it was not. Just for completeness: ============================= uname -a Linux u-pl1 2.6.32-vs2.3.0.36.28-gentoo-amd64 #1 SMP PREEMPT Tue Feb 22 12:08:19 CET 2011 i686 Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz GenuineIntel GNU/Linux openssl s_client -connect 72.21.203.148:443 CONNECTED(00000003) ... verify error:num=20:unable to get local issuer certificate verify return:0 ============================== and Windows XP SP3, not surprisingly: ============================== > C:\>openssl s_client -connect 72.21.203.148:443 > Loading 'screen' into random state - done > CONNECTED(00000784) > depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at http > s://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 > verify error:num=20:unable to get local issuer certificate ============================== This issue is definitely NOT about "operating system A has different behavior than operating system B". It's all about proper configuration of such system and proper usage of openssl utility. If Istvan will configure it's system the same way as the Linux (where it work) is configured (e.g. if he install apropriate list of trusted CA's and confure openssl to use it), then his problem will evaporate also. But if he is not interested in verification of connection's certificate, then he can ignore the warning at all. Dan From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 22:49:34 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 771A7106566C for ; Fri, 1 Apr 2011 22:49:34 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (lor.one-eyed-alien.net [69.66.77.232]) by mx1.freebsd.org (Postfix) with ESMTP id 2EE5D8FC15 for ; Fri, 1 Apr 2011 22:49:33 +0000 (UTC) Received: from lor.one-eyed-alien.net (localhost [127.0.0.1]) by lor.one-eyed-alien.net (8.14.4/8.14.4) with ESMTP id p31FGYlT074056; Fri, 1 Apr 2011 10:16:34 -0500 (CDT) (envelope-from brooks@lor.one-eyed-alien.net) Received: (from brooks@localhost) by lor.one-eyed-alien.net (8.14.4/8.14.4/Submit) id p31FGXdL074055; Fri, 1 Apr 2011 10:16:33 -0500 (CDT) (envelope-from brooks) Date: Fri, 1 Apr 2011 10:16:33 -0500 From: Brooks Davis To: Robert Simmons Message-ID: <20110401151633.GK63248@lor.one-eyed-alien.net> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="QnBU6tTI9sljzm9u" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6 (lor.one-eyed-alien.net [127.0.0.1]); Fri, 01 Apr 2011 10:16:34 -0500 (CDT) X-Mailman-Approved-At: Sat, 02 Apr 2011 05:49:07 +0000 Cc: freebsd-security , Istv?n Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2011 22:49:34 -0000 --QnBU6tTI9sljzm9u Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 01, 2011 at 12:33:30PM -0400, Robert Simmons wrote: > Now, you are also not satisfied with the CA bundle in the ports > collection because it does not contain the CA that you need. I'm not > sure which one it is that you need. But a good place to start is > here: > http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html >=20 > That contains a perl script for extracting the CA bundle from > Mozilla's CVS. At first glance, it may frustrate you, because it may > not be obvoius where it connects to (that info is obscured). However, > look at the following help file. It has all the connection details > for mozilla's cvsroot that you will need. Just substitute the > "anonymous@cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the > script. > https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS The point of security/ca_root_nss is that it is exactly the set of certs trusted by Mozilla (via the nss library) via the mechanism described above. The FreeBSD Project makes no warranty that it is a good set to trust. It just happens to be a set that is widely trusted. > If you are not satisfied with Mozilla's bundle, you can find google > Chrome's list here somewhere: > http://src.chromium.org/viewvc/chrome/ We might actually want to maintain a port of those as well if they differ in any meaningful way. -- Brooks --QnBU6tTI9sljzm9u Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (FreeBSD) iD8DBQFNlexRXY6L6fI4GtQRAhCBAJ4jVef5atjnoa5gHgDGkc58BlbmYgCgzQeO BAPjVronqoFJ0TGLjluq+p4= =LPuT -----END PGP SIGNATURE----- --QnBU6tTI9sljzm9u-- From owner-freebsd-security@FreeBSD.ORG Sat Apr 2 07:37:48 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D3CA9106566C for ; Sat, 2 Apr 2011 07:37:48 +0000 (UTC) (envelope-from mbox@miguel.ramos.name) Received: from smtpauth.rollernet.us (smtpauth.rollernet.us [IPv6:2607:fe70:0:3::d]) by mx1.freebsd.org (Postfix) with ESMTP id AC2A98FC08 for ; Sat, 2 Apr 2011 07:37:48 +0000 (UTC) Received: from smtpauth.rollernet.us (localhost [127.0.0.1]) by smtpauth.rollernet.us (Postfix) with ESMTP id 8F142594009 for ; Sat, 2 Apr 2011 00:37:38 -0700 (PDT) Received: from w500.local (w500.miguel.ramos.name [IPv6:2001:b18:4071:0:216:eaff:fec1:77da]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: @miguel.ramos.name) by smtpauth.rollernet.us (Postfix) with ESMTPSA for ; Sat, 2 Apr 2011 00:37:38 -0700 (PDT) Received: from w500.local (w500.local [127.0.0.1]) by w500.local (8.14.4/8.14.4) with ESMTP id p327beGb006298 for ; Sat, 2 Apr 2011 08:37:40 +0100 Received: (from miguel@localhost) by w500.local (8.14.4/8.14.4/Submit) id p327baDZ006296 for freebsd-security@freebsd.org; Sat, 2 Apr 2011 08:37:36 +0100 X-Authentication-Warning: w500.local: miguel set sender to mbox@miguel.ramos.name using -f From: Miguel Lopes Santos Ramos To: freebsd-security@freebsd.org In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Date: Sat, 02 Apr 2011 08:37:36 +0100 Message-ID: <1301729856.5812.12.camel@w500.local> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 X-Rollernet-Abuse: Processed by Roller Network Mail Services. Contact abuse@rollernet.us to report violations. Abuse policy: http://rollernet.us/abuse.php X-Rollernet-Submit: Submit ID 6bbe.4d96d242.26cc7.0 Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Apr 2011 07:37:48 -0000 Sex, 2011-04-01 =C3=A0s 15:33 +0100, Istv=C3=A1n escreveu: > FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it = is > like shipping a car without wheels, I suppose. >=20 > Is there a reason to do this? >=20 > How much effort would be to ship a complete SSL stack, including the root > CAs, just like any other vendor/community does? Yeah, maybe FreeBSD should ship with the same list of root CAs that Internet Explorer does, so we can say FreeBSD is a compatible operating system. This is business, multi-million dollar business. Microsoft decides who to trust on behalf of the consumer, and companies and governments all over the world pay millions of dollars so their sites are "trusted". The price of certificates from VeriSign is justified because everybody trusts them, even though nobody ever thought about it. That's dirty business. And you think FreeBSD should "sugest" trust on these companies and get nothing in return? Or would they contribute a couple of millions to the FreeBSD Foundation? The only root CAs that could be included by default would be those of governments (but which governments do you trust?) and things like CAcert.org. --=20 Miguel Ramos PGP A006A14C From owner-freebsd-security@FreeBSD.ORG Sat Apr 2 08:45:12 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06D9D106566C for ; Sat, 2 Apr 2011 08:45:12 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3fd3:cd67:fafa:3d78]) by mx1.freebsd.org (Postfix) with ESMTP id 6822F8FC1D for ; Sat, 2 Apr 2011 08:45:11 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.187.76.163]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.4/8.14.4) with ESMTP id p328j7As018587 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Sat, 2 Apr 2011 09:45:07 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.8.3 smtp.infracaninophile.co.uk p328j7As018587 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infracaninophile.co.uk; s=201001-infracaninophile; t=1301733907; bh=zcTEbj0S6nMDePRUirFZhWb+EClyrnEPW5LXXw/92h8=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Cc:Content-Type:Date:From:In-Reply-To: Message-ID:Mime-Version:References:To; z=Message-ID:=20<4D96E20A.8050409@infracaninophile.co.uk>|Date:=20S at,=2002=20Apr=202011=2009:44:58=20+0100|From:=20Matthew=20Seaman= 20|User-Agent:=20Mozilla/5.0=20(M acintosh=3B=20U=3B=20Intel=20Mac=20OS=20X=2010.6=3B=20en-US=3B=20r v:1.9.2.15)=20Gecko/20110303=20Thunderbird/3.1.9|MIME-Version:=201 .0|To:=20freebsd-security=20|Subject :=20Re:=20SSL=20is=20broken=20on=20FreeBSD|References:=20<20110401 153300.GA85392@guilt.hydra>=09=09<4D9639B0.1070302@FreeBSD.org>=09=0 9<4D963C23.4080100@FreeBSD.org>=09=09<20110401212648.GK86409@numachi .com>=09=09<4D9654BC.6040808@supsi.ch>=20<20110401225033.GL86409@numac hi.com>=20<20110401233009.GA87214@guilt.hydra>|In-Reply-To:=20<201 10401233009.GA87214@guilt.hydra>|X-Enigmail-Version:=201.1.1|OpenP GP:=20id=3D60AE908C|Content-Type:=20multipart/signed=3B=20micalg=3 Dpgp-sha1=3B=0D=0A=20protocol=3D"application/pgp-signature"=3B=0D= 0A=20boundary=3D"------------enig48C7FAEDD4E1D3A867685A0B"; b=r+M/EnDAaTuW9pCui1u2rq1Y1Hyt9Fxg0EcXLJkyfHIuUqvTI3jWoxhM5qu/7QcN1 wIt3ZNLv74EY+L4aVoRQd3xxUAHO3zrQsGqLReaoBxR42fWfiiUr9b0dMnmKyM4vgQ TpIZXXVakl3lhDiWZbPLQ2T3GhmDDdc2Ian3FxbE= Message-ID: <4D96E20A.8050409@infracaninophile.co.uk> Date: Sat, 02 Apr 2011 09:44:58 +0100 From: Matthew Seaman User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: freebsd-security References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org> <4D963C23.4080100@FreeBSD.org> <20110401212648.GK86409@numachi.com> <4D9654BC.6040808@supsi.ch> <20110401225033.GL86409@numachi.com> <20110401233009.GA87214@guilt.hydra> In-Reply-To: <20110401233009.GA87214@guilt.hydra> X-Enigmail-Version: 1.1.1 OpenPGP: id=60AE908C Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig48C7FAEDD4E1D3A867685A0B" X-Virus-Scanned: clamav-milter 0.97 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_20,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_FAIL autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on lucid-nonsense.infracaninophile.co.uk Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Apr 2011 08:45:12 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig48C7FAEDD4E1D3A867685A0B Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 02/04/2011 00:30, Chad Perrin wrote: > I don't think that either of the two options currently under discussion= > (quietly provide a "trusted" CA list or quietly failing to provide one)= > is optimal. In the best-case scenario, I guess there would be some > self-evident system for letting the user choose what to use, if anythin= g, > giving a very brief, glancing explanation of the meaning of trust in th= is > circumstance. Failing that -- given the options currently available to= > us without writing more software to do it differently in a way that's > compatible with how we manage our OSes -- I don't much care whether a > list of "trusted" CAs is included or not. The important thing here is > knowledge, and both approaches under discussion fail to impart any > knowledge upon the user, so it's six of one and half a dozen of the > other. >=20 > I'm open to being convinced it really matters, though, if someone has a= n > argument more compelling than Istvan's. >=20 > (This ignores the notion that there are simply better ways to validate > certs than via CA trust, which is a somewhat separate issue.) There's a point here that no-one has explored. Yes, FireFox, Chrome, IE all come with a pre-configured list of trusted CAs. That is the list of CAs that those vendors think their users should trust /to validate websites/. This is a solution (maybe not a particularly satisfying one) for the problem of establishing trust between a site and a potentially very large audience of subscribers without having to have some sort of individual verification procedure between each user and the site: something which is clearly impractical. What are the applications[*] that a central CA store provided by the openssl libraries are supposed to provide validation for? Well, it could be anything that uses SSL/TLS. Why should we assume that it is appropriate to trust the same set of CAs as are used to validate websites? Much of the time, that is exactly what you don't want to do -- frequently you only want to trust a small private group, where you know all the other parties already. In this case, having system updates gratuitously install some other set of CA certs is a gross security violation. FreeBSD doesn't assume anything much about the way anyone is going to use it. This comes as a bit of a shock to many users of other OSes, who are used to something much more pre-configured to specific use cases. This is a gap that PC-BSD fills. Personally, I'd be quite happy describing PC-BSD as a "distro" of FreeBSD aimed at desktop users, although I don't know what the PC-BSD folks would think of that. Cheers Matthew [*] In fact, most applications that use SSL/TLS will have their own facilities for keeping a chain of trusted CAs outside /etc/ssl. --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW --------------enig48C7FAEDD4E1D3A867685A0B Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2W4hIACgkQ8Mjk52CukIxeywCfaTAtdBiJoH5c3iyG2PSuE+h6 UAoAn2yf6D7Ooarb2F/vHDFc8njlPwdp =lAin -----END PGP SIGNATURE----- --------------enig48C7FAEDD4E1D3A867685A0B--