From owner-freebsd-security@FreeBSD.ORG  Fri Apr  1 14:59:38 2011
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 32EF51065678
	for <freebsd-security@freebsd.org>;
	Fri,  1 Apr 2011 14:59:38 +0000 (UTC)
	(envelope-from leccine@gmail.com)
Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com
	[209.85.214.54])
	by mx1.freebsd.org (Postfix) with ESMTP id B652E8FC22
	for <freebsd-security@freebsd.org>;
	Fri,  1 Apr 2011 14:59:37 +0000 (UTC)
Received: by bwz12 with SMTP id 12so3155852bwz.13
	for <freebsd-security@freebsd.org>;
	Fri, 01 Apr 2011 07:59:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:date:message-id:subject:from:to
	:content-type; bh=fgOK3Uxw8OIzRvrjFdDgXurEG3vGosHs9u1AZDaA190=;
	b=WdEYIP+8ipCmphF7iqk4ufyjZQ+uES6h2OiuwSVFhqXvK/6WKY0LtYx2unBQ/34fYe
	OrVhPbfah1jTGWU1NrTyUr5X/WR+ii7rVB0V32kNMCRxVhi5IzrjsblfO+DpF+rOoP4Y
	+pePDkAfTDb0qXguQxHsa8YRrUcaWiJQWv6SI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:date:message-id:subject:from:to:content-type;
	b=hetBtYdeA5LNgjSv8eNGbaD7De/BqsVZHfRDc3z2iYZcEkribGBDCYXlvocLNkpC1V
	Bu75mogQQ3VZ1rytb+kLxLr9dJRb1MpqECyfOva9GglSSI9F/O+p6X3w7mRUy+ISB2qf
	9Sr/sjRBkAt5P8f9EPtsJmM9bTydzhhxxEXA4=
MIME-Version: 1.0
Received: by 10.204.151.207 with SMTP id d15mr359412bkw.123.1301668395789;
	Fri, 01 Apr 2011 07:33:15 -0700 (PDT)
Received: by 10.204.62.13 with HTTP; Fri, 1 Apr 2011 07:33:15 -0700 (PDT)
Date: Fri, 1 Apr 2011 15:33:15 +0100
Message-ID: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
From: =?UTF-8?Q?Istv=C3=A1n?= <leccine@gmail.com>
To: freebsd-security <freebsd-security@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: SSL is broken on FreeBSD
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2011 14:59:38 -0000

Hi folks,

Could somebody explain to me how is it possible to ship an operating system
without testing basic functionality like SSL working? Unfortunately the
problem is still there after installing the following port:

/usr/ports/security/ca_root_nss

http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22

<http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22>About
1,490 results (0.14 seconds)
openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne '/-BEGIN
CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -subject -dates

depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
notBefore=Oct  8 00:00:00 2010 GMT
notAfter=Oct  7 23:59:59 2013 GMT

FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is
like shipping a car without wheels, I suppose.

Is there a reason to do this?

How much effort would be to ship a complete SSL stack, including the root
CAs, just like any other vendor/community does?

Thanks.

I.

-- 
the sun shines for all