Date:      Mon, 4 Apr 2011 12:36:09 -0659
From:      "David E. Thiel" <lx@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: SSL is broken on FreeBSD
Message-ID:  <20110404193545.GN18694@redundancy.redundancy.org>
In-Reply-To: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
References:  <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>


On Fri, Apr 01, 2011 at 03:32:51PM +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right, 
> it is like shipping a car without wheels, I suppose.

While I agree somewhat with your sentiment, SSL is not necessarily 
broken without CA certificates, as it's completely possible to do TOFU 
verification à la SSH.

However, I think it's an appropriate time to mention again that there is 
at least one place in base that does indeed have broken SSL support, 
namely libfetch. To do SSL properly, you can do CA certificate 
verification or you can do TOFU, but libfetch still accepts any 
certificate it encounters, without user warning.
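The SSH-style TOFU verification mentioned above, as an added example (Python, not libfetch or FreeBSD code): it pins the first certificate seen for a host and refuses a silent change afterwards, which is exactly the check a client that accepts every certificate never performs. The known-hosts file format, the host names and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
import socket
import ssl

# Added example: trust-on-first-use (TOFU) certificate verification,
# the SSH-like alternative to CA verification. Not libfetch code.

def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_known_hosts(path: str) -> dict:
    """Known-hosts store as {"host:port": fingerprint}; missing file is empty."""
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}

def save_known_hosts(path: str, store: dict) -> None:
    with open(path, "w") as f:
        json.dump(store, f, indent=2, sort_keys=True)

def tofu_check(host: str, port: int, der_bytes: bytes, store: dict) -> str:
    """Return 'new' (first contact, now pinned), 'match', or 'mismatch'.
    'mismatch' must abort the connection unless the user re-pins by hand."""
    key = f"{host}:{port}"
    fp = cert_fingerprint(der_bytes)
    known = store.get(key)
    if known is None:
        store[key] = fp          # first use: remember this certificate
        return "new"
    if hmac.compare_digest(known, fp):
        return "match"
    return "mismatch"

def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate (DER) so tofu_check can judge it.
    CA verification is off only because TOFU replaces it; the caller must
    still act on the result of tofu_check() before sending any data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```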

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110404193545.GN18694>