From owner-freebsd-security@FreeBSD.ORG Mon Apr 4 19:35:46 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 80AAC1065672 for ; Mon, 4 Apr 2011 19:35:46 +0000 (UTC) (envelope-from lx@redundancy.redundancy.org) Received: from redundancy.redundancy.org (75-101-96-57.dsl.static.sonic.net [75.101.96.57]) by mx1.freebsd.org (Postfix) with SMTP id 4B41D8FC0A for ; Mon, 4 Apr 2011 19:35:46 +0000 (UTC) Received: (qmail 35858 invoked by uid 1001); 4 Apr 2011 19:36:09 -0000 Date: Mon, 4 Apr 2011 12:36:09 -0659 From: "David E. Thiel" To: freebsd-security@freebsd.org Message-ID: <20110404193545.GN18694@redundancy.redundancy.org> References: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Face: %H~{$1~NOw1y#%mM6{|4:/ List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Apr 2011 19:35:46 -0000 On Fri, Apr 01, 2011 at 03:32:51PM +0100, István wrote: > FreeBSD ships OpenSSL but it is broken because there is no CA. Right, > it is like shipping a car without wheels, I suppose. While I agree somewhat with your sentiment, SSL is not necessarily broken without CA certificates, as it's completely possible to do TOFU verification ala SSH. However, I think it's an appropriate time to mention again that there is at least one place in base that does indeed have broken SSL support, namely libfetch. To do SSL properly, you can do CA certificate verification or you can do TOFU, but libfetch still accepts any certificate it encounters, without user warning. From owner-freebsd-security@FreeBSD.ORG Mon Apr 4 20:57:10 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 91119106564A for ; Mon, 4 Apr 2011 20:57:10 +0000 (UTC) (envelope-from peterjeremy@acm.org) Received: from mail35.syd.optusnet.com.au (mail35.syd.optusnet.com.au [211.29.133.51]) by mx1.freebsd.org (Postfix) with ESMTP id 22C288FC12 for ; Mon, 4 Apr 2011 20:57:09 +0000 (UTC) Received: from server.vk2pj.dyndns.org (c220-239-116-103.belrs4.nsw.optusnet.com.au [220.239.116.103]) by mail35.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id p34Kv6En022080 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 5 Apr 2011 06:57:08 +1000 X-Bogosity: Ham, spamicity=0.000000 Received: from server.vk2pj.dyndns.org (localhost.vk2pj.dyndns.org [127.0.0.1]) by server.vk2pj.dyndns.org (8.14.4/8.14.4) with ESMTP id p34Kv6qE052232; Tue, 5 Apr 2011 06:57:06 +1000 (EST) (envelope-from peter@server.vk2pj.dyndns.org) Received: (from peter@localhost) by server.vk2pj.dyndns.org (8.14.4/8.14.4/Submit) id p34Kv53K052231; Tue, 5 Apr 2011 06:57:05 +1000 (EST) (envelope-from peter) Date: Tue, 5 Apr 2011 06:57:05 +1000 From: Peter Jeremy To: Miguel Lopes Santos Ramos Message-ID: <20110404205705.GA52172@server.vk2pj.dyndns.org> References: <1301729856.5812.12.camel@w500.local> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="17pEHd4RhPHOinZp" Content-Disposition: inline In-Reply-To: <1301729856.5812.12.camel@w500.local> X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@freebsd.org Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Apr 2011 20:57:10 -0000 --17pEHd4RhPHOinZp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2011-Apr-02 08:37:36 +0100, Miguel Lopes Santos Ramos wrote: >The only root CAs that could be included by default would be those of >governments (but which governments do you trust?) and things like >CAcert.org. Actually, there was a certificate port that included CAcert.org but the port was dropped for various reasons. And Mozilla doesn't currently trust CAcert.org so why should FreeBSD? (Note that Mozilla has defined an audit process to verify CAs and CAcert.org is slowly working towards compliance). It has occurred to me that maybe the FreeBSD SO should create a root cert and distribute that with FreeBSD. That certificate would at least have the same trust level as FreeBSD. --=20 Peter Jeremy --17pEHd4RhPHOinZp Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) iEYEARECAAYFAk2aMKEACgkQ/opHv/APuIfRFgCglW0Sh1pCJV+N7oC/oTREIWKY WgAAn1XM+OGNSG50uB3CWqKfxYHIAAri =2R1w -----END PGP SIGNATURE----- --17pEHd4RhPHOinZp-- From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 00:17:21 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 84059106564A for ; Tue, 5 Apr 2011 00:17:21 +0000 (UTC) (envelope-from richo@psych0tik.net) Received: from bedford.accountservergroup.com (50.22.11.19-static.reverse.softlayer.com [50.22.11.19]) by mx1.freebsd.org (Postfix) with ESMTP id 4AD338FC15 for ; Tue, 5 Apr 2011 00:17:21 +0000 (UTC) Received: from boxand.lnk.telstra.net ([203.45.130.125] helo=richh-desktop.boxdice.com.au) by bedford.accountservergroup.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from ) id 1Q6srE-0007Ba-RQ for freebsd-security@freebsd.org; Mon, 04 Apr 2011 18:06:53 -0500 Date: Tue, 5 Apr 2011 09:05:47 +1000 From: richo To: freebsd-security@freebsd.org Message-ID: <20110404230546.GA25778@richh-desktop.boxdice.com.au> References: <1301729856.5812.12.camel@w500.local> <20110404205705.GA52172@server.vk2pj.dyndns.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="bg08WKrSYDhXBjb5" Content-Disposition: inline In-Reply-To: <20110404205705.GA52172@server.vk2pj.dyndns.org> X-PGP-Key: http://natalya.psych0tik.net/~richo/pubkey.asc User-Agent: Mutt/1.5.21 (2010-09-15) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - bedford.accountservergroup.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - psych0tik.net X-Source: X-Source-Args: X-Source-Dir: Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Apr 2011 00:17:21 -0000 --bg08WKrSYDhXBjb5 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 05/04/11 06:57 +1000, Peter Jeremy wrote: >On 2011-Apr-02 08:37:36 +0100, Miguel Lopes Santos Ramos wrote: >>The only root CAs that could be included by default would be those of >>governments (but which governments do you trust?) and things like >>CAcert.org. > >Actually, there was a certificate port that included CAcert.org but >the port was dropped for various reasons. And Mozilla doesn't >currently trust CAcert.org so why should FreeBSD? (Note that Mozilla >has defined an audit process to verify CAs and CAcert.org is slowly >working towards compliance). > >It has occurred to me that maybe the FreeBSD SO should create a root >cert and distribute that with FreeBSD. That certificate would at >least have the same trust level as FreeBSD. > >--=20 >Peter Jeremy But what would that CA trust? You'd then find yourself back in the original debate of what is considered trustworthy, which I agree is an issue for the user and not for the distribution. Out of idle curiosity, what does OpenBSD ship with their SSL implementation? richo --=20 richo || Today's excuse:=20 We didn't pay the Internet bill and it's been cut off. --bg08WKrSYDhXBjb5 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJNmk7KAAoJEIKiWz6J5yQV61cH/1Kq/xqDAiC7Zo8T7hqLA/qh awy64wKbBadSmgETrss55WJZb0QdIcFnza4Cplej3yBQXPWTayP0McPrajOYGajc OS7iLTy/MxR6kNmBf/aqFcPiZo6eF1pfigIvKlrEc+o9gHWPTQw3fQ1j8pf6T0HS dVQf0Uw0+/IIUhy/JiI6qTaXTTFRxuXJi9C0PW4siICQp6gO8Q8Ep+Nb1u1BQdvw 0c4cYW7sZwRVM1+keCFTdWxzN5VA38wS2H2/NVYgsdIRqhiFUCM3GYWch1tkdg/T kUoQZbkuypSRoqsww/YvFBTKhlhpgbnjD+EAyk1k2IDVrcAyRcdVb0FIhHweKpU= =smOp -----END PGP SIGNATURE----- --bg08WKrSYDhXBjb5-- From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 01:58:55 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AEB5C106564A for ; Tue, 5 Apr 2011 01:58:55 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (wollman-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:ccb::2]) by mx1.freebsd.org (Postfix) with ESMTP id 60BA08FC0A for ; Tue, 5 Apr 2011 01:58:55 +0000 (UTC) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.4/8.14.4) with ESMTP id p351wsoG057514; Mon, 4 Apr 2011 21:58:54 -0400 (EDT) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.4/8.14.4/Submit) id p351wsix057511; Mon, 4 Apr 2011 21:58:54 -0400 (EDT) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <19866.30558.24345.112771@hergotha.csail.mit.edu> Date: Mon, 4 Apr 2011 21:58:54 -0400 From: Garrett Wollman To: richo In-Reply-To: <20110404230546.GA25778@richh-desktop.boxdice.com.au> References: <1301729856.5812.12.camel@w500.local> <20110404205705.GA52172@server.vk2pj.dyndns.org> <20110404230546.GA25778@richh-desktop.boxdice.com.au> X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6 (hergotha.csail.mit.edu [127.0.0.1]); Mon, 04 Apr 2011 21:58:54 -0400 (EDT) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on hergotha.csail.mit.edu X-Mailman-Approved-At: Tue, 05 Apr 2011 02:39:27 +0000 Cc: freebsd-security@freebsd.org Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Apr 2011 01:58:55 -0000 < said: > On 05/04/11 06:57 +1000, Peter Jeremy wrote: >> It has occurred to me that maybe the FreeBSD SO should create a root >> cert and distribute that with FreeBSD. That certificate would at >> least have the same trust level as FreeBSD. >> >> -- >> Peter Jeremy > But what would that CA trust? The certificates he also generates for services like freebsd-update and portsnap. And probably also a certificate for use in email to the security-officer role, so that those benighted people who only have access to S/MIME email can still send him private messages. Ideally it would also be used to sign the CHECKSUMS files on the FTP site, so that the installer could check whether it was talking to an authentic mirror site and ask the user what to do. -GAWollman From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 06:50:03 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D4F46106566C for ; Tue, 5 Apr 2011 06:50:03 +0000 (UTC) (envelope-from Dan.VanPelt@wwu.edu) Received: from Exch2010Edge-2.cms.wwu.edu (exch2010edge-2.cms.wwu.edu [140.160.248.53]) by mx1.freebsd.org (Postfix) with ESMTP id 9E2F38FC08 for ; Tue, 5 Apr 2011 06:50:03 +0000 (UTC) Received: from EXCH2010HT-2.univ.dir.wwu.edu (140.160.248.91) by Exch2010Edge-2.cms.wwu.edu (140.160.248.53) with Microsoft SMTP Server (TLS) id 14.1.270.1; Mon, 4 Apr 2011 23:39:10 -0700 Received: from EXCH2010MB-3.univ.dir.wwu.edu ([140.160.248.56]) by Exch2010HT-2.univ.dir.wwu.edu ([140.160.248.91]) with mapi id 14.01.0270.001; Mon, 4 Apr 2011 23:37:31 -0700 From: Dan Van Pelt To: Garrett Wollman Thread-Topic: SSL is broken on FreeBSD Thread-Index: AQHL8H2AHgxhZDBfkUu9WF170P0l0pRKpgkAgAQECYCAACP1gIAAMF8A///Yfhg= Date: Tue, 5 Apr 2011 06:39:18 +0000 Message-ID: References: <1301729856.5812.12.camel@w500.local> <20110404205705.GA52172@server.vk2pj.dyndns.org> <20110404230546.GA25778@richh-desktop.boxdice.com.au>, <19866.30558.24345.112771@hergotha.csail.mit.edu> In-Reply-To: <19866.30558.24345.112771@hergotha.csail.mit.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailman-Approved-At: Tue, 05 Apr 2011 12:50:14 +0000 Cc: richo , "freebsd-security@freebsd.org" Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Apr 2011 06:50:03 -0000 On Apr 4, 2011, at 7:39 PM, "Garrett Wollman" wrot= e: > < said: >=20 >> On 05/04/11 06:57 +1000, Peter Jeremy wrote: >>> It has occurred to me that maybe the FreeBSD SO should create a root >>> cert and distribute that with FreeBSD. That certificate would at >>> least have the same trust level as FreeBSD. >>>=20 >>> --=20 >>> Peter Jeremy >=20 >> But what would that CA trust? >=20 > The certificates he also generates for services like freebsd-update > and portsnap. And probably also a certificate for use in email to the > security-officer role, so that those benighted people who only have > access to S/MIME email can still send him private messages. Ideally > it would also be used to sign the CHECKSUMS files on the FTP site, so > that the installer could check whether it was talking to an authentic > mirror site and ask the user what to do. >=20 Not ideally, but rather critically, should the CHECKSUMS files be signed wi= th some well guarded and official public key. Not to sound paranoid or any= thing... I would welcome having a 'FreeBSD' root certificate ship with the OS but wo= uld leave the other certs to the domain of a port that I install when neede= d. FWIW (and forgive me if this is already the case) it would be nice to h= ave a port equivalent to security/ca_root_nss that would allow the user to = select which certs get installed during configuration. Cheers, Dan van Pelt From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 21:33:57 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 060A8106564A for ; Tue, 5 Apr 2011 21:33:57 +0000 (UTC) (envelope-from lynx.ripe@gmail.com) Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com [209.85.216.175]) by mx1.freebsd.org (Postfix) with ESMTP id B2B1E8FC17 for ; Tue, 5 Apr 2011 21:33:56 +0000 (UTC) Received: by qyk35 with SMTP id 35so2114415qyk.13 for ; Tue, 05 Apr 2011 14:33:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=BNErryo/k8EqGwLWeFf5bct+P1YHUiEzyAVBEPFMEp8=; b=u+PZXLMMaCkz/Wl7MKqgeWvThHaY+7HjiHqivbgK4gFLAMMRBom2gQ5IeXsQbwYSnR BKz4fpGBm7rLU/+wdRi/OKnm/8M67dJHZ+JCcM4fXPecZjjWxLxr7SwktSOLzlPzTCyw FOUVtWP9x1075byWZL3WUUWjhGddsmFFeCdVM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=F/nCstrSX0jGQfKodciAcmFxmsD6g+a0smY+vF0vJoWSpNPeUwopuo5KAglSmYe4BU nAdL6qpXEh1Bu5D7M66RNlJ/TTwUNl84K3/o3zgp/MMmaXwUpydprK+18nhHs9noGs0D D20hoebZMt7PEcLka5zx7ZHlR1rL4HtpedUe4= MIME-Version: 1.0 Received: by 10.229.28.68 with SMTP id l4mr169680qcc.93.1302037910378; Tue, 05 Apr 2011 14:11:50 -0700 (PDT) Received: by 10.229.183.81 with HTTP; Tue, 5 Apr 2011 14:11:50 -0700 (PDT) In-Reply-To: References: Date: Wed, 6 Apr 2011 00:11:50 +0300 Message-ID: From: Dmytro Pryanyshnikov To: =?ISO-8859-1?B?SXN0duFu?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Apr 2011 21:33:57 -0000 Hello! On Fri, Apr 1, 2011 at 5:33 PM, Istv=E1n wrote: > Could somebody explain to me how is it possible to ship an operating syst= em > without testing basic functionality like SSL working? Unfortunately the > problem is still there after installing the following port: > > /usr/ports/security/ca_root_nss > > openssl s_client -connect 72.21.203.148:443 /dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:' Verify return code: 20 (unable to get local issuer certificate) dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:' Verify return code: 0 (ok) So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to be used by the ''openssl s_client" command by default (without -CAfile command line argument). Alas, both openssl(1) and s_client(1) lack FILES section so it's unclear whether default value for -CAfile can be specified in some configuration file. Moreover, openssl(1) refers to config(5), but 'man 5 config' tells about the FreeBSD kernel config, not OpenSSL's one. But yes, installing security/ca_root_nss port _and_ specifying '-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your problem. --=20 Sincerely, Dmytro From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 22:48:52 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 35DEF106564A for ; Tue, 5 Apr 2011 22:48:52 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm2.ctc.com (pm2.ctc.com [147.160.99.125]) by mx1.freebsd.org (Postfix) with ESMTP id ED5DC8FC13 for ; Tue, 5 Apr 2011 22:48:51 +0000 (UTC) Received: from server3a.ctc.com (server3a.ctc.com [10.160.17.12]) by pm2.ctc.com (8.13.1/8.13.1) with ESMTP id p35MU0EC019770 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 5 Apr 2011 18:30:00 -0400 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.13.1/8.13.1) with ESMTP id p35MUC1r014563; Tue, 5 Apr 2011 18:30:12 -0400 Received: (from cameron@localhost) by linux116.ctc.com (8.13.8/8.13.8/Submit) id p35MUCGN030031; Tue, 5 Apr 2011 18:30:12 -0400 X-Authentication-Warning: linux116.ctc.com: cameron set sender to cameron@ctc.com using -f From: "Frank J. Cameron" To: Dmytro Pryanyshnikov In-Reply-To: References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Organization: Concurrent Technologies Corp. Date: Tue, 05 Apr 2011 18:30:12 -0400 Message-Id: <1302042612.3271.100.camel@linux116.ctc.com> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 (2.12.3-19.el5) Cc: =?ISO-8859-1?Q?Istv=E1n?= , freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Apr 2011 22:48:52 -0000 On Tue, 2011-04-05 at 17:11 -0400, Dmytro Pryanyshnikov wrote: > Actually, as I can see, just installing the ca_root_nss > port (even with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem") > isn't enough for feeding installed .crt file to 'openssl s_client' > command: > > dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null < > /dev/null |egrep '^[[:space:]]*Verify return code:' > Verify return code: 20 (unable to get local issuer certificate) > > dmitry@lynx$ openssl s_client -CAfile > /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 > 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:' > Verify return code: 0 (ok) > > So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to > be used by the ''openssl s_client" command by default (without -CAfile > command line argument). http://curl.haxx.se/mail/archive-2003-07/0036.html Unfortunately, the information about this is not in the current OpenSSL documentation. You have to read the source code or see discussion about it in the openssl-dev mailing list. There is a reference to the X509_get_default_cert_file and X509_get_default_cert_file_env in the obsolete ssleay.txt file in the OpenSSL document directory, but that is about it. The only references that I know to the SSL_CERT_FILE and SSL_CERT_DIR environment variables (other than in the source code itself) are in the old "SSLeay and SSLapps FAQ" which is not distributed with OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/"). See some correspondence about these defaults in the openssl-dev mailing list in a thread started by me in December 2002 (with a fix for the code by Richard Levitte and Rich Salz): "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520" The default name for the ca cert bundle is defined in crypto/cryptlib.h, as are the environment variables SSL_CERT_FILE and SSL_CERT_DIR. http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h #define X509_CERT_FILE OPENSSLDIR "/cert.pem" http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile OPENSSLDIR=/usr/local/ssl So, should the port be linking?: /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt ------------------------------------------------------------ This message and any files transmitted within are intended solely for the addressee or its representative and may contain company sensitive information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 00:00:03 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C527F106564A for ; Wed, 6 Apr 2011 00:00:03 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.kolej.mff.cuni.cz (smtp1.kolej.mff.cuni.cz [IPv6:2001:718:1e03:a01::a]) by mx1.freebsd.org (Postfix) with ESMTP id 4A30C8FC08 for ; Wed, 6 Apr 2011 00:00:03 +0000 (UTC) X-Envelope-From: dan@obluda.cz Received: from kgw.obluda.cz (kgw.obluda.cz [193.179.199.50]) by smtp1.kolej.mff.cuni.cz (8.14.4/8.14.4) with ESMTP id p35NxpUl039725; Wed, 6 Apr 2011 01:59:52 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <4D9BACF6.4060205@obluda.cz> Date: Wed, 06 Apr 2011 01:59:50 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.18) Gecko/20110329 SeaMonkey/2.0.13 MIME-Version: 1.0 To: "Frank J. Cameron" References: <1302042612.3271.100.camel@linux116.ctc.com> In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 00:00:03 -0000 On 04/06/11 00:30, Frank J. Cameron: > The default name for the ca cert bundle is defined in > crypto/cryptlib.h, as are the environment variables > SSL_CERT_FILE and SSL_CERT_DIR. May be. But as far as I know those variables doesn't affect the s_client application. > So, should the port be linking?: > /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt Even in the case I'm not true and there IS "implicit -CApath" then my answer to your question is "No". 1. Installation of ca-root-nss.crt doesn't mean it's installed for use with openssl. So we should not affect the openssl behavior automatically. 2. Such link will affect all users of system. Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default. Installation of ca-root-nss should not hit all users of system automatically. Dan From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 01:01:33 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 239251065677 for ; Wed, 6 Apr 2011 01:01:33 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.kolej.mff.cuni.cz (smtp1.kolej.mff.cuni.cz [IPv6:2001:718:1e03:a01::a]) by mx1.freebsd.org (Postfix) with ESMTP id AB8418FC1D for ; Wed, 6 Apr 2011 01:01:32 +0000 (UTC) X-Envelope-From: dan@obluda.cz Received: from [127.0.0.1] (kgw.obluda.cz [193.179.199.50]) by smtp1.kolej.mff.cuni.cz (8.14.4/8.14.4) with ESMTP id p3611Tng041443; Wed, 6 Apr 2011 03:01:31 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <4D9BBB6A.9020200@obluda.cz> Date: Wed, 06 Apr 2011 03:01:30 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.18) Gecko/20110320 SeaMonkey/2.0.13 MIME-Version: 1.0 To: Chuck Swiger References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> In-Reply-To: <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: avast! (VPS 110405-1, 05.04.2011), Outbound message X-Antivirus-Status: Clean Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 01:01:33 -0000 On 6.4.2011 2:15, Chuck Swiger: >> 2. Such link will affect all users of system. Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default > There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for it's intended role. I has been network administrator in bank. Be sure that "instalation of a data pack" is very different task that "change security related behavior of program that may/will affect all users". In the environment you mentioned, e.g. company taking security questions seriously, the skilled administrator (and/or security officer) will evaluate the situation and will create the link that affect all users, if apropriate. It will not be interested in blind "automagic" change. As I said before. Instalation of CA bundle SHOULD NOT affect all users automatically. The "pkg_add" don't know who install such pack nor why such pack is installed for so it can't decide the answer. Just my $0.02 Dan From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 01:15:57 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8BF2B106564A for ; Wed, 6 Apr 2011 01:15:57 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from asmtpout027.mac.com (asmtpout027.mac.com [17.148.16.102]) by mx1.freebsd.org (Postfix) with ESMTP id 741558FC13 for ; Wed, 6 Apr 2011 01:15:57 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; CHARSET=US-ASCII Received: from cswiger1.apple.com ([17.209.4.71]) by asmtp027.mac.com (Oracle Communications Messaging Exchange Server 7u4-18.01 64bit (built Jul 15 2010)) with ESMTPSA id <0LJ7007ELFDQRW30@asmtp027.mac.com> for freebsd-security@freebsd.org; Tue, 05 Apr 2011 17:15:27 -0700 (PDT) X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.2.15,1.0.148,0.0.0000 definitions=2011-04-05_10:2011-04-05, 2011-04-05, 1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=6.0.2-1012030000 definitions=main-1104050193 From: Chuck Swiger In-reply-to: <4D9BACF6.4060205@obluda.cz> Date: Tue, 05 Apr 2011 17:15:26 -0700 Message-id: <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> To: Dan Lukes X-Mailer: Apple Mail (2.1084) Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 01:15:57 -0000 On Apr 5, 2011, at 4:59 PM, Dan Lukes wrote: > 2. Such link will affect all users of system. Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default. Installation of ca-root-nss should not hit all users of system automatically. Well, that depends on who owns and manages the machine in question, and what it is being used for. There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for it's intended role. Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 05:45:45 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8151B106566B for ; Wed, 6 Apr 2011 05:45:45 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 3156E8FC0A for ; Wed, 6 Apr 2011 05:45:45 +0000 (UTC) Received: by iyj12 with SMTP id 12so1321035iyj.13 for ; Tue, 05 Apr 2011 22:45:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:date:from:to:cc:subject:message-id :references:mime-version:content-type:content-disposition :in-reply-to:x-openpgp-key-id:x-openpgp-key-fingerprint :x-openpgp-key-url; bh=sJWr2VNwXmR0Xc9MvuDqXceKumVWM31ZNua0MIwJjzE=; b=J2dUoW+0sVFl3wDz55+MiEkjzNp2fLOtBz4eewWTnS+Hnr+YmWkcBDsBV4PFw8IvvQ TASmdPotM0hPJ7koe88KlaA1XarBNhnTrKhVAX22KDI93K5lj+x1eFey7Q+4FkzRzOKi DUqyIPFcmnrHexA26W809bXnlOimhq04gEM6w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:x-openpgp-key-id :x-openpgp-key-fingerprint:x-openpgp-key-url; b=ngM9+YWoQ0ottOak1k/cWJaC59PHP4mowWN9zssrU7EJXfmSdNF5v3q0awyWQbxVC6 KkmQBjK2Tf+JoeM2Eo0a3AyLkhwYSyCiWWba7ktoR1Q8HYhlFsilwmPY2cP91oh/vavf cK+wKeCYHfZmO1eDqi4vB2rSn13DIrSn8Zyp0= Received: by 10.231.10.139 with SMTP id p11mr520129ibp.194.1302068744480; Tue, 05 Apr 2011 22:45:44 -0700 (PDT) Received: from DataIX.net (adsl-99-190-87-163.dsl.klmzmi.sbcglobal.net [99.190.87.163]) by mx.google.com with ESMTPS id d9sm176078ibb.53.2011.04.05.22.45.42 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 05 Apr 2011 22:45:42 -0700 (PDT) Sender: "J. Hellenthal" Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.4/8.14.4) with ESMTP id p365jdWr004950 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Apr 2011 01:45:40 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.4/8.14.4/Submit) id p365jcNs004949; Wed, 6 Apr 2011 01:45:38 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Wed, 6 Apr 2011 01:45:37 -0400 From: jhell To: Dan Lukes Message-ID: <20110406054537.GA2332@DataIX.net> References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> <4D9BBB6A.9020200@obluda.cz> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="/9DWx/yDrRhgMJTb" Content-Disposition: inline In-Reply-To: <4D9BBB6A.9020200@obluda.cz> X-OpenPGP-Key-Id: 0x89D8547E X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E X-OpenPGP-Key-URL: http://bit.ly/0x89D8547E Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 05:45:45 -0000 --/9DWx/yDrRhgMJTb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 06, 2011 at 03:01:30AM +0200, Dan Lukes wrote: > On 6.4.2011 2:15, Chuck Swiger: > >>2. Such link will affect all users of system. Decision "what CA is trus= tful" should remain personal decision, not the system administrator decisio= n, by default > >There are differences between your personal machine, for which you as an= individual are welcome to make all of the decisions, and a managed box whi= ch is owned by a company which might have a specific PKI infrastructure whi= ch is needed for the machine to be usable for it's intended role. >=20 > I has been network administrator in bank. Be sure that "instalation > of a data pack" is very different task that "change security related > behavior of program that may/will affect all users". >=20 > In the environment you mentioned, e.g. company taking security > questions seriously, the skilled administrator (and/or security > officer) will evaluate the situation and will create the link that > affect all users, if apropriate. >=20 > It will not be interested in blind "automagic" change. >=20 > As I said before. Instalation of CA bundle SHOULD NOT affect all > users automatically. The "pkg_add" don't know who install such pack > nor why such pack is installed for so it can't decide the answer. >=20 This is a lost cause, Just to add another .02 bringing the total to somewhere in the 100's. If you truss the command above before and after creating so said links in /usr/local/etc/ssl and in /etc/ssl youll see that there is no default CAfile or CApath searched for. s_client(1) The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers [...] Maybe there should be an emphasis on ``diagnostic'' Security is not something that should compromised by a default configuration but something that should be taught by example for the end-user if they so require it. So with that in mind it might not be such a bad idea to add a "SSL The FreeBSD way." chapter to the handbook that would assist in a security researchers final decision to implement the correct changes they are looking for. Food for thought. --=20 Regards, J. Hellenthal JJH48-ARIN 0x89D8547E --/9DWx/yDrRhgMJTb Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJNm/4BAAoJEJBXh4mJ2FR+DCgH/1p3y3kXZYjEhaQqMIOZuQ/k Kgx4xk9lmAxOPOYjagSo//tW+QGG1AIwy0e5rRheuT9vKXTlqAXaX1fBnG3YvjgP rsqNIvIHjPOmKz2+oTZIOCJ4tGa8Wf/L4Gpyr5PIyObrhfkxxEF1yBNboZmxYbGu xKrm9SzW3RQJY7tKDLTW3hCudSdJ7huyx17SA4DyxUmCeUIJ0jiBLXuFPsa4F4Y6 mRN00GL2jqspOHnEBXZ2gRT6rlBtR+x6DsfMXg5iW91alxtGMX3xD6feTvaCILKH zlZradZa5QxdYolmnUEzRvDOjFyVKHUTawBBp0OGzuhxjlfiAkTLAT9dsX/7SS4= =zKhM -----END PGP SIGNATURE----- --/9DWx/yDrRhgMJTb-- From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 13:25:21 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B28FF106564A for ; Wed, 6 Apr 2011 13:25:21 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm2.ctc.com (pm2.ctc.com [147.160.99.125]) by mx1.freebsd.org (Postfix) with ESMTP id 78B608FC18 for ; Wed, 6 Apr 2011 13:25:21 +0000 (UTC) Received: from server3a.ctc.com (server3a.ctc.com [10.160.17.12]) by pm2.ctc.com (8.13.1/8.13.1) with ESMTP id p36DP7fQ003126 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Apr 2011 09:25:07 -0400 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.13.1/8.13.1) with ESMTP id p36DPJ6O016045; Wed, 6 Apr 2011 09:25:19 -0400 Received: (from cameron@localhost) by linux116.ctc.com (8.13.8/8.13.8/Submit) id p36DPIa5007344; Wed, 6 Apr 2011 09:25:18 -0400 X-Authentication-Warning: linux116.ctc.com: cameron set sender to cameron@ctc.com using -f From: "Frank J. Cameron" To: Dan Lukes In-Reply-To: <4D9BACF6.4060205@obluda.cz> References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Organization: Concurrent Technologies Corp. Date: Wed, 06 Apr 2011 09:25:18 -0400 Message-Id: <1302096318.3271.114.camel@linux116.ctc.com> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 (2.12.3-19.el5) Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 13:25:21 -0000 On Tue, 2011-04-05 at 19:59 -0400, Dan Lukes wrote: > > So, should the port be linking?: > > /usr/local/ssl/cert.pem > -> /usr/local/share/certs/ca-root-nss.crt > > Even in the case I'm not true and there IS "implicit -CApath" then my > answer to your question is "No". > > 1. Installation of ca-root-nss.crt doesn't mean it's installed for > use > with openssl. So we should not affect the openssl behavior > automatically. It was my assumption that the port build was offering to create the link (Dmytro Pryanyshnikov: 'ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem"') and I assume that the default would be no (though that would be up to the port maintainer I suppose). ------------------------------------------------------------ This message and any files transmitted within are intended solely for the addressee or its representative and may contain company sensitive information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 13:33:34 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2B808106564A for ; Wed, 6 Apr 2011 13:33:34 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm2.ctc.com (pm2.ctc.com [147.160.99.125]) by mx1.freebsd.org (Postfix) with ESMTP id E41EF8FC0C for ; Wed, 6 Apr 2011 13:33:33 +0000 (UTC) Received: from server3a.ctc.com (server3a.ctc.com [10.160.17.12]) by pm2.ctc.com (8.13.1/8.13.1) with ESMTP id p36DXEXI003746 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Apr 2011 09:33:14 -0400 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.13.1/8.13.1) with ESMTP id p36DXQ0L017107; Wed, 6 Apr 2011 09:33:26 -0400 Received: (from cameron@localhost) by linux116.ctc.com (8.13.8/8.13.8/Submit) id p36DXQhg007587; Wed, 6 Apr 2011 09:33:26 -0400 X-Authentication-Warning: linux116.ctc.com: cameron set sender to cameron@ctc.com using -f From: "Frank J. Cameron" To: jhell In-Reply-To: <20110406054537.GA2332@DataIX.net> References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> <4D9BBB6A.9020200@obluda.cz> <20110406054537.GA2332@DataIX.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Organization: Concurrent Technologies Corp. Date: Wed, 06 Apr 2011 09:33:26 -0400 Message-Id: <1302096806.3271.122.camel@linux116.ctc.com> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 (2.12.3-19.el5) Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 13:33:34 -0000 On Wed, 2011-04-06 at 01:45 -0400, jhell wrote: > If you truss the command above before and after creating so said links > in /usr/local/etc/ssl and in /etc/ssl youll see that there is no > default > CAfile or CApath searched for. Interesting, thanks. I don't have a FreeBSD box around at present so my guess was just from starting with s_client.c and reading through to the Makefile. > s_client(1) > The s_client command implements a generic SSL/TLS client which > connects to a remote host using SSL/TLS. It is a very useful > diagnostic tool for SSL servers > [...] > Maybe there should be an emphasis on ``diagnostic'' Agreed. From openssl(1): "s_client ... It's intended for testing purposes only..." ------------------------------------------------------------ This message and any files transmitted within are intended solely for the addressee or its representative and may contain company sensitive information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 14:48:39 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8B4F91065672 for ; Wed, 6 Apr 2011 14:48:39 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm2.ctc.com (pm2.ctc.com [147.160.99.125]) by mx1.freebsd.org (Postfix) with ESMTP id 4F94D8FC12 for ; Wed, 6 Apr 2011 14:48:38 +0000 (UTC) Received: from server3a.ctc.com (server3a.ctc.com [10.160.17.12]) by pm2.ctc.com (8.13.1/8.13.1) with ESMTP id p36EmPWt009579 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Apr 2011 10:48:25 -0400 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.13.1/8.13.1) with ESMTP id p36EmbZK027346; Wed, 6 Apr 2011 10:48:37 -0400 Received: (from cameron@localhost) by linux116.ctc.com (8.13.8/8.13.8/Submit) id p36Emb2h008722; Wed, 6 Apr 2011 10:48:37 -0400 X-Authentication-Warning: linux116.ctc.com: cameron set sender to cameron@ctc.com using -f From: "Frank J. Cameron" To: Scot Hetzel In-Reply-To: References: <1302042612.3271.100.camel@linux116.ctc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Organization: Concurrent Technologies Corp. Date: Wed, 06 Apr 2011 10:48:37 -0400 Message-Id: <1302101317.3271.146.camel@linux116.ctc.com> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 (2.12.3-19.el5) Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 14:48:39 -0000 On Wed, 2011-04-06 at 10:43 -0400, Scot Hetzel wrote: > > http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile > > OPENSSLDIR=/usr/local/ssl > > > FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL > as part of a buildworld, instead we use our own custom Makefiles in > secure/lib/libcrypto. The only place where OPENSSLDIR is defined is > in secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h > > http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-amd64.h?revision=194207&view=markup > > #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names > instead */ > #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) > #define ENGINESDIR "/usr/lib/engines" > #define OPENSSLDIR "/etc/ssl" > #endif > #endif Cool, thanks; I thought I might have been looking in the wrong place. ------------------------------------------------------------ This message and any files transmitted within are intended solely for the addressee or its representative and may contain company sensitive information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:08:14 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 120141065672 for ; Wed, 6 Apr 2011 15:08:14 +0000 (UTC) (envelope-from swhetzel@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 903268FC12 for ; Wed, 6 Apr 2011 15:08:13 +0000 (UTC) Received: by bwz12 with SMTP id 12so1526019bwz.13 for ; Wed, 06 Apr 2011 08:08:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=iAptRqGzigoMF21ZT4iTaPT6mr2DATEkHXPGh3ktL0Q=; b=diwQbfZ/NG8wY0ZaJP0YKk2S8I6cJ0Hcd6U00c/CucoiMZ4StnenTaLweW8GlWpxr2 9aBqhcp6sQjwT6inSEXfiq2Mcdd1dtW0Zb6YaHOkONWDUzTc8xAln5w4DkwYz9yT93lJ o8X3IaOcDM6bPm3wQe4TcTZ8IGvHrUYL5+Zps= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=rhS3AdP9Yy7DUPCJFs4h29bdhLI774t8G0vZsz/m2MFSEddG8k2e405gwE2uaJzPn1 RtXhrF2XJ8ZWWe7a7sE5poI1eN7fh3k3NC1JyZjCWjGY7P7XyXVxYjiRFJm4kqNy5Fsl wITq55WR9VMF2GcOCYPGWb9V3mtOET0UB8+CE= MIME-Version: 1.0 Received: by 10.204.10.21 with SMTP id n21mr977701bkn.77.1302101013567; Wed, 06 Apr 2011 07:43:33 -0700 (PDT) Received: by 10.204.99.148 with HTTP; Wed, 6 Apr 2011 07:43:33 -0700 (PDT) In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com> References: <1302042612.3271.100.camel@linux116.ctc.com> Date: Wed, 6 Apr 2011 09:43:33 -0500 Message-ID: From: Scot Hetzel To: "Frank J. Cameron" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security , Dmytro Pryanyshnikov , =?ISO-8859-1?B?SXN0duFu?= Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 15:08:14 -0000 On Tue, Apr 5, 2011 at 5:30 PM, Frank J. Cameron wrote: >> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to >> be used by the ''openssl s_client" command by default (without -CAfile >> command line argument). > > http://curl.haxx.se/mail/archive-2003-07/0036.html > =A0 =A0 =A0 =A0Unfortunately, the information about this is not in the cu= rrent > =A0 =A0 =A0 =A0OpenSSL documentation. You have to read the source code or > =A0 =A0 =A0 =A0see discussion about it in the openssl-dev mailing list. > =A0 =A0 =A0 =A0There is a reference to the X509_get_default_cert_file and > =A0 =A0 =A0 =A0X509_get_default_cert_file_env in the obsolete ssleay.txt = file > =A0 =A0 =A0 =A0in > =A0 =A0 =A0 =A0the OpenSSL document directory, but that is about it. The = only > =A0 =A0 =A0 =A0references that I know to the SSL_CERT_FILE and SSL_CERT_D= IR > =A0 =A0 =A0 =A0environment variables (other than in the source code itsel= f) > =A0 =A0 =A0 =A0are > =A0 =A0 =A0 =A0in the old "SSLeay and SSLapps FAQ" which is not distribut= ed > =A0 =A0 =A0 =A0with > =A0 =A0 =A0 =A0OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypt= o/"). > =A0 =A0 =A0 =A0See some correspondence about these defaults in the openss= l-dev > =A0 =A0 =A0 =A0mailing list in a thread started by me in December 2002 > =A0 =A0 =A0 =A0(with a fix for the code by Richard Levitte and Rich Salz)= : > =A0 =A0 =A0 =A0"http://marc.theaimsgroup.com/?l=3Dopenssl-dev&m=3D1038990= 56011520" > > =A0 =A0 =A0 =A0The default name for the ca cert bundle is defined in > =A0 =A0 =A0 =A0crypto/cryptlib.h, as are the environment variables > =A0 =A0 =A0 =A0SSL_CERT_FILE and SSL_CERT_DIR. > > http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptli= b.h > =A0 =A0 =A0 =A0#define X509_CERT_FILE =A0 =A0 =A0 =A0 =A0OPENSSLDIR "/cer= t.pem" > > http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile > =A0 =A0 =A0 =A0OPENSSLDIR=3D/usr/local/ssl > FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL as part of a buildworld, instead we use our own custom Makefiles in secure/lib/libcrypto. The only place where OPENSSLDIR is defined is in secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-am= d64.h?revision=3D194207&view=3Dmarkup #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) #define ENGINESDIR "/usr/lib/engines" #define OPENSSLDIR "/etc/ssl" #endif #endif > So, should the port be linking?: > /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt > The port is creating the correct link for the base install of openssl. Scotr