From: "David E. Thiel" <lx@redundancy.redundancy.org>
To: freebsd-security@freebsd.org
Date: Mon, 4 Apr 2011 12:36:09 -0659
Message-ID: <20110404193545.GN18694@redundancy.redundancy.org>

On Fri, Apr 01, 2011 at 03:32:51PM +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right,
> it is like shipping a car without wheels, I suppose.

While I agree somewhat with your sentiment, SSL is not necessarily broken without CA certificates, as it's completely possible to do TOFU verification a la SSH.

However, I think it's an appropriate time to mention again that there is at least one place in base that does indeed have broken SSL support, namely libfetch. To do SSL properly, you can do CA certificate verification or you can do TOFU, but libfetch still accepts any certificate it encounters, without user warning.
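The TOFU alternative the message contrasts with libfetch's accept-anything behaviour, as an added example that is not code from the FreeBSD base system, libfetch or the poster: a client that pins the SHA-256 fingerprint of the first certificate a host presents and refuses a later connection whose certificate differs. The in-memory store, the hostname and the byte strings standing in for DER certificates are constructed for illustration.

```python
"""Trust-on-first-use (TOFU) certificate checking in the style of SSH known_hosts.

Added example, not code from FreeBSD or libfetch. The store is a plain dict
(a real client would persist it, as ssh does with ~/.ssh/known_hosts).
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as hex, like an SSH host key hash."""
    return hashlib.sha256(der_cert).hexdigest()


def tofu_check(known: dict, host: str, der_cert: bytes) -> str:
    """Compare the presented certificate with the fingerprint pinned for `host`.

    Returns "first-use" (fingerprint pinned now) or "match"; raises on a
    mismatch. This comparison is exactly the step an accept-anything client
    skips, so a changed certificate would go unnoticed there.
    """
    fp = fingerprint(der_cert)
    pinned = known.get(host)
    if pinned is None:
        known[host] = fp  # first contact: remember it, as ssh does
        return "first-use"
    if pinned == fp:
        return "match"
    raise ssl.SSLError(
        f"certificate for {host} changed: pinned {pinned[:16]}..., got {fp[:16]}..."
    )


def fetch_head_tofu(host: str, port: int, known: dict) -> str:
    """Open a TLS connection, verify the peer by TOFU, return the HTTP status line."""
    # No CA store is consulted: CERT_NONE disables chain validation, so the
    # tofu_check() below is the only check standing between us and any certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tofu_check(known, host, tls.getpeercert(binary_form=True))
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096).decode(errors="replace").split("\r\n")[0]
```

Only `fetch_head_tofu()` touches the network; `tofu_check()` can be exercised offline with any byte strings standing in for certificates.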