From: Mark Felder
To: Robert Simmons, Greg Lewis
Cc: ports-secteam@freebsd.org, freebsd-security@freebsd.org, java@freebsd.org, Greg Lewis, Jung-uk Kim
Subject: Re: java/openjdk8 and jre
Date: Tue, 15 Dec 2015 16:07:57 -0600
Message-Id: <1450217277.41607.468482353.39090600@webmail.messagingengine.com>

On Sat, Dec 12, 2015, at 13:33, Robert Simmons wrote:
> Hi,
>
> It looks like there is a holdup to pushing out u66. In the mean time, can
> someone mark u60 vulnerable, please?

u66 is out, doesn't appear it was MFH to quarterly though? I have created a vuxml entry. Do the other openjdks need to be listed as affected as well?
https://svnweb.freebsd.org/ports?view=revision&revision=403819

-- 
Mark Felder
feld@feld.me


From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:27.bind
Reply-To: freebsd-security@freebsd.org
Date: Wed, 16 Dec 2015 06:36:20 +0000 (UTC)
Message-Id: <20151216063620.B23CF12E5@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-15:27.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-12-16
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2015-12-16 06:10:05 UTC (stable/9, 9.3-STABLE)
                2015-12-16 06:21:26 UTC (releng/9.3, 9.3-RELEASE-p32)
CVE Name:       CVE-2015-8000

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. The libdns library is a library of DNS protocol support functions.

II.  Problem Description

An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached.

III. Impact

An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r292320
releng/9.3/                                                       r292321
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
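A host-side check for the two conditions the advisory states (a 9.x userland below 9.3-RELEASE-p32, and named(8) actually running), added here as an example that is not part of the advisory; it assumes freebsd-version(1) is present and that `freebsd-version -u` prints the installed userland version such as 9.3-RELEASE-p31.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether a host still needs
# the SA-15:27 fix. Two statements from the advisory drive the check:
#   - Affects: FreeBSD 9.x; Corrected: releng/9.3 at 9.3-RELEASE-p32
#   - hosts not running named(8) are not vulnerable
# Assumption: freebsd-version(1) is available and `freebsd-version -u` prints
# the installed userland version, e.g. "9.3-RELEASE-p31".

CORRECTED_RELEASE="9.3"
CORRECTED_PATCH=32

# "9.3-RELEASE-p31" -> "9.3"
release_of() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\)-.*/\1/p'
}

# "9.3-RELEASE-p31" -> 31 ; a plain "9.3-RELEASE" has patch level 0
patch_of() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*-RELEASE-p\([0-9][0-9]*\)$/\1/p')
    printf '%s\n' "${p:-0}"
}

# True for release / security-branch versions, false for e.g. "9.3-STABLE"
is_release() {
    case "$1" in
        *-RELEASE|*-RELEASE-p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 = fixed (9.3-RELEASE-p32 or later, or not 9.x at all),
# 1 = affected, 2 = undecidable from the version string (stable/9 builds
# carry no patch level; their build date must be compared with the
# correction date instead).
userland_status() {
    v=$1
    rel=$(release_of "$v")
    [ -n "$rel" ] || return 2
    case "$rel" in
        9.*) ;;            # only 9.x is in the advisory's Affects line
        *) return 0 ;;
    esac
    is_release "$v" || return 2
    # 9.0 to 9.2 are 9.x branches for which the advisory lists no correction
    [ "$rel" = "$CORRECTED_RELEASE" ] || return 1
    [ "$(patch_of "$v")" -ge "$CORRECTED_PATCH" ] && return 0
    return 1
}

# 0 when a named process exists, 1 otherwise
named_running() {
    pgrep -x named >/dev/null 2>&1
}

# Human-readable verdict; $1 overrides the version string for dry runs.
report() {
    v=${1:-$(freebsd-version -u 2>/dev/null)}
    if ! named_running; then
        echo "$v: named(8) is not running, host is not vulnerable to SA-15:27"
        return 0
    fi
    rc=0
    userland_status "$v" || rc=$?
    case "$rc" in
        0) echo "$v: patched for SA-15:27 (restart named after the update)" ;;
        1) echo "$v: AFFECTED by SA-15:27, update to 9.3-RELEASE-p32 or later and restart named" ;;
        2) echo "$v: stable branch, compare the build date with 2015-12-16 06:10:05 UTC" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    report "$2"
fi
```

Run it as `sh check-sa1527.sh --run` on the host, or pass a version string as the second argument to dry-run the classification.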
From: rhi
To: freebsd-security@freebsd.org
Subject: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Fri, 18 Dec 2015 11:41:35 +0000 (UTC)

Hello,

I have a FreeBSD 10.1 installation with security/ca_root_nss installed (with ETCSYMLINK). /etc/make.conf contains WITH_OPENSSL_BASE="YES", the port (security/openssl) is not installed. /etc/ssl/cert.pem points to /usr/local/share/certs/ca-root-nss.crt, which contains the CA certificates as expected.

When I do

openssl s_client -showcerts -host my.server -port 443

I get "Verify return code: 20 (unable to get local issuer certificate)", i.e. the certificate can't be verified. The same command with -CAfile

openssl s_client -CAfile /etc/ssl/cert.pem -showcerts -host my.server -port 443

works ("Verify return code: 0 (ok)").

Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I get OpenSSL to use it by default?

The problem is that net-im/ejabberd uses the default OpenSSL verification (when certificate verification is activated), and as far as I know, there's no possibility to specify an extra CAfile. This means that I can't use certificate validation with XMPP, which is not good...

Do you have an idea?
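A diagnostic that makes the base-versus-ports difference visible instead of guessed: for each openssl binary it reports the compiled-in OPENSSLDIR, the CA file and directory libcrypto will consult once the SSL_CERT_FILE / SSL_CERT_DIR overrides are applied, and whether anything usable exists there; added here as an example, not code from rhi's or Matthew's posts. It assumes `openssl version -d` prints OPENSSLDIR: "<dir>" and that /usr/bin/openssl and /usr/local/bin/openssl are the base and ports binaries.

```shell
#!/bin/sh
# Added example, not code from the thread: show which CA store an openssl
# binary consults by default. libcrypto's defaults are $OPENSSLDIR/cert.pem
# (CA file) and $OPENSSLDIR/certs (CA directory); the environment variables
# SSL_CERT_FILE and SSL_CERT_DIR override them. A binary that finds neither
# reports "Verify return code: 20 (unable to get local issuer certificate)"
# for a chain issued by a public CA, which is the symptom in the thread.
# Assumptions: `openssl version -d` prints OPENSSLDIR: "<dir>" (OpenSSL 1.0.x
# and later); /usr/bin/openssl and /usr/local/bin/openssl are the base and
# ports binaries.

# Pure helper: 'OPENSSLDIR: "/etc/ssl"' -> /etc/ssl ; status 1 if unparseable
openssldir_from_version_d() {
    dir=$(printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Effective CA file / dir with the precedence libcrypto applies:
# environment override first, compiled-in default second.
# $1 = OPENSSLDIR, $2 = SSL_CERT_FILE value ("" if unset)
effective_cafile() {
    if [ -n "$2" ]; then printf '%s\n' "$2"; else printf '%s/cert.pem\n' "$1"; fi
}
# $1 = OPENSSLDIR, $2 = SSL_CERT_DIR value ("" if unset)
effective_capath() {
    if [ -n "$2" ]; then printf '%s\n' "$2"; else printf '%s/certs\n' "$1"; fi
}

# Prints one line per binary: where it looks and whether anything is there.
inspect_openssl() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not installed"
        return 0
    fi
    out=$("$bin" version -d)
    dir=$(openssldir_from_version_d "$out") || {
        echo "$bin: cannot parse '$out'"
        return 1
    }
    cafile=$(effective_cafile "$dir" "${SSL_CERT_FILE:-}")
    capath=$(effective_capath "$dir" "${SSL_CERT_DIR:-}")
    if [ -r "$cafile" ]; then fstate=readable; else fstate=missing; fi
    # a CA directory only helps if it holds hash-named links (<hash>.0 ...)
    if ls "$capath"/*.[0-9] >/dev/null 2>&1; then dstate="has hashed certs"; else dstate="empty or missing"; fi
    echo "$bin: OPENSSLDIR=$dir CAfile=$cafile ($fstate) CApath=$capath ($dstate)"
}

# Live comparison of the two commands from the thread: the verify code with
# the binary's defaults and with an explicit -CAfile. "20 vs 0" reproduces
# rhi's observation; "0 vs 0" means the defaults already reach a usable store.
verify_codes() {
    bin=$1; host=$2; cafile=$3
    def=$(printf 'Q\n' | "$bin" s_client -connect "$host:443" -servername "$host" 2>/dev/null \
          | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p')
    exp=$(printf 'Q\n' | "$bin" s_client -connect "$host:443" -servername "$host" -CAfile "$cafile" 2>/dev/null \
          | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p')
    echo "$bin: default=${def:-none} with -CAfile $cafile=${exp:-none}"
}

if [ "${1:-}" = "--run" ]; then
    for b in /usr/bin/openssl /usr/local/bin/openssl; do
        inspect_openssl "$b"
    done
    # e.g. verify_codes /usr/bin/openssl my.server /etc/ssl/cert.pem
fi
```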
From: Matthew Seaman
To: freebsd-security@freebsd.org
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Fri, 18 Dec 2015 12:25:31 +0000
Message-ID: <5673FB3B.2010201@freebsd.org>

On 12/18/15 11:41, rhi wrote:
> Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I
> get OpenSSL to use it by default?

Is that the ports or the base version of openssl? I can recreate your results with the base openssl, but everything works as expected with the ports version:

:# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com -port 443
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000004)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5119 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002
    Session-ID-ctx:
    Master-Key: 4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B4450FDA6EDD02063A8914A056
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1450441132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to crypto happiness in the ports.
Cheers,

Matthew


From: Dan Lukes
To: freebsd-security
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Fri, 18 Dec 2015 13:56:00 +0100
Message-ID: <56740260.1010308@obluda.cz>
In-Reply-To: <5673FB3B.2010201@freebsd.org>

On 18.12.2015 13:25, Matthew Seaman wrote:
> Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to
> crypto happiness in the ports.

Definitely. But beware of applications using the system Kerberos libraries (they use the system's OpenSSL). If an application imports library A that depends on the system's OpenSSL and library B that depends on the port's OpenSSL, trouble is imminent.
Dan


From: rhi
To: freebsd-security@freebsd.org
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Fri, 18 Dec 2015 15:47:15 +0000 (UTC)
In-Reply-To: <5673FB3B.2010201@freebsd.org>

Matthew Seaman <matthew@freebsd.org> writes:

> Is that the ports or the base version of openssl? I can recreate your
> results with the base openssl, but everything works as expected with the
> ports version:

Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base OpenSSL or do I use it wrongly?

Until now, I have avoided installing the OpenSSL port because the base OpenSSL gets security updates via freebsd-update and so it's one thing less to care about... also, I don't like the idea of having two different versions of the same thing on the system (because some applications might use the one version, others the second one, and then it's quite difficult to find the bugs).

Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL is only used for the system itself?

And thanks for your help! I wouldn't have had the idea that base OpenSSL vs. port OpenSSL could be the cause of the problem.


From: Dag-Erling Smørgrav <des@des.no>
To: rhi
Cc: freebsd-security@freebsd.org
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Fri, 18 Dec 2015 17:29:54 +0100
Message-ID: <864mffhg8t.fsf@desk.des.no>

rhi writes:
> When I do openssl s_client -showcerts -host my.server -port 443, I get
> "Verify return code: 20 (unable to get local issuer certificate)", i.e. the
> certificate can't be verified.

It works on 10.2. I'm not sure at what point it changed.

DES
-- 
Dag-Erling Smørgrav - des@des.no
From: Matthew Seaman
To: freebsd-security@freebsd.org
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Fri, 18 Dec 2015 16:37:30 +0000
Message-ID: <5674364A.7090600@infracaninophile.co.uk>

On 2015/12/18 15:47, rhi wrote:
> Matthew Seaman <matthew@freebsd.org> writes:
>
>> Is that the ports or the base version of openssl? I can recreate your
>> results with the base openssl, but everything works as expected with the
>> ports version:
>
> Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base
> OpenSSL or do I use it wrongly?
>
> Until now, I have avoided installing the OpenSSL port because the base
> OpenSSL gets security updates via freebsd-update and so it's one thing less
> to care about... also, I don't like the idea of having two different
> versions of the same thing on the system (because some applications might
> use the one version, others the second one, and then it's quite difficult
> to find the bugs).
>
> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> is only used for the system itself?
>
> And thanks for your help! I wouldn't have had the idea that base OpenSSL vs.
> port OpenSSL could be the cause of the problem.

The default at the moment is to use the base system openssl, but there's no particular recommendation over choosing that rather than using the ports openssl. There are plans to make many of the base system shlibs private and that includes switching the ports to use openssl from ports, but I don't think any changes along those lines are really imminent.

I don't know if the base system not reading /etc/ssl/cert.pem is by design or not. I can't see any advantage of not reading it though.

While you will get security updates via freebsd-update for stuff in the base, you'll equally get security updates for ports via pkg(8) -- even if you're building your own, you can still get alerts via 'pkg audit' and in fact, you're likely to be more exposed to security problems through ported software than you are through the base system. So updating your ports is at least as important as, and probably more important than, updating the OS.

Cheers,

Matthew
From: Dan Lukes
Date: Fri, 18 Dec 2015 17:55:19 +0100
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

On 18.12.2015 16:47, rhi wrote:
> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> is only used for the system itself?

On 9.x-R (still considered a supported version) the base's OpenSSL is so old for today's SSL server. The best TLS version supported is 1.0, which is considered unacceptably old for some recent SSH clients.
You have almost no choice but the port's OpenSSL (if you wish to provide an SSL server, of course) here.

Dan

From: Roger Marquis
Date: Fri, 18 Dec 2015 14:21:04 -0800 (PST)
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

rhi wrote:
>> Until now, I have avoided installing the OpenSSL port because the base
>> OpenSSL gets security updates via freebsd-update and so it's one thing less
>> to care about... also, I don't like the idea of having two different
>> versions of the same thing on the system

A fair number of sites have this issue, particularly with ssl and ssh binaries. IME this is one of FreeBSD's more longstanding administrative and security weaknesses. It is particularly painful for those of us who have to support a release for several years (after the last base update).
>> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
>> is only used for the system itself?

If you need the most recent ciphers and protocols you'll normally need to use the port. Features are backported from the (higher) port version to the base version, i.e., without bumping the version string; however, it's not clear whether all applications can take advantage of them.

Matthew Seaman wrote:
> There are plans to make many of the base system shlibs private and that
> includes switching the ports to use openssl from ports, but I don't think
> any changes along those lines are really imminent.

Are you sure? 3 months ago DES thought they'd be ready for 11:

> The plan is for 11 to have a fully packaged base system. There should
> be some information in developer summit reports on the wiki. The code
> is in projects/release-pkg.

However I don't see a projects/release-pkg dir in -CURRENT. Any recommendations as to how we might help this particular effort?

Roger

From: rhi
Date: Sat, 19 Dec 2015 08:14:19 +0000 (UTC)
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

Hello,

> It works on 10.2. I'm not sure at what point it changed.

I have upgraded to FreeBSD 10.2 and it seems to work now (with base OpenSSL, i.e. no port)...

Thanks for your help.
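The thread turns on two things an administrator can check on a FreeBSD host rather than guess at: which OpenSSL a given binary is actually linked against (base libraries under /lib and /usr/lib, the port's under /usr/local/lib), and whether the OpenSSL in question finds a CA store in its compiled-in OPENSSLDIR. OpenSSL's built-in defaults are $OPENSSLDIR/cert.pem for the bundle file and $OPENSSLDIR/certs for a hashed directory, overridable with the SSL_CERT_FILE and SSL_CERT_DIR environment variables, and an application only consults those defaults when it asks the library to load its default verify paths. The sh script below is an added example, not code from this list or from FreeBSD; the library paths, the /etc/ssl and /usr/local/openssl OPENSSLDIR values and the ldd(1) output layout it relies on are the usual FreeBSD ones and are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which OpenSSL a
# binary is linked against and whether that OpenSSL's default CA store exists.
# Assumed FreeBSD layout: base libs in /lib and /usr/lib with OPENSSLDIR
# /etc/ssl; the security/openssl port in /usr/local/lib with OPENSSLDIR
# /usr/local/openssl. These paths are assumptions, not facts from the thread.

# Extract the directory from an "openssl version -d" line such as:
#   OPENSSLDIR: "/etc/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*$/\1/p'
}

# Classify a shared-library path as coming from base, ports, or elsewhere.
classify_libdir() {
    case "$1" in
        /lib/*|/usr/lib/*)  echo base ;;
        /usr/local/lib/*)   echo ports ;;
        *)                  echo unknown ;;
    esac
}

# Read ldd(1) output on stdin and print "<lib> <origin>" for the TLS libs.
# ldd lines look like:  libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
linked_ssl_libs() {
    while read -r name arrow path rest; do
        case "$name" in
            libssl.so*|libcrypto.so*)
                printf '%s %s\n' "$name" "$(classify_libdir "$path")" ;;
        esac
    done
}

# Does the default CA store under an OPENSSLDIR exist?  OpenSSL looks for
# $OPENSSLDIR/cert.pem (bundle file) and $OPENSSLDIR/certs (hashed dir)
# unless SSL_CERT_FILE / SSL_CERT_DIR override them.  Prints what it found
# and returns 1 when neither is present, i.e. default verification would
# fail with "unable to get local issuer certificate".
check_ca_store() {
    dir=$1
    if [ -r "$dir/cert.pem" ]; then
        echo "file:$dir/cert.pem"; return 0
    fi
    if [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        echo "dir:$dir/certs"; return 0
    fi
    echo "none:$dir"; return 1
}

# Full report for one openssl binary, e.g. /usr/bin/openssl (base) or
# /usr/local/bin/openssl (port).
report_openssl() {
    bin=$1
    dir=$(parse_openssldir "$("$bin" version -d)")
    printf '%s: %s, OPENSSLDIR=%s, CA store=' "$bin" "$("$bin" version)" "$dir"
    check_ca_store "$dir" || true
    ldd "$bin" | linked_ssl_libs
}

# Usage: sh check_openssl.sh /usr/bin/openssl /usr/local/bin/openssl
if [ $# -gt 0 ]; then
    for b in "$@"; do report_openssl "$b"; done
fi
```

Run it against both binaries on a host that has the port installed and the two reports show directly whether the symptom in this thread (base OpenSSL failing to verify while the port verifies) is a missing cert.pem under one OPENSSLDIR or the application linking against the other library. The ldd part is also the quick way to see which of the two libraries a ported daemon actually uses, which is what decides whether freebsd-update or 'pkg audit' is the relevant update channel for it.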