Date:      Sat, 02 Apr 2011 05:38:06 +0200
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: SSL is broken on FreeBSD
Message-ID:  <4D969A1E.80202@obluda.cz>
In-Reply-To: <AANLkTi=17e7qE8yAACKiYSvpvsUZhDJu4e=mmM%2BhHwr8@mail.gmail.com>
References:  <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>	<20110401153300.GA85392@guilt.hydra>	<AANLkTi=fqSAMiGtGQO1%2Bt1QbhNY1m_S%2Bx294WX3zHpOK@mail.gmail.com>	<4D9639B0.1070302@FreeBSD.org> <AANLkTi=17e7qE8yAACKiYSvpvsUZhDJu4e=mmM%2BhHwr8@mail.gmail.com>

István wrote:
> well i would argue with that, on Linux it was possible to validate the certs
> what X company is using, on FreeBSD it was not.

Just for completeness:

 =============================
uname -a
Linux u-pl1 2.6.32-vs2.3.0.36.28-gentoo-amd64 #1 SMP PREEMPT Tue Feb 22
12:08:19 CET 2011 i686 Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz
GenuineIntel GNU/Linux

openssl s_client -connect 72.21.203.148:443
CONNECTED(00000003)
...
verify error:num=20:unable to get local issuer certificate
verify return:0
 ==============================

and Windows XP SP3, not surprisingly:

 ==============================
> C:\>openssl s_client -connect 72.21.203.148:443
> Loading 'screen' into random state - done
> CONNECTED(00000784)
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at http
> s://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
> verify error:num=20:unable to get local issuer certificate
 ==============================


This issue is definitely NOT about "operating system A has different
behavior than operating system B". It's all about proper configuration
of such a system and proper usage of the openssl utility.

If István configures his system the same way as the Linux one (where it
works) is configured (e.g. if he installs an appropriate list of trusted CAs
and configures openssl to use it), then his problem will evaporate as well.

But if he is not interested in verification of the connection's certificate,
then he can ignore the warning altogether.

Dan
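As an added example (not from Dan's message or anyone in the thread): the num=20 error from above reproduced offline with a throwaway CA, and the same leaf certificate verifying once that CA is handed to openssl as the trusted issuer list. The file names and the test CA are constructed here; it assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Reproduce "error 20: unable to get local issuer certificate" with a
# constructed CA/leaf pair, then clear it by supplying the CA to openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one leaf certificate it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -days 1 -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" \
        -days 1 >/dev/null 2>&1
}

# Run openssl verify against the given trust store; an empty argument means
# openssl's default store, which does not contain our constructed CA.
# Prints openssl's diagnostic (exit status differs between openssl versions,
# so callers match on the text rather than the status).
verify_leaf() {
    if [ -n "${1:-}" ]; then
        openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || return 1
    else
        openssl verify "$WORK/leaf.pem" 2>&1 || return 1
    fi
}

# Reduce the diagnostic to "issuer-unknown" (error 20) or "ok".
chain_status() {
    out=$(verify_leaf "${1:-}") || true
    case "$out" in
        *"error 20"*) echo issuer-unknown ;;
        *": OK"*)     echo ok ;;
        *)            echo "other: $out" ;;
    esac
}

make_test_pki
echo "default trust store: $(chain_status "")"
echo "with -CAfile ca.pem: $(chain_status "$WORK/ca.pem")"
# The same -CAfile (or -CApath) option applies to openssl s_client.
```

The first line reports issuer-unknown, exactly the num=20 condition in the s_client output above; the second reports ok, because nothing changed except which CAs openssl was told to trust.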


