From: Dan Lukes <dan@obluda.cz>
Date: Sat, 02 Apr 2011 05:38:06 +0200
To: freebsd-security@freebsd.org
Subject: Re: SSL is broken on FreeBSD
Message-ID: <4D969A1E.80202@obluda.cz>
References: <20110401153300.GA85392@guilt.hydra> <4D9639B0.1070302@FreeBSD.org>

István wrote:
> well i would argue with that, on Linux it was possible to validate the certs
> what X company is using, on FreeBSD it was not.

Just for completeness:
=============================
uname -a
Linux u-pl1 2.6.32-vs2.3.0.36.28-gentoo-amd64 #1 SMP PREEMPT Tue Feb 22 12:08:19 CET 2011 i686 Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz GenuineIntel GNU/Linux

openssl s_client -connect 72.21.203.148:443
CONNECTED(00000003)
...
verify error:num=20:unable to get local issuer certificate
verify return:0
==============================

and Windows XP SP3, not surprisingly:
==============================
> C:\>openssl s_client -connect 72.21.203.148:443
> Loading 'screen' into random state - done
> CONNECTED(00000784)
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at http
> s://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
> verify error:num=20:unable to get local issuer certificate
==============================

This issue is definitely NOT about "operating system A has different behavior than operating system B". It's all about proper configuration of such a system and proper usage of the openssl utility.

If István configures his system the same way the Linux box (where it works) is configured (e.g. if he installs an appropriate list of trusted CAs and configures openssl to use it), then his problem will also evaporate. But if he is not interested in verifying the connection's certificate, then he can ignore the warning altogether.

Dan
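An added check, not from Dan's mail or the list, that does what he suggests: point `openssl s_client` at an explicit CA bundle and parse the verify result instead of relying on an unconfigured default trust store. It assumes openssl(1) is in PATH and that the bundle lives where the FreeBSD security/ca_root_nss port installs it (an assumption; adjust for your system).

```shell
#!/bin/sh
# Added example, not code from the original mail. The bundle path is assumed
# to be the one installed by FreeBSD's security/ca_root_nss port.
CA_BUNDLE="${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}"

# verify_status: read `openssl s_client` output on stdin, print a one-line
# result and return 0 only when the chain verified against the local store.
verify_status() {
    out=$(cat)
    # s_client prints "verify error:num=20:..." lines during the handshake
    # and a final "Verify return code: N (text)" line; the last one decides.
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    case "$code" in
        0)  echo "ok: chain verified"; return 0 ;;
        "") echo "error: no verify result in output (connection failed?)"; return 2 ;;
        *)  reason=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: [0-9]* (\(.*\))/\1/p' | tail -n 1)
            echo "failed: verify code $code ($reason)"; return 1 ;;
    esac
}

# check_tls HOST [PORT]: connect with an explicit CA bundle (-CAfile) so the
# result reflects the trust store, not whether openssl found one by default.
check_tls() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$CA_BUNDLE" < /dev/null 2>/dev/null | verify_status
}
```

Without `-CAfile` (or `-CApath`), a "verify code 20" result from `check_tls` only tells you the bundle was not found, which is exactly the symptom on the page.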