From: Brooks Davis
To: Robert Simmons
Cc: freebsd-security, István
Date: Fri, 1 Apr 2011 10:16:33 -0500
Subject: Re: SSL is broken on FreeBSD
Message-ID: <20110401151633.GK63248@lor.one-eyed-alien.net>

On Fri, Apr 01, 2011 at 12:33:30PM -0400, Robert Simmons wrote:
> Now, you are also not satisfied with the CA bundle in the ports
> collection because it does not contain the CA that you need. I'm not
> sure which one it is that you need. But a good place to start is
> here:
> http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
>
> That contains a perl script for extracting the CA bundle from
> Mozilla's CVS. At first glance, it may frustrate you, because it may
> not be obvious where it connects to (that info is obscured). However,
> look at the following help file. It has all the connection details
> for mozilla's cvsroot that you will need. Just substitute the
> "anonymous@cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the
> script.
> https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS

The point of security/ca_root_nss is that it is exactly the set of
certs trusted by Mozilla (via the nss library) via the mechanism
described above. The FreeBSD Project makes no warranty that it is a
good set to trust. It just happens to be a set that is widely trusted.

> If you are not satisfied with Mozilla's bundle, you can find google
> Chrome's list here somewhere:
> http://src.chromium.org/viewvc/chrome/

We might actually want to maintain a port of those as well if they
differ in any meaningful way.

-- Brooks

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)

iD8DBQFNlexRXY6L6fI4GtQRAhCBAJ4jVef5atjnoa5gHgDGkc58BlbmYgCgzQeO
BAPjVronqoFJ0TGLjluq+p4=
=LPuT
-----END PGP SIGNATURE-----
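The mechanism both posters refer to is extracting Mozilla's trust store from the NSS source file certdata.txt. The example below is an added illustration of how such an extraction has to work; it is not the perl script from the linked modssl-users thread, nor the build script of the security/ca_root_nss port. It shows the part that matters for a bundle's trustworthiness: certdata.txt carries a separate trust object per certificate, and only certificates whose trust object marks them as a trusted delegator for server authentication belong in a TLS CA bundle. The certdata syntax shown is the real one (CKA_ attributes, MULTILINE_OCTAL blocks ending in END, trust objects matched to certificates by label), but the sample file and its certificate bytes are constructed placeholders, not real root certificates.

```python
# Added example: minimal parser for Mozilla's NSS certdata.txt that emits a PEM
# bundle containing only roots trusted for TLS server authentication.
# The sample input is constructed; its CKA_VALUE bytes are placeholders,
# not a real X.509 certificate.
import base64
import re
import textwrap

# Trust values meaning "trusted as a CA for this purpose". NSS renamed the
# CKT_NETSCAPE_* constants to CKT_NSS_*, so both spellings are accepted.
TRUSTED_DELEGATOR = {"CKT_NETSCAPE_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED_DELEGATOR"}
TRUST_CLASSES = {"CKO_NETSCAPE_TRUST", "CKO_NSS_TRUST"}

SAMPLE_CERTDATA = r"""
# Constructed sample in certdata.txt syntax (not a real Mozilla file).
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\101\102
\103\104
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\131\132
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def parse_certdata(text):
    """Split certdata.txt into a list of objects (dict attribute -> value).

    A new object starts at each CKA_CLASS line. MULTILINE_OCTAL values run
    until a line consisting of END and are decoded from \\ooo escapes into
    bytes; UTF8 values have their quotes stripped.
    """
    objects = []
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:          # e.g. the bare BEGINDATA marker
            continue
        attr, typ = parts[0], parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue
        if typ == "MULTILINE_OCTAL":
            chunks = []
            for octal_line in lines:   # consume until END
                if octal_line.strip() == "END":
                    break
                chunks.append(octal_line.strip())
            octets = re.findall(r"\\([0-7]{3})", "".join(chunks))
            current[attr] = bytes(int(o, 8) for o in octets)
        elif typ == "UTF8":
            current[attr] = rest.strip('"')
        else:
            current[attr] = rest
    return objects


def select_server_auth_roots(objects):
    """Pair each certificate with its trust object by label and keep only
    those NSS marks as a trusted delegator for TLS server authentication.
    Distrusted or merely present certificates are dropped."""
    trust_by_label = {o["CKA_LABEL"]: o for o in objects
                      if o.get("CKA_CLASS") in TRUST_CLASSES}
    roots = []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        trust = trust_by_label.get(o.get("CKA_LABEL"))
        if trust and trust.get("CKA_TRUST_SERVER_AUTH") in TRUSTED_DELEGATOR:
            roots.append((o["CKA_LABEL"], o["CKA_VALUE"]))
    return roots


def to_pem(label, der):
    """Wrap DER bytes as a PEM CERTIFICATE block with a label comment."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"# {label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(text):
    """certdata.txt text -> PEM bundle of server-auth trusted roots."""
    return "".join(to_pem(label, der)
                   for label, der in select_server_auth_roots(parse_certdata(text)))


def pem_to_der(pem):
    """Inverse of to_pem for the first block, used to check the round trip."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))


if __name__ == "__main__":
    print(build_bundle(SAMPLE_CERTDATA))
```

Run against a real certdata.txt, the same code yields the set Brooks describes: the roots Mozilla trusts for TLS, no more and no less. The filtering step is the point; dumping every CKO_CERTIFICATE object would also emit entries whose trust object says CKT_NSS_NOT_TRUSTED, which is how NSS distributes explicit distrust. Matching trust objects to certificates by label is a simplification that holds for Mozilla's file, where labels are unique; a stricter pairing would use issuer and serial number.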