From owner-freebsd-security@freebsd.org Fri Dec 18 12:00:17 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 480F9A4B520 for ; Fri, 18 Dec 2015 12:00:17 +0000 (UTC) (envelope-from freebsd-security@m.gmane.org) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0FBE01A12 for ; Fri, 18 Dec 2015 12:00:16 +0000 (UTC) (envelope-from freebsd-security@m.gmane.org) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1a9thc-00087d-S1 for freebsd-security@freebsd.org; Fri, 18 Dec 2015 13:00:04 +0100 Received: from d86-32-49-49.cust.tele2.at ([86.32.49.49]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 18 Dec 2015 13:00:04 +0100 Received: from r by d86-32-49-49.cust.tele2.at with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 18 Dec 2015 13:00:04 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-security@freebsd.org From: rhi Subject: [OpenSSL] /etc/ssl/cert.pem not honoured by default Date: Fri, 18 Dec 2015 11:41:35 +0000 (UTC) Lines: 27 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: sea.gmane.org User-Agent: Loom/3.14 (http://gmane.org/) X-Loom-IP: 86.32.49.49 (Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Dec 2015 12:00:17 -0000 Hello, I have a FreeBSD 10.1 installation with security/ca_root_nss installed (with ETCSYMLINK). /etc/make.conf contains WITH_OPENSSL_BASE="YES", the port (security/openssl) is not installed. /etc/ssl/cert.pem points to /usr/local/share/certs/ca-root-nss.crt, which contains the CA certificates as expected. When I do openssl s_client -showcerts -host my.server -port 443, I get "Verify return code: 20 (unable to get local issuer certificate)", i.e. the certificate can't be verified. The same command with -CAfile openssl s_client -CAfile /etc/ssl/cert.pem -showcerts -host my.server -port 443 works ("Verify return code: 0 (ok)"). Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I get OpenSSL to use it by default? The problem is that net-im/ejabberd uses the default OpenSSL verification (when certificate verification is activated), and as far as I know, there's no possibility to specify an extra CAfile. This means that I can't use certificate validation with XMPP, which is not good... Do you have an idea?