Date: Fri, 18 Dec 2015 11:41:35 +0000 (UTC) From: rhi <r@hirner.at> To: freebsd-security@freebsd.org Subject: [OpenSSL] /etc/ssl/cert.pem not honoured by default Message-ID: <loom.20151218T123930-865@post.gmane.org>
next in thread | raw e-mail | index | archive | help
Hello,
I have a FreeBSD 10.1 installation with security/ca_root_nss installed (with
ETCSYMLINK).
/etc/make.conf contains WITH_OPENSSL_BASE="YES", the port (security/openssl)
is not installed.
/etc/ssl/cert.pem points to /usr/local/share/certs/ca-root-nss.crt, which
contains the CA certificates as expected.
When I do openssl s_client -showcerts -host my.server -port 443, I get
"Verify return code: 20 (unable to get local issuer certificate)", i.e. the
certificate can't be verified.
The same command with -CAfile openssl s_client -CAfile /etc/ssl/cert.pem
-showcerts -host my.server -port 443 works ("Verify return code: 0 (ok)").
Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I
get OpenSSL to use it by default?
The problem is that net-im/ejabberd uses the default OpenSSL verification
(when certificate verification is activated), and as far as I know, there's
no possibility to specify an extra CAfile. This means that I can't use
certificate validation with XMPP, which is not good...
Do you have an idea?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?loom.20151218T123930-865>