Date: Mon, 16 Aug 2010 07:00:30 -0700 (PDT)
From: Dan Strick <mla_strick@att.net>
To: freebsd-questions@freebsd.org
Cc: mla@mist.nodomain
Subject: Re: fetchmail ssl certificate verification problem in FreeBSD 8.1
Message-ID: <201008161400.o7GE0UKZ002705@mist.nodomain>

On Mon, 16 Aug 2010 01:57, RW wrote:
> You'd be better off installing security/ca_root_nss otherwise you'll be
> stuck with a stale file.
>
> I don't know why you don't have it, it's a dependency of fetchmail and
> many other ports.

I had it but I didn't know it. I did discover the file it installed, /usr/local/share/certs/ca-root-nss.crt, and started to use it for fetchmail in place of the file from my old FreeBSD system.

After I read the above note from RW I figured out it referred to a port, that I had the port, that it was a dependency of fetchmail and had been installed and was probably the source of the file /usr/local/share/certs/ca-root-nss.crt.

Erik Norgaard also mentioned the port but I didn't understand at the time that he was referring to a port. He also mentioned the file /usr/src/crypto/openssl/FAQ which very briefly discusses the issue and mentions

    http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

which describes a mechanism for constructing a root certificate bundle from some obscure data file apparently produced by the Mozilla project, but of course I lacked the background to understand these things at the time. I still don't understand them very well.

The relevant user options in my .fetchmailrc file are now:

    ssl
    sslproto SSL3
    sslcertck
    sslcertfile /usr/local/share/certs/ca-root-nss.crt
    sslfingerprint "..."

Perhaps since fetchmail installs ca_root_nss as a dependency it should also default to using the installed ca root bundle file. Perhaps the fetchmail port should have produced an installation message that mentioned these things. Perhaps the port should patch the fetchmail man page to suggest using this file with the sslcertfile option.

I have looked very very hard for documentation on this stuff in an obvious place but have not found any. Where should I have looked?

Thanks,
Dan Strick
mla_strick at att.net
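
Added example (not part of the message above and not fetchmail's own code): a small Python check that the sslcertck and sslcertfile options listed in the message are present and that the named bundle really contains PEM certificates. It assumes the rc text holds a single poll entry; the function names, server name, user name and bundle contents are constructed for illustration.

```python
import os
import shlex
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def count_pem_certs(path):
    """Count PEM certificate blocks in a CA bundle file."""
    with open(path, "r", errors="replace") as fh:
        return sum(1 for line in fh if line.strip() == PEM_BEGIN)

def check_fetchmailrc(text):
    """Return findings for the SSL options of one fetchmailrc poll entry."""
    # Tokens are whitespace-separated; quoted strings and '#' comments are allowed.
    tokens = shlex.split(text, comments=True)
    findings = []
    if "ssl" not in tokens:
        findings.append("ssl is not enabled")
    if "sslcertck" not in tokens:
        findings.append("sslcertck is not set: the server certificate is not checked")
    if "sslcertfile" not in tokens:
        findings.append("sslcertfile is not set: verification depends on "
                        "OpenSSL's default trust store")
    else:
        i = tokens.index("sslcertfile")
        path = tokens[i + 1] if i + 1 < len(tokens) else ""
        if not os.path.isfile(path):
            findings.append("sslcertfile %r does not exist" % path)
        elif count_pem_certs(path) == 0:
            findings.append("sslcertfile %r contains no PEM certificates" % path)
    return findings

if __name__ == "__main__":
    # Constructed stand-in for /usr/local/share/certs/ca-root-nss.crt.
    workdir = tempfile.mkdtemp()
    bundle = os.path.join(workdir, "ca-root-nss.crt")
    with open(bundle, "w") as fh:
        fh.write(PEM_BEGIN + "\n(constructed placeholder)\n"
                 "-----END CERTIFICATE-----\n")
    # Constructed rc entries: one with the options from the message, one without.
    good = 'poll mail.example.org user "dan" ssl sslcertck sslcertfile %s\n' % bundle
    weak = 'poll mail.example.org user "dan" ssl  # no certificate options\n'
    for name, rc in (("good", good), ("weak", weak)):
        print(name, check_fetchmailrc(rc) or "ok")
```

The check only confirms that the options and the bundle file are in place; it does not validate the certificates themselves or tell you whether the bundle is stale.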