From: Matthew Grooms
Date: Mon, 10 Nov 2014 17:28:49 -0600
To: freebsd-net@freebsd.org
Subject: Re: SSL certificate check error ...
Message-ID: <54614A31.8030209@shrew.net>
In-Reply-To: <54611DD9.2060107@shrew.net>

Ok, I feel a little silly. These commands do not work without the CAfile specified on FreeBSD 8.x or 9.x either. Sorry for the noise.

-Matthew

On 11/10/2014 2:19 PM, Matthew Grooms wrote:
> All,
>
> I am seeing a problem with certificate checking on several stock FreeBSD
> 10.0-RELEASE-p12 hosts using the base openssl. The ca_root_nss-3.17.2
> package is installed with the option to create the symlink in /etc/ssl
> enabled ...
>
> # ls -la /etc/ssl
> total 20
> drwxr-xr-x 2 root wheel 512 Nov 10 13:25 .
> drwxr-xr-x 21 root wheel 2048 Oct 28 23:45 ..
> lrwxr-xr-x 1 root wheel 38 Nov 10 13:24 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
> -rw-r--r-- 1 root wheel 10929 Jan 16 2014 openssl.cnf
>
> When I try to run s_client as a test to www.google.com, I see "Verify
> return code: 20 (unable to get local issuer certificate)" ...
>
> # openssl s_client -connect www.google.com:443
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3719 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
> Session-ID: 9890FB78A01C235769387820574E847C0F76E80DBDC867D6EC5D4422B944E956
> Session-ID-ctx:
> Master-Key: 86B4E5CBDC553D8740C462194E9244870D2468C8A736097CD467EF7461EE0ACF3D96C581EF6F68AF62218B451BBA03D7
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 100800 (seconds)
> TLS session ticket:
> Start Time: 1415648696
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
>
> ... but when I explicitly specify the path to /etc/ssl/cert.pem, it
> works fine ...
>
> # openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
> CONNECTED(00000003)
> depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
> verify return:1
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> verify return:1
> depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3719 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
> Session-ID: 9DD76F7AC8D34085E2B230CA02B955D3A35482C5AD983CD43A0AF65EDDF0905B
> Session-ID-ctx:
> Master-Key: FCF5D6AB32816ABD660AB744386531308C3F3203BBB61EB8273A5783DDE92B04C87ADA3DB12C87092BB7BE21CFAD3CCA
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 100800 (seconds)
> TLS session ticket:
> Start Time: 1415648909
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> Also, if I run the commands under truss I see that the file
> /etc/ssl/cert.pem is not being opened when I do not specify the option
> on the command line ...
>
> # truss openssl s_client -connect www.google.com:443
> ...
> open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
> open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
> open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0 (0x0)
> read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
> read(3,0x80186e000,32768) = 0 (0x0)
> close(3) = 0 (0x0)
> sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t }) = 0 (0x0)
> issetugid(0x7fffffffd2c0,0xc8,0x1,0x7fffffffd538,0x0,0x800c82648) = 0 (0x0)
> issetugid(0x7fffffffdf5a,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
> stat("/root/.rnd",0x7fffffffce08) ERR#2 'No such file or directory'
> getpid() = 16324 (0x3fc4)
> __sysctl(0x7fffffffd1c8,0x2,0x7fffffffd128,0x7fffffffd1c0,0x0,0x0) = 0 (0x0)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> getpid() = 16324 (0x3fc4)
> issetugid(0x0,0x80,0x10,0x2,0x368,0x1) = 0 (0x0)
> open("/etc/resolv.conf",O_CLOEXEC,0666) = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
> read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
> read(3,0x8018b3000,32768) = 0 (0x0)
> close(3) = 0 (0x0)
> issetugid(0x0,0x8018009c0,0x14,0x3,0x7fffffffc2b0,0x801801068) = 0 (0x0)
> stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
> open("/etc/nsswitch.conf",O_CLOEXEC,0666) = 3 (0x3)
> ioctl(3,TIOCGETA,0xffffca80) ERR#25 'Inappropriate ioctl for device'
> fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
> read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
> read(3,0x8018b3000,32768) = 0 (0x0)
>
> ... and it is being opened when I do specify the option on the command
> line ...
>
> # truss openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
> ...
> open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
> open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
> open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0 (0x0)
> read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
> read(3,0x80186e000,32768) = 0 (0x0)
> close(3) = 0 (0x0)
> sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t }) = 0 (0x0)
> issetugid(0x7fffffffd290,0xc8,0x1,0x7fffffffd508,0x0,0x800c82648) = 0 (0x0)
> issetugid(0x7fffffffdf5c,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
> stat("/root/.rnd",0x7fffffffcdd8) ERR#2 'No such file or directory'
> getpid() = 16371 (0x3ff3)
> __sysctl(0x7fffffffd198,0x2,0x7fffffffd0f8,0x7fffffffd190,0x0,0x0) = 0 (0x0)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> getpid() = 16371 (0x3ff3)
> open("/etc/ssl/cert.pem",O_RDONLY,0666) = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1052618,size=908574,blksize=32768 }) = 0 (0x0)
> read(3,"##\n## ca-root-nss.crt -- Bundl"...,32768) = 32768 (0x8000)
> madvise(0x80186a000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x8018a1000,0x4000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x8018ac000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x8018bc000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x8018cd000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x8018df000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x801900000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
> madvise(0x801875000,0x1000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10) = 0 (0x0)
> madvise(0x801887000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10) = 0 (0x0)
> read(3," 42:68:ac:a0:bd:4e:5a:da:18:bf:6"...,32768) = 32768 (0x8000)
> read(3,":9a:9b:bb:\n "...,32768) = 32768 (0x8000)
> read(3," 17:7d:a0:f9:b4:dd:c5:c5:eb"...,32768) = 32768 (0x8000)
> madvise(0x8018ba000,0x6000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
> madvise(0x8018f1000,0xc000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
> madvise(0x80190e000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
> madvise(0x801921000,0x5000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
> madvise(0x801936000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
> read(3,"c Constraints: critical\n "...,32768) = 32768 (0x8000)
> read(3,"DYu5Def131TN3ubY1gkIl2PlwS6w\nt0"...,32768) = 32768 (0x8000)
> read(3,"\nxvbxrN8y8NmBGuScvfaAFPDRLLmF9d"...,32768) = 32768 (0x8000)
> read(3,"f:1f:31:9c:\n "...,32768) = 32768 (0x8000)
> read(3,"igiCert Inc, OU=www.digicert.com"...,32768) = 32768 (0x8000)
> read(3,"93:36:85:23:88:8a:3c:03:68:d3:c9"...,32768) = 32768 (0x8000)
> read(3,"orzAzu8T2bgmmkTPiab+ci2hC6X5L8GC"...,32768) = 32768 (0x8000)
> read(3,"2zsmWLIodz2uFHdh\n1voqZiegDfqnc1"...,32768) = 32768 (0x8000)
> read(3,"hUNfBvitbtaSeodlyWL0AG0y/YckUHUW"...,32768) = 32768 (0x8000)
> read(3," CA:TRUE\n Signatu"...,32768) = 32768 (0x8000)
> read(3,":22:d7:8b:0b:\n "...,32768) = 32768 (0x8000)
> read(3," 6b:53:7f:db:df:df:f3:71:3d:26:"...,32768) = 32768 (0x8000)
> read(3,"f:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:"...,32768) = 32768 (0x8000)
> read(3,":57:d2:b0:0a:\n "...,32768) = 32768 (0x8000)
> read(3," X509v3 CRL Distribution Po"...,32768) = 32768 (0x8000)
> read(3,"60:45:f2:31:eb:a9:31:\n "...,32768) = 32768 (0x8000)
> read(3,"4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQ"...,32768) = 32768 (0x8000)
> read(3,"9:28:a7:\n 2e"...,32768) = 32768 (0x8000)
> read(3,"A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/"...,32768) = 32768 (0x8000)
> read(3,"4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3G"...,32768) = 32768 (0x8000)
> read(3,"QUFADCBvjE/MD0GA1UEAww2VMOc\nUkt"...,32768) = 32768 (0x8000)
> read(3,"dq6hw2v+vPhwvCkxWeM\n1tZUOt4KpLo"...,32768) = 32768 (0x8000)
> read(3," Exponent: 65537 (0x10001"...,32768) = 32768 (0x8000)
> read(3,":35:88:67:74:57:e3:df:8c:b8:a7:7"...,32768) = 23838 (0x5d1e)
> read(3,0x801899000,32768) = 0 (0x0)
> close(3) = 0 (0x0)
> getpid() = 16371 (0x3ff3)
> issetugid(0x0,0x80,0x10,0x2,0x368,0x1) = 0 (0x0)
> open("/etc/resolv.conf",O_CLOEXEC,0666) = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
> read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
> read(3,0x801931000,32768) = 0 (0x0)
> close(3) = 0 (0x0)
> issetugid(0x0,0x801801cf8,0x33,0x3,0x7fffffffc280,0x801801c38) = 0 (0x0)
> stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
> open("/etc/nsswitch.conf",O_CLOEXEC,0666) = 3 (0x3)
> ioctl(3,TIOCGETA,0xffffca50) ERR#25 'Inappropriate ioctl for device'
> fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
> read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
> read(3,0x801931000,32768) = 0 (0x0)
>
> This is the only copy of openssl on my system ...
>
> # whereis openssl
> openssl: /usr/bin/openssl /usr/share/openssl/man/man1/openssl.1.gz
>
> Did something change with the FreeBSD 10 configuration of OpenSSL? At
> first I thought it was a problem with this particular host, but I've
> been able to reproduce the problem on 3 different 10.x hosts I've tested
> so far. I don't see how an unmodified program will pick up the default
> system CA file unless that problem has an option to explicitly hand in
> the path. Was this intended?
>
> Thanks in advance,
>
> -Matthew
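
The two checks used in the quoted message (the s_client "Verify return code" and whether the truss trace shows the CA bundle being opened) can be combined into one script for comparing hosts. This is an added example, not code from the thread; the function names, result labels and sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example; sample inputs below are constructed, not captured output.

# Numeric code from the last "Verify return code: N (text)" line on stdin.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Exit 0 only if the trace on stdin shows a successful open() of path $1.
# truss prints "= <fd>" on success and "ERR#<n>" on failure.
bundle_opened() {
    awk -v p="$1" '
        index($0, "open(\"" p "\"") > 0 && $0 !~ /ERR#[0-9]+/ && $0 ~ /\) = [0-9]+/ { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# $1 = s_client output, $2 = truss trace, $3 = CA bundle path.
# The result labels are hypothetical names chosen for this example.
diagnose() {
    code=$(printf '%s\n' "$1" | verify_code)
    if printf '%s\n' "$2" | bundle_opened "$3"; then opened=yes; else opened=no; fi
    case "$code:$opened" in
        0:*)    echo "chain-verified" ;;
        20:no)  echo "ca-bundle-not-loaded" ;;
        20:yes) echo "issuer-not-in-bundle" ;;
        *)      echo "unclassified:$code" ;;
    esac
}

sample_sclient_fail() { cat <<'EOF'
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
sample_trace_no_bundle() { cat <<'EOF'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
open("/etc/resolv.conf",O_CLOEXEC,0666) = 3 (0x3)
EOF
}
sample_trace_bundle_missing() { cat <<'EOF'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
open("/etc/ssl/cert.pem",O_RDONLY,0666) ERR#2 'No such file or directory'
EOF
}
sample_trace_bundle_read() { cat <<'EOF'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
open("/etc/ssl/cert.pem",O_RDONLY,0666) = 3 (0x3)
EOF
}

diagnose "$(sample_sclient_fail)" "$(sample_trace_no_bundle)" /etc/ssl/cert.pem
```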