From: Florian Heigl
Subject: Re: Adding a root CA cert on FreeBSD10
Date: Mon, 9 Mar 2015 17:28:10 +0100
To: krad, FreeBSD Questions
Message-Id: <86A77076-E8E3-45F9-B07D-3E47EE120B6E@gmail.com>

Hi,

thank you a lot!
I'll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0

Do you know / understand the preference between the different directories on FreeBSD?
I very much like using /etc/ssl/certs but since we also have the /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really wonder what the "right" path would be.

Anyone?

Florian

On 09.03.2015, at 15:12, krad wrote:

> I got mine working fine when I built a transparent ssl proxy. I had to put all the root certs into /etc/ssl/certs
>
> The filenames had to be the hash of the cert though. This can be generated via the following command
>
> openssl x509 -noout -hash -in
>
> eg
>
> # openssl x509 -noout -hash -in some_cert
> 0810bc98
> # mv some_cert /etc/ssl/certs/0810bc98.0
>
>
> On 8 March 2015 at 18:26, Florian Heigl wrote:
> > Hi,
> >
> > I'm trying to identify how and where to add a trusted root certificate in FreeBSD10.
> >
> > Doing so used to be dead easy on FreeBSD until now, just drop them in /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
> > This seems to be no longer true?
> >
> > I'm working with CACert or "private" CAs in many cases, so this is a standard thing. Right now I'm pulling my hair out over how to make it work in FreeBSD 10.
> >
> > What I want:
> > - openssl s_client -connect to work
> >
> > I'm aware different tools are using different methods, but i.e. curl on many OS is tamed to respect the openssl CAs so I figure once openssl is happy it should be all good.
> > But OpenSSL ain't happy:
> >
> > # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
> > depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
> > Verify return code: 19 (self signed certificate in certificate chain)
> >
> > I've put the CACert certificates in the following places, to no avail:
> >
> > /etc/ssl/certs/cacert-class3.crt
> > /etc/ssl/certs/cacert-root.crt
> > /usr/local/etc/ssl/cacert-root.crt
> > /usr/local/etc/ssl/certs/cacert-root.crt
> > /usr/local/etc/ssl/certs/cacert-class3.crt
> > /usr/local/etc/ssl/cacert-class3.crt
> > /usr/local/etc/openssl/cacert-class3.crt
> > /usr/local/etc/openssl/cacert-root.crt
> > /usr/local/etc/openssl/certs/cacert-class3.crt
> > /usr/local/etc/openssl/certs/cacert-root.crt
> >
> > I've not tried to patch them into the OS-side CA bundles like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be lost on update of the package.
> >
> > Is there any documentation regarding certs that is _working_ on FreeBSD10? I'm so far still inclined the error is on my side, but without current documentation it's hard to tell.
> >
> >
> > Florian
> >
> >
> > (I hope we didn't inherit another shitty linux mechanism like hal, update-ca-certs or resolvconf to break proven functionality.
> > If so, please let me know what it is and I'll gladly open a PR to name it a regression.
> > Also, please excuse my lack of enthusiasm, but this has ruined much of my day meaning the coming week will also be ruined, trying to catch up)
> >
> >
> > --
> > the purpose of libvirt is to provide an abstraction layer hiding all xen features added since 2006 until they were finally understood and copied by the kvm devs.
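The mechanism krad describes (OpenSSL's directory lookup finds CA files only under their subject-hash name, which is why a file called cacert-root.crt dropped into /etc/ssl/certs is never consulted) can be exercised end to end. The script below is an added example, not code from the thread or from FreeBSD; it assumes only that the openssl command-line tool is on PATH, creates throwaway self-signed CAs as constructed test data in a temporary directory, and uses placeholder paths throughout. It goes a little beyond the thread by handling the collision case that c_rehash handles: two distinct certificates with the same subject name share a hash and get hash.0 and hash.1.

```shell
#!/bin/sh
# Added example, not from the thread: install a CA certificate into an OpenSSL
# CApath directory under the subject-hash name that "openssl verify -CApath"
# and s_client look up, with the hash.0/hash.1 collision handling c_rehash does.
# Assumes the openssl CLI is on PATH; all paths are placeholders inside a
# temporary directory and the CA certificates are generated on the fly.
set -eu

# install_ca_hashed CERT DIR
# Copies CERT into DIR under its own file name and adds a symlink named
# <subject hash>.<n>, where n is the first free suffix. If a link for this
# very certificate already exists, its path is printed and nothing changes.
install_ca_hashed() {
    cert="$1"
    dir="$2"
    mkdir -p "$dir"
    hash=$(openssl x509 -noout -hash -in "$cert")
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
    base=$(basename "$cert")
    cp "$cert" "$dir/$base"
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        # Different certificates can share a subject hash (it covers only the
        # subject name), so compare fingerprints to tell them apart.
        if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n" 2>/dev/null)" = "$fp" ]; then
            echo "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# verify_with_capath CERT DIR: succeeds only if OpenSSL can build a trusted
# chain for CERT using DIR as the hashed CA directory.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# make_test_ca OUT SUBJECT: generate a throwaway self-signed CA (constructed
# test data, one day of validity) at OUT, key at OUT.key.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo run: a CA dropped into the directory under a plain file name is not
# found by -CApath; after the hash link is created it is.
demo() {
    tmp=$(mktemp -d)
    make_test_ca "$tmp/ca.crt" "/O=Example Private CA/CN=Example Root"
    mkdir -p "$tmp/certs"
    cp "$tmp/ca.crt" "$tmp/certs/cacert-root.crt"
    if verify_with_capath "$tmp/ca.crt" "$tmp/certs"; then
        echo "unexpected: plain file name was found by -CApath"
    else
        echo "plain file name in CApath: not found (what the thread observed)"
    fi
    link=$(install_ca_hashed "$tmp/ca.crt" "$tmp/certs")
    echo "installed hash link: $link"
    if verify_with_capath "$tmp/ca.crt" "$tmp/certs"; then
        echo "verify via hashed name: OK"
    fi
    rm -rf "$tmp"
}

demo
```

On the "which directory" question: each OpenSSL binary looks in the certs/ subdirectory of the OPENSSLDIR it was compiled with, and `openssl version -d` prints that directory, so the base-system OpenSSL and a ports-built one (or a tool linked against it) can legitimately read different paths; running that command with the binary the failing client actually uses tells you where the hashed links must go.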