From owner-freebsd-security@freebsd.org Fri Dec 18 12:25:45 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 25082A49855 for ; Fri, 18 Dec 2015 12:25:45 +0000 (UTC) (envelope-from matthew@freebsd.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C178C1BA6 for ; Fri, 18 Dec 2015 12:25:44 +0000 (UTC) (envelope-from matthew@freebsd.org) Received: from ox-dell39.ox.adestra.com (no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged)) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.2/8.15.2) with ESMTPSA id tBICPWxB045742 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Fri, 18 Dec 2015 12:25:39 GMT (envelope-from matthew@freebsd.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=freebsd.org DKIM-Filter: OpenDKIM Filter v2.10.3 smtp.infracaninophile.co.uk tBICPWxB045742 Authentication-Results: smtp.infracaninophile.co.uk/tBICPWxB045742; dkim=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged) claimed to be ox-dell39.ox.adestra.com Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default To: freebsd-security@freebsd.org References: From: Matthew Seaman X-Enigmail-Draft-Status: N1110 Message-ID: <5673FB3B.2010201@freebsd.org> Date: Fri, 18 Dec 2015 12:25:31 +0000 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Dec 2015 12:25:45 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 12/18/15 11:41, rhi wrote: > Is there any reason why /etc/ssl/cert.pem is not honoured by default? C= an I > get OpenSSL to use it by default? Is that the ports or the base version of openssl? I can recreate your results with the base openssl, but everything works as expected with the ports version: :# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com -port 443 WARNING: can't open config file: /usr/local/openssl/openssl.cnf CONNECTED(00000004) depth=3D3 C =3D SE, O =3D AddTrust AB, OU =3D AddTrust External TTP Netwo= rk, CN =3D AddTrust External CA Root verify return:1 [...] --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5119 bytes and written 444 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002 Session-ID-ctx: Master-Key: 4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B44= 50FDA6EDD02063A8914A056 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 00 1f 25 24 ba 2c 17 70-37 6c 71 e2 a1 46 75 fb =2E.%$.,.p7lq..Fu. 0010 - 5f 50 8e 2c 58 c3 72 c8-c4 03 8c 60 0b 54 f3 d7 _P.,X.r....`.T.. 0020 - 5c 2c af 3e cc b4 1b 77-c3 a0 2e dd e9 7c 39 89 \,.>...w.....|9. 0030 - dc 9f 10 0b f6 5f 8c 9a-df 18 8f 77 27 be f4 fb =2E...._.....w'... 0040 - e7 34 fe b4 5a 36 78 8d-20 fd b2 68 1b f2 16 dc .4..Z6x. =2E.h.... 0050 - 5e ea d0 79 5e e1 88 66-05 35 1f b9 b8 71 91 9d ^..y^..f.5...q.. 0060 - 09 2a 4a 61 da 5a 5b ad-66 20 19 eb df e5 55 f4 .*Ja.Z[.f =2E...U. 0070 - 29 4c a2 e3 35 ed f9 53-c2 18 dd d6 8b f9 1e ef )L..5..S........ 0080 - 81 76 c5 db a5 15 62 23-cd 4a 80 6d f1 7f 2f 19 =2Ev....b#.J.m../. 0090 - d9 c4 00 21 fe 3c 00 4e-4f 70 1d cd 56 20 8f 98 =2E..!.<.NOp..V .. 00a0 - 65 88 a4 6c fe 96 9a 38-f4 f4 fd 25 58 22 98 24 e..l...8...%X".$ Start Time: 1450441132 Timeout : 300 (sec) Verify return code: 0 (ok) --- ^C Generally I find that setting 'WITH_OPENSSL_PORT=3Dyes' is the route to crypto happiness in the ports. Cheers, Matthew --C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWc/s7AAoJEABRPxDgqeTnKlsP/1NTQbfMPk09c7JMSpeuZaRM g9Jp+D8GAlViKIWwylyxl8kWF1I3aNGufAwuREBgbjyi0Jev9CRCXrYmXMfIGEcd Oijti/ewTRKEaN1cZHY3cVOgILRIkW7+HClWdUqQCRrMUOImDwosiCtd3tdqN9AL 6F1/tk4dPGfcN6k28cbN42Kc76V4DAvF5MzoSJ0DKZb5sV5+4aYsEiS+XazXz64N 7utt2+d63tP/mo16dkzCCxUT4tppGHIA1PHIKoiAxdqq+/NQ60mhE+LTO/EFeqdL hpiNXWMau4MDxZVb+bNzYQCq8k3wOfzC7zXyuKUjKWucU9opapzy9iSvsvdrTgdD Od10g8fWYo9GKWBlDPXb4lk3p43GSJj+kNquEdp3/6GWPOm14jeV3QZi5qW6gqMZ YnAYB1D/HvZJHMrWBJquQ/twohZqdOnXYSLIvL4ctLDCRYFjadqU11ykqbWlBPiu G2nNfUflFBWrU3mm5VyL9vmNuN+wM71PoxZU1iKKH5y+dN/Hw5uza85/gflr/WOu uiB+m4UC+bI+4Nl+Ao0asbNMWy4NATfi9hajBeThahmFn+/mXyS3/KEU1uS9STQV B7S/S2uHHtNlvuyZRmVjGkYJYs3zv0mqoPy4/A5JY080zmcrMdZYIlHuWDo6i7vV 5+ODrbbuMi6Imz4ClR8H =XS0i -----END PGP SIGNATURE----- --C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi--