Date:      Fri, 18 Dec 2015 12:25:31 +0000
From:      Matthew Seaman <matthew@freebsd.org>
To:        freebsd-security@freebsd.org
Subject:   Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Message-ID:  <5673FB3B.2010201@freebsd.org>
In-Reply-To: <loom.20151218T123930-865@post.gmane.org>
References:  <loom.20151218T123930-865@post.gmane.org>


On 12/18/15 11:41, rhi wrote:
> Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I
> get OpenSSL to use it by default?

Is that the ports or the base version of openssl?  I can recreate your
results with the base openssl, but everything works as expected with the
ports version:

:# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com -port 443
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000004)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5119 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002
    Session-ID-ctx:
    Master-Key:
4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B4450FDA6EDD02063A8914A056
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 1f 25 24 ba 2c 17 70-37 6c 71 e2 a1 46 75 fb   ..%$.,.p7lq..Fu.
    0010 - 5f 50 8e 2c 58 c3 72 c8-c4 03 8c 60 0b 54 f3 d7   _P.,X.r....`.T..
    0020 - 5c 2c af 3e cc b4 1b 77-c3 a0 2e dd e9 7c 39 89   \,.>...w.....|9.
    0030 - dc 9f 10 0b f6 5f 8c 9a-df 18 8f 77 27 be f4 fb   ....._.....w'...
    0040 - e7 34 fe b4 5a 36 78 8d-20 fd b2 68 1b f2 16 dc   .4..Z6x. ..h....
    0050 - 5e ea d0 79 5e e1 88 66-05 35 1f b9 b8 71 91 9d   ^..y^..f.5...q..
    0060 - 09 2a 4a 61 da 5a 5b ad-66 20 19 eb df e5 55 f4   .*Ja.Z[.f ....U.
    0070 - 29 4c a2 e3 35 ed f9 53-c2 18 dd d6 8b f9 1e ef   )L..5..S........
    0080 - 81 76 c5 db a5 15 62 23-cd 4a 80 6d f1 7f 2f 19   .v....b#.J.m../.
    0090 - d9 c4 00 21 fe 3c 00 4e-4f 70 1d cd 56 20 8f 98   ...!.<.NOp..V ..
    00a0 - 65 88 a4 6c fe 96 9a 38-f4 f4 fd 25 58 22 98 24   e..l...8...%X".$

    Start Time: 1450441132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to
crypto happiness in the ports.

	Cheers,

	Matthew






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5673FB3B.2010201>