Date: Fri, 18 Dec 2015 12:25:31 +0000 From: Matthew Seaman <matthew@freebsd.org> To: freebsd-security@freebsd.org Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default Message-ID: <5673FB3B.2010201@freebsd.org> In-Reply-To: <loom.20151218T123930-865@post.gmane.org> References: <loom.20151218T123930-865@post.gmane.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 12/18/15 11:41, rhi wrote: > Is there any reason why /etc/ssl/cert.pem is not honoured by default? C= an I > get OpenSSL to use it by default? Is that the ports or the base version of openssl? I can recreate your results with the base openssl, but everything works as expected with the ports version: :# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com -port 443 WARNING: can't open config file: /usr/local/openssl/openssl.cnf CONNECTED(00000004) depth=3D3 C =3D SE, O =3D AddTrust AB, OU =3D AddTrust External TTP Netwo= rk, CN =3D AddTrust External CA Root verify return:1 [...] --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5119 bytes and written 444 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002 Session-ID-ctx: Master-Key: 4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B44= 50FDA6EDD02063A8914A056 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 00 1f 25 24 ba 2c 17 70-37 6c 71 e2 a1 46 75 fb =2E.%$.,.p7lq..Fu. 0010 - 5f 50 8e 2c 58 c3 72 c8-c4 03 8c 60 0b 54 f3 d7 _P.,X.r....`.T.. 0020 - 5c 2c af 3e cc b4 1b 77-c3 a0 2e dd e9 7c 39 89 \,.>...w.....|9. 0030 - dc 9f 10 0b f6 5f 8c 9a-df 18 8f 77 27 be f4 fb =2E...._.....w'... 0040 - e7 34 fe b4 5a 36 78 8d-20 fd b2 68 1b f2 16 dc .4..Z6x. =2E.h.... 0050 - 5e ea d0 79 5e e1 88 66-05 35 1f b9 b8 71 91 9d ^..y^..f.5...q.. 0060 - 09 2a 4a 61 da 5a 5b ad-66 20 19 eb df e5 55 f4 .*Ja.Z[.f =2E...U. 0070 - 29 4c a2 e3 35 ed f9 53-c2 18 dd d6 8b f9 1e ef )L..5..S........ 0080 - 81 76 c5 db a5 15 62 23-cd 4a 80 6d f1 7f 2f 19 =2Ev....b#.J.m../. 0090 - d9 c4 00 21 fe 3c 00 4e-4f 70 1d cd 56 20 8f 98 =2E..!.<.NOp..V .. 00a0 - 65 88 a4 6c fe 96 9a 38-f4 f4 fd 25 58 22 98 24 e..l...8...%X".$ Start Time: 1450441132 Timeout : 300 (sec) Verify return code: 0 (ok) --- ^C Generally I find that setting 'WITH_OPENSSL_PORT=3Dyes' is the route to crypto happiness in the ports. Cheers, Matthew --C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWc/s7AAoJEABRPxDgqeTnKlsP/1NTQbfMPk09c7JMSpeuZaRM g9Jp+D8GAlViKIWwylyxl8kWF1I3aNGufAwuREBgbjyi0Jev9CRCXrYmXMfIGEcd Oijti/ewTRKEaN1cZHY3cVOgILRIkW7+HClWdUqQCRrMUOImDwosiCtd3tdqN9AL 6F1/tk4dPGfcN6k28cbN42Kc76V4DAvF5MzoSJ0DKZb5sV5+4aYsEiS+XazXz64N 7utt2+d63tP/mo16dkzCCxUT4tppGHIA1PHIKoiAxdqq+/NQ60mhE+LTO/EFeqdL hpiNXWMau4MDxZVb+bNzYQCq8k3wOfzC7zXyuKUjKWucU9opapzy9iSvsvdrTgdD Od10g8fWYo9GKWBlDPXb4lk3p43GSJj+kNquEdp3/6GWPOm14jeV3QZi5qW6gqMZ YnAYB1D/HvZJHMrWBJquQ/twohZqdOnXYSLIvL4ctLDCRYFjadqU11ykqbWlBPiu G2nNfUflFBWrU3mm5VyL9vmNuN+wM71PoxZU1iKKH5y+dN/Hw5uza85/gflr/WOu uiB+m4UC+bI+4Nl+Ao0asbNMWy4NATfi9hajBeThahmFn+/mXyS3/KEU1uS9STQV B7S/S2uHHtNlvuyZRmVjGkYJYs3zv0mqoPy4/A5JY080zmcrMdZYIlHuWDo6i7vV 5+ODrbbuMi6Imz4ClR8H =XS0i -----END PGP SIGNATURE----- --C3GcE3eMBT4XsxdPUhVv1uVqKgpsfBLBi--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5673FB3B.2010201>