From owner-freebsd-questions@FreeBSD.ORG Tue Mar 10 14:23:39 2015
Date: Tue, 10 Mar 2015 14:23:38 +0000
Subject: Re: Adding a root CA cert on FreeBSD10
From: krad
To: Florian Heigl
In-Reply-To: <86A77076-E8E3-45F9-B07D-3E47EE120B6E@gmail.com>
Cc: FreeBSD Questions
List-Id: User questions

Anything under local suggests you have installed openssl from ports. You will have to use the one your application is linked to. Check with ldd.

On 9 Mar 2015 16:28, "Florian Heigl" wrote:
> Hi,
>
> thank you a lot!
>
> I'll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0
>
> Do you know / understand the preference between the different directories
> on FreeBSD?
> I very much like using /etc/ssl/certs but since we also have the
> /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really
> wonder what the "right" path would be.
>
> Anyone?
>
> Florian
>
>
> On 09.03.2015, at 15:12, krad wrote:
>
> I got mine working fine when I built a transparent ssl proxy. I had to put
> all the root certs into /etc/ssl/certs
>
> The filenames had to be the hash of the cert though. This can be
> generated via the following command
>
> openssl x509 -noout -hash -in
>
> eg
>
> # openssl x509 -noout -hash -in some_cert
> 0810bc98
> # mv some_cert /etc/ssl/certs/0810bc98.0
>
>
> On 8 March 2015 at 18:26, Florian Heigl wrote:
>
>> Hi,
>>
>> I'm trying to identify how and where to add a trusted root certificate in
>> FreeBSD10.
>>
>> Doing so used to be dead easy on FreeBSD until now, just drop them in
>> /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
>> This seems to be no longer true?
>>
>> I'm working with CACert or "private" CAs in many cases, so this is a
>> standard thing. Right now I'm pulling my hair how to make it work in
>> FreeBSD 10.
>>
>> What I want:
>> - openssl s_client -connect to work
>>
>> I'm aware different tools are using different methods, but i.e. curl on
>> many OS is tamed to respect the openssl CAs so I figure once openssl is
>> happy it should be all good.
>> But OpenSSL ain't happy:
>>
>>
>> # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
>> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
>> Authority, emailAddress = support@cacert.org
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>> Authority/emailAddress=support@cacert.org
>> Verify return code: 19 (self signed certificate in certificate chain)
>>
>> I've put the CACert certificates in the following places, to no avail:
>>
>> /etc/ssl/certs/cacert-class3.crt
>> /etc/ssl/certs/cacert-root.crt
>> /usr/local/etc/ssl/cacert-root.crt
>> /usr/local/etc/ssl/certs/cacert-root.crt
>> /usr/local/etc/ssl/certs/cacert-class3.crt
>> /usr/local/etc/ssl/cacert-class3.crt
>> /usr/local/etc/openssl/cacert-class3.crt
>> /usr/local/etc/openssl/cacert-root.crt
>> /usr/local/etc/openssl/certs/cacert-class3.crt
>> /usr/local/etc/openssl/certs/cacert-root.crt
>>
>> I've not tried to patch them into the OS-side CA bundles
>> like ca_root_nss-3.17.4_1. That would be utterly stupid since they would
>> be lost on update of the package.
>>
>> Is there any documentation regarding certs that is _working_ on FreeBSD10?
>> I'm so far still inclined the error is on my side, but without current
>> documentation it's hard to tell.
>>
>>
>> Florian
>>
>>
>> (I hope we didn't inherit another shitty linux mechanism like hal,
>> update-ca-certs or resolvconf to break proven functionality.
>> If so, please let me know what it is and I'll gladly open a PR to name it
>> a regression.
>> Also, please excuse my lack of enthusiasm, but this has ruined much of my
>> day meaning the coming week will also be ruined, trying to catch up)
>>
>>
>>
>> --
>> the purpose of libvirt is to provide an abstraction layer hiding all xen
>> features added since 2006 until they were finally understood and copied by
>> the kvm devs.
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe@freebsd.org"
>>
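The two points the thread lands on, that OpenSSL's CApath lookup finds a CA only under its subject-hash name (hash.0, hash.1, ...) and that the directory has to belong to the OpenSSL your application is actually linked against, are easy to get subtly wrong by hand. The script below is an added example, not code from the thread or from FreeBSD: it installs a CA certificate under the hashed name (advancing the suffix only on a genuine hash collision), checks with `openssl verify -CApath` that the CA is really trusted from that directory, and shows the `ldd` check. It assumes an OpenSSL 1.0.0 or newer on PATH (so `-hash` is the SHA-1 based subject hash the new-style lookup uses); the function names, the temp-dir demo CA, the "demoserver" leaf and every path are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Install a CA cert into an OpenSSL
# CApath directory under the name the lookup expects, then prove OpenSSL
# trusts it from there. Assumes OpenSSL >= 1.0.0 on PATH; names are mine.
set -eu

# Subject hash that the CApath lookup searches for as <hash>.0, <hash>.1, ...
# On OpenSSL >= 1.0.0 `-hash` equals `-subject_hash` (SHA-1 based); a 0.9.8
# client would look for `-subject_hash_old` names instead.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# install_ca_cert CERT CADIR: copy CERT into CADIR as <hash>.N and print the
# resulting path. N starts at 0 and only advances past an existing file that
# holds a *different* certificate (subject-hash collision); installing the
# same certificate twice is a no-op that returns the existing path.
install_ca_cert() {
    cert=$1
    cadir=$2
    h=$(cert_hash "$cert")
    fp=$(cert_fingerprint "$cert")
    n=0
    while [ -e "$cadir/$h.$n" ]; do
        if [ "$(cert_fingerprint "$cadir/$h.$n")" = "$fp" ]; then
            echo "$cadir/$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$cert" "$cadir/$h.$n"
    chmod 0644 "$cadir/$h.$n"
    echo "$cadir/$h.$n"
}

# verify_with_capath CADIR CHAIN LEAF: print "ok" if LEAF verifies with CADIR
# as the trust directory and CHAIN supplied as untrusted intermediates (the
# position s_client is in when the server sends its chain). Matching ": OK"
# in the output is portable across OpenSSL releases' exit-status habits.
verify_with_capath() {
    if openssl verify -CApath "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# which_libssl BINARY: show which libssl the binary really loads, so the cert
# goes into the directory *that* OpenSSL was built with (base vs ports).
which_libssl() {
    ldd "$1" | grep -i libssl
}

# demo: build a throwaway private CA and a leaf signed by it in a temp dir
# (constructed test data), show "fail" before installing the CA and "ok"
# after, and show that a second install is idempotent.
demo() {
    tmp=$(mktemp -d)
    cadir="$tmp/certs"
    mkdir "$cadir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Private CA' \
        -keyout "$tmp/ca.key" -out "$tmp/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demoserver' \
        -keyout "$tmp/leaf.key" -out "$tmp/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$tmp/leaf.csr" -CA "$tmp/ca.pem" \
        -CAkey "$tmp/ca.key" -CAcreateserial -out "$tmp/leaf.pem" 2>/dev/null
    before=$(verify_with_capath "$cadir" "$tmp/ca.pem" "$tmp/leaf.pem")
    installed=$(install_ca_cert "$tmp/ca.pem" "$cadir")
    after=$(verify_with_capath "$cadir" "$tmp/ca.pem" "$tmp/leaf.pem")
    again=$(install_ca_cert "$tmp/ca.pem" "$cadir")
    if [ "$installed" = "$again" ]; then idem=yes; else idem=no; fi
    rm -rf "$tmp"
    echo "before=$before after=$after name=${installed##*/} idempotent=$idem"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run `sh addca.sh demo` to see the before/after verification result, or source the file and call `install_ca_cert my_ca.pem /etc/ssl/certs` for a real certificate. Pick the directory from what `which_libssl /usr/local/bin/curl` (or whichever binary is failing) reports: a libssl under /lib or /usr/lib is the base-system OpenSSL reading /etc/ssl, one under /usr/local/lib is the ports build with its own CApath. `openssl s_client` accepts `-CApath` too, which is a quick way to confirm the directory before relying on the default. Newer OpenSSL ships `openssl rehash` (older releases the `c_rehash` script) to create the hashed symlinks for a whole directory at once; the loop above does the same for one file and additionally refuses to overwrite a different certificate that happens to share the hash.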