Date: Wed, 6 Apr 2011 00:11:50 +0300
From: Dmytro Pryanyshnikov <lynx.ripe@gmail.com>
To: István <leccine@gmail.com>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com>
In-Reply-To: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
Hello!

On Fri, Apr 1, 2011 at 5:33 PM, István <leccine@gmail.com> wrote:
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> openssl s_client -connect 72.21.203.148:443 </dev/null | ...

Hmm, IMHO quite a simple question (it's all about OpenSSL application config) has caused such a big and not-so-relevant discussion (about the OS as a whole) ;)

Actually, as I can see, just installing the ca_root_nss port (even with ETCSYMLINK=on, "Add symlink to /etc/ssl/cert.pem") isn't enough for feeding the installed .crt file to the 'openssl s_client' command:

dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
Verify return code: 20 (unable to get local issuer certificate)
dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
Verify return code: 0 (ok)

So it looks like the /etc/ssl/cert.pem link just isn't "magic enough" to be used by the 'openssl s_client' command by default (without the -CAfile command line argument). Alas, both openssl(1) and s_client(1) lack a FILES section, so it's unclear whether a default value for -CAfile can be specified in some configuration file. Moreover, openssl(1) refers to config(5), but 'man 5 config' describes the FreeBSD kernel config, not OpenSSL's.

But yes, installing the security/ca_root_nss port _and_ specifying '-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your problem.

-- 
Sincerely,
Dmytro
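The behaviour Dmytro describes (verify return code 20 until the CA bundle is named explicitly with -CAfile) can be reproduced offline. The script below is an added example, not code from the thread or from the ca_root_nss port: it builds a throwaway root CA and a server certificate signed by it (all names such as "Example Test Root" and "server.example" are constructed), runs 'openssl verify' once against OpenSSL's default store and once with -CAfile pointing at the test root, and extracts the numeric verify code from the output. The helpers pick_ca_bundle and check_remote are assumed names that reuse the s_client check from the message with the FreeBSD bundle paths the thread mentions; check_remote is only run when a HOST:PORT argument is supplied, since it needs network access.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce "Verify return code: 20"
# offline with a throwaway CA, and show that naming the right CA bundle with
# -CAfile is what turns it into code 0.  Requires only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI (assumed names): a private root CA and one server
# certificate signed by it.  A config file is used so the root carries
# basicConstraints CA:TRUE on every OpenSSL version.
make_test_pki() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/CN=server.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_chain CERT [CAFILE]: run 'openssl verify' against the default store,
# or against CAFILE when given, and print OpenSSL's numeric verify code:
# 0 for OK, otherwise the "error N at ... depth lookup" number
# (20 = unable to get local issuer certificate, as in the thread).
verify_chain() {
    cert=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) && { echo 0; return 0; }
    else
        out=$(openssl verify "$cert" 2>&1) && { echo 0; return 0; }
    fi
    # A failing command inside an && list does not trip 'set -e', so we get here
    # with the diagnostic text in $out and can pull the error number out of it.
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# pick_ca_bundle FILE...: print the first readable candidate bundle, if any.
pick_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# check_remote HOST:PORT CAFILE: the s_client check from the thread with the
# bundle passed explicitly; prints the "Verify return code:" line.
check_remote() {
    openssl s_client -CAfile "$2" -connect "$1" 2>/dev/null </dev/null \
        | grep -E '^[[:space:]]*Verify return code:'
}

make_test_pki
echo "without -CAfile: verify code $(verify_chain "$WORK/server.pem")"
echo "with    -CAfile: verify code $(verify_chain "$WORK/server.pem" "$WORK/ca.pem")"

# Optional: pass HOST:PORT to also check a live endpoint, using the bundle the
# system provides (the ca_root_nss file or the /etc/ssl/cert.pem symlink).
if [ "$#" -ge 1 ]; then
    BUNDLE=$(pick_ca_bundle /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem) \
        || { echo "no CA bundle found; install security/ca_root_nss" >&2; exit 1; }
    check_remote "$1" "$BUNDLE"
fi
```

Run it with no arguments to see code 20 followed by code 0 for the same certificate; the only difference between the two runs is which trust store OpenSSL was told to consult, which is exactly why the /etc/ssl/cert.pem symlink alone does not help a tool that never looks there. Passing a HOST:PORT repeats the thread's live check with whichever bundle is present on the system.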
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w>