Date:      Wed, 6 Apr 2011 00:11:50 +0300
From:      Dmytro Pryanyshnikov <lynx.ripe@gmail.com>
To:        István <leccine@gmail.com>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: SSL is broken on FreeBSD
Message-ID:  <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com>
In-Reply-To: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
References:  <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>

Hello!

On Fri, Apr 1, 2011 at 5:33 PM, István <leccine@gmail.com> wrote:
> Could somebody explain to me how it is possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> openssl s_client -connect 72.21.203.148:443 </dev/null | ...

  Hmm, IMHO a quite simple question (it's all about OpenSSL application
config) has caused such a big and not-so-relevant discussion (about the OS
as a whole) ;) Actually, as I can see, just installing the ca_root_nss
port (even with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem")
isn't enough to feed the installed .crt file to the 'openssl s_client'
command:

dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null </dev/null | egrep '^[[:space:]]*Verify return code:'
    Verify return code: 20 (unable to get local issuer certificate)

dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null </dev/null | egrep '^[[:space:]]*Verify return code:'
    Verify return code: 0 (ok)

So it looks like the /etc/ssl/cert.pem link just isn't "magic enough" to
be used by the 'openssl s_client' command by default (without the -CAfile
command line argument). Alas, both openssl(1) and s_client(1) lack a
FILES section, so it's unclear whether a default value for -CAfile can be
specified in some configuration file. Moreover, openssl(1) refers to
config(5), but 'man 5 config' tells about the FreeBSD kernel config,
not OpenSSL's one.

  But yes, installing security/ca_root_nss port _and_ specifying
'-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your
problem.



-- 
Sincerely, Dmytro
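The open question in this message is where OpenSSL looks for a CA bundle when no -CAfile is given, and why a verification that fails with return code 20 succeeds once the bundle is named explicitly. The script below is an added example, not part of the thread or of any FreeBSD port; it uses Python's ssl module (which asks the linked OpenSSL for its compiled-in defaults) to report the default CAfile/CApath and the SSL_CERT_FILE/SSL_CERT_DIR overrides, and it repeats the s_client-style check against a host with and without an explicit bundle. The host name, port and bundle path are command-line arguments and are assumptions of the example; the verification check needs network access, the location report does not.

```python
import os
import socket
import ssl
import sys


def default_verify_locations():
    """Report where this OpenSSL build looks for trust anchors when no
    -CAfile/-CApath is given, and whether those locations actually exist.

    Returned as a dict so a caller (or test) can inspect it rather than
    parse printed output."""
    paths = ssl.get_default_verify_paths()
    return {
        # Compile-time defaults: <OPENSSLDIR>/cert.pem and <OPENSSLDIR>/certs
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        # Environment variables that override those defaults at run time
        "openssl_cafile_env": paths.openssl_cafile_env,
        "openssl_capath_env": paths.openssl_capath_env,
        # What is in effect for this process (override if set, else default)
        "cafile": paths.cafile,
        "capath": paths.capath,
        # An empty cert.pem symlink target is the failure mode in the thread
        "cafile_exists": bool(paths.cafile) and os.path.isfile(paths.cafile),
        "capath_exists": bool(paths.capath) and os.path.isdir(paths.capath),
    }


def verify_peer(host, port=443, cafile=None, timeout=10.0):
    """Connect over TLS and report the verification outcome, the way
    'openssl s_client' does.  cafile=None trusts only the default locations
    (s_client without -CAfile); a path trusts only that bundle (-CAfile).

    Returns (ok, detail): the peer's commonName on success, otherwise the
    verification error text, e.g. 'unable to get local issuer certificate',
    which is the message behind verify return code 20."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + name check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, subject.get("commonName", "")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Usage: python check_ca.py [host [bundle.crt]]  (arguments are assumptions)
    for key, value in default_verify_locations().items():
        print(f"{key:20} {value}")
    if len(sys.argv) > 1:
        bundle = sys.argv[2] if len(sys.argv) > 2 else None
        ok, detail = verify_peer(sys.argv[1], cafile=bundle)
        print("Verify:", "ok" if ok else "FAILED", "-", detail)
```

Run it once with no bundle and once with a path such as the port's /usr/local/share/certs/ca-root-nss.crt: if the first run reports "unable to get local issuer certificate" and the second succeeds, the bundle is fine and the problem is only that the default location (or its symlink) does not point at it. Note that a host name, not an IP address, is needed for the hostname check to pass.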


