Date: Sun, 17 Apr 2005 16:43:30 +0100
From: Peter Wood <peter@alastria.net>
To: freebsd-questions@freebsd.org
Subject: System wide setting for OpenSSL CAfile / system certificates?
Message-ID: <42628422.8070302@alastria.net>
Good Afternoon,

I've spent the past three hours playing with openssl.cnf and surfing Google, and so far I've been unable to find an answer to this question. So I thought I'd ask here :).

The background is that I've finally got around to getting a wildcard SSL certificate for my personal server. All daemons are using this, and Firefox/IE/Thunderbird are all happy with the certificate and see it signed by ChainedSSL, signed by Equifax, and all is good.

However, when I use the FreeBSD server to connect to itself, in several programs I get asked to confirm the certificate. So I assumed this was because there was no central root certificate store. I installed security/ca-roots from ports, and that put the certs.pem file in /usr/local/share/certs and a symlink to it in /etc. However, as I found, this simply installs it.

Using openssl s_client I was able to run some tests. If I didn't provide a CAfile, I got the following:

  [nebula:~]# openssl s_client -connect localhost:imaps
  CONNECTED(00000003)
  depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
   0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
     i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
   1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
     i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
  ---

If I provided a CAfile, all was good and I got this:

  [nebula:~]# openssl s_client -connect localhost:imaps -CAfile /etc/ssl/cert.pem
  CONNECTED(00000003)
  depth=2 /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
  verify return:1
  depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
  verify return:1
  depth=0 /C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
  verify return:1
  ---
  Certificate chain
   0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
     i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
   1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
     i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
  ---

I have tried various settings in openssl.cnf, but I cannot get CAfile to be defaulted to anything. My basic question is: can I do this, and if so, how? I'm expecting once this works (maybe stupidly) for it to propagate down to applications that use the OpenSSL library, although for some programs (like Mutt) I'll be required to set a property to allow Mutt to trust the system certs (ssl_usesystemcerts).

I hope someone out there knows; I've been playing and running truss and all sorts for the past three hours trying to get this to work. Any advice would be greatly appreciated.

Cheers,

Pete.

-- 
Peter Wood BSc (Hons) :: <peter@alastria.net> :: Tel +44 7974 799440