From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 16:56:43 2011
From: Robert Simmons
To: freebsd-security
Cc: István
Date: Fri, 1 Apr 2011 12:33:30 -0400
Subject: Re: SSL is broken on FreeBSD

On Fri, Apr 1, 2011 at 10:33 AM, István wrote:
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss

OpenSSL works just fine for me. I am using it on an internal network with a CA that I created myself. That is the only CA that I want to trust, since all the servers that I'm using are signed by it and only it. I've manually added it to the CA lists here. That way, I can add a new server, create a cert for it, sign it, and profit immediately.

There are no CAs by default in FreeBSD because that's the way it should be. I would have had to remove all of them. As the FAQ for OpenSSL states:

"The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators."
(http://www.openssl.org/support/faq.html#USER16)

Now, you are also not satisfied with the CA bundle in the ports collection because it does not contain the CA that you need. I'm not sure which one it is that you need. But a good place to start is here:

http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

That contains a perl script for extracting the CA bundle from Mozilla's CVS. At first glance, it may frustrate you, because it may not be obvious where it connects to (that info is obscured). However, look at the following help file. It has all the connection details for Mozilla's cvsroot that you will need. Just substitute the "anonymous@cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the script.

https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS

If you are not satisfied with Mozilla's bundle, you can find Google Chrome's list here somewhere:

http://src.chromium.org/viewvc/chrome/

All of this may or may not solve your problem. You may need to build your own bundle and include the CAs that you want to trust.

Also, one last thing: You can catch more flies with honey than with vinegar.
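The approach Robert describes above (a private CA as the only trust anchor, with server certs signed by it) can be reproduced end to end with the OpenSSL command line. The script below is an added example and is not part of the original thread or of FreeBSD; it creates a private root CA, issues a server certificate from it, writes a trust bundle containing exactly that CA, and then shows that `openssl verify` accepts the server cert against that bundle and rejects it against an unrelated CA. The hostname `app.internal.example`, the directory layout under `$WORK`, and the function names are constructed for the example; only the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a trust bundle
# that holds only a private CA and check a server certificate against it.
# Everything is written under $WORK (a fresh temp dir unless overridden).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA in $WORK/<dir>: key + certificate.
# Arguments: directory name under $WORK, CA common name.
make_ca() {
    dir="$1"; cn="$2"
    mkdir -p "$WORK/$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" \
        -keyout "$WORK/$dir/ca.key" -out "$WORK/$dir/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate for hostname $1, signed by the CA in $WORK/ca.
issue_server_cert() {
    host="$1"
    mkdir -p "$WORK/$host"
    # Key + CSR for the server (constructed subject: just the hostname).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/$host/server.key" \
        -out "$WORK/$host/server.csr" >/dev/null 2>&1
    # subjectAltName so the cert is valid for the hostname it will serve.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host/san.cnf"
    # Sign the CSR with the private CA; -CAcreateserial keeps a serial file.
    openssl x509 -req -sha256 -days 90 \
        -in "$WORK/$host/server.csr" \
        -CA "$WORK/ca/ca.crt" -CAkey "$WORK/ca/ca.key" -CAcreateserial \
        -extfile "$WORK/$host/san.cnf" \
        -out "$WORK/$host/server.crt" >/dev/null 2>&1
}

# The trust bundle is a PEM file listing exactly the CAs we choose to trust.
# Here that is the single private CA; nothing else gets in.
build_bundle() {
    cat "$WORK/ca/ca.crt" > "$WORK/trusted-bundle.pem"
}

# Verify certificate $2 against bundle $1. Prints "ok" or "FAIL" so the
# result can be captured by callers; openssl's own output is suppressed.
verify_cert() {
    bundle="$1"; cert="$2"
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Demonstration: our CA, a server cert from it, and an unrelated CA.
make_ca ca "Example Internal Root CA"
issue_server_cert app.internal.example
build_bundle
make_ca other "Unrelated Root CA"

echo "server cert vs. own trust bundle: $(verify_cert "$WORK/trusted-bundle.pem" "$WORK/app.internal.example/server.crt")"
echo "server cert vs. unrelated CA:     $(verify_cert "$WORK/other/ca.crt" "$WORK/app.internal.example/server.crt")"
echo "artifacts in: $WORK"
```

The point of keeping the bundle to one CA is the one the reply makes: whoever can sign with a CA in the bundle can impersonate any server the client talks to, so the bundle should contain only the authorities you have a reason to trust. Applications that take a CA file (for example anything accepting a `-CAfile` or `cafile` option) can be pointed at `trusted-bundle.pem` directly, and an appended certificate is an explicit decision that can be reviewed in version control.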