From: Oliver Schonrock <oliver@schonrocks.com>
To: freebsd-questions@freebsd.org
Subject: Re: openssl: verify error:num=20:unable to get local issuer certificate
Date: Sun, 29 Nov 2015 17:23:33 +0000
Message-ID: <565B3495.40005@schonrocks.com>
In-Reply-To: <565B2ACD.4030509@schonrocks.com>

Just a little more info.

On 29/11/15 16:41, Oliver Schonrock wrote:
> 2. there is something wrong with the openssl installation on that
> 10.1 machine.

I installed openssl from ports to test:

pkg install openssl
/usr/local/bin/openssl s_client -connect api.textmarketer.co.uk:443 2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1

Works! So does that mean my openssl in the base system is messed up? (I also compared my /etc/ssl/openssl.cnf with the working 10.2 machine, and that's identical as well.)

Is it this upgrade below? Is there any way to validate openssl, or reinstall it in base?

> I did upgrade this machine from 10.0 to 10.1 using freebsd-update
> on October 16th 2015 (too late I know, could that be the issue?). I
> also installed the recent updates for ntpd vulnerabilities etc. I
> did reboot after those.
>
> Suspiciously, that problematic 10.1 machine was validating that
> exact cert path fine before the upgrade from 10.0. I know this
> because userland applications, like curl, are being used regularly
> to connect to that very site and I have logs to prove that it was
> working ...and now doesn't. I have put a workaround in place to get
> curl to connect untrusted, but that's not good, clearly. It also
> worries me what else is not working, or not secure?

-- 
Oliver Schönrock
Mobile : +44 7880 617 446
email : oliver@schonrocks.com
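As an added example (not part of the thread), a small POSIX sh helper that reads `openssl s_client` verification output, extracts the final verify return code, and names the certificate at the depth where the chain broke, so the base and ports binaries can be run against the same host with identical arguments and compared. The two sample outputs are constructed, and the intermediate CA name in them is a placeholder.

```shell
#!/bin/sh
# Constructed sample outputs (not real captures), modelled on the chain quoted
# in the thread. The intermediate CA name is a placeholder.
SAMPLE_FAILING='depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
depth=1 C = US, O = "thawte, Inc.", CN = placeholder intermediate CA
verify return:1
depth=0 CN = api.textmarketer.co.uk
verify return:1
---
    Verify return code: 20 (unable to get local issuer certificate)'

SAMPLE_OK='depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", CN = placeholder intermediate CA
verify return:1
depth=0 CN = api.textmarketer.co.uk
verify return:1
---
    Verify return code: 0 (ok)'

# Numeric code from the closing "Verify return code: N (...)" line: 0 means the
# chain reached a trusted root, 20 means an issuer was not found in the store.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p'
}

# Subject at the depth where verification first failed. For error 20 this is
# the certificate whose issuer must be present in the CA bundle the binary uses.
failing_subject() {
    printf '%s\n' "$1" | awk '/^depth=/ { subj = $0 } /^verify error:/ { print subj; exit }'
}

# Live check (needs network; not run by default). Extra arguments are passed to
# s_client, e.g. -CAfile /etc/ssl/cert.pem, so /usr/bin/openssl and
# /usr/local/bin/openssl can be tested with the same trust store.
check_host() {  # check_host <openssl-binary> <host> [s_client options...]
    bin=$1; host=$2; shift 2
    out=$("$bin" s_client -connect "$host:443" "$@" </dev/null 2>&1)
    code=$(verify_code "$out")
    echo "$bin (OPENSSLDIR: $("$bin" version -d)): verify return code $code"
    [ "$code" = 0 ] || echo "  no trusted issuer for: $(failing_subject "$out")"
}

echo "constructed failing run: code $(verify_code "$SAMPLE_FAILING")"
echo "  chain broke at: $(failing_subject "$SAMPLE_FAILING")"
echo "constructed ok run: code $(verify_code "$SAMPLE_OK")"
```

Running `check_host` once per binary against the same host, with and without an explicit `-CAfile`, shows whether the difference lies in the trust store each build reads or in the binary itself.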