From: "Frank J. Cameron" <cameron@ctc.com>
To: Dmytro Pryanyshnikov
Organization: Concurrent Technologies Corp.
Date: Tue, 05 Apr 2011 18:30:12 -0400
Cc: István, freebsd-security
Subject: Re: SSL is broken on FreeBSD

On Tue, 2011-04-05 at 17:11 -0400, Dmytro Pryanyshnikov wrote:
> Actually, as I can see, just installing the ca_root_nss
> port (even with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem")
> isn't enough for feeding installed .crt file to 'openssl s_client'
> command:
>
> dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
> Verify return code: 20 (unable to get local issuer certificate)
>
> dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
> Verify return code: 0 (ok)
>
> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
> be used by the "openssl s_client" command by default (without -CAfile
> command line argument).

http://curl.haxx.se/mail/archive-2003-07/0036.html

Unfortunately, the information about this is not in the current OpenSSL
documentation. You have to read the source code or see discussion about
it in the openssl-dev mailing list. There is a reference to the
X509_get_default_cert_file and X509_get_default_cert_file_env in the
obsolete ssleay.txt file in the OpenSSL document directory, but that is
about it.

The only references that I know to the SSL_CERT_FILE and SSL_CERT_DIR
environment variables (other than in the source code itself) are in the
old "SSLeay and SSLapps FAQ" which is not distributed with OpenSSL
(available at http://www2.psy.uq.edu.au/~ftp/Crypto/). See some
correspondence about these defaults in the openssl-dev mailing list in a
thread started by me in December 2002 (with a fix for the code by
Richard Levitte and Rich Salz):
"http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"

The default name for the ca cert bundle is defined in crypto/cryptlib.h,
as are the environment variables SSL_CERT_FILE and SSL_CERT_DIR.

http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"

http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
OPENSSLDIR=/usr/local/ssl

So, should the port be linking?:
/usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
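Added example, not part of this thread or of the ca_root_nss port: a small Python diagnostic that asks the linked OpenSSL for the same compiled-in defaults the message points at (X509_get_default_cert_file() and the SSL_CERT_FILE / SSL_CERT_DIR override variables, exposed by ssl.get_default_verify_paths()) and reports whether the bundle that s_client would consult without -CAfile is actually present, so a dangling /etc/ssl/cert.pem link or a wrong OPENSSLDIR shows up before a "Verify return code: 20". It assumes Python 3.7+ built against OpenSSL or LibreSSL; the environ argument is a hypothetical hook so the lookup can be checked with a constructed environment.

```python
"""Report where the linked OpenSSL looks for its default CA bundle."""
import os
import ssl
from dataclasses import dataclass


@dataclass
class CaLookup:
    cafile_env: str        # override variable name, SSL_CERT_FILE
    capath_env: str        # override variable name, SSL_CERT_DIR
    cafile: str            # compiled-in default, OPENSSLDIR "/cert.pem"
    capath: str            # compiled-in default, OPENSSLDIR "/certs"
    effective_cafile: str  # what a default SSL_CTX would really open
    effective_capath: str
    cafile_usable: bool    # False for a missing file or dangling symlink
    capath_usable: bool


def default_ca_lookup(environ=None) -> CaLookup:
    """Replicate the order OpenSSL applies when no -CAfile/-CApath is
    given: SSL_CERT_FILE / SSL_CERT_DIR win, otherwise the paths baked in
    at build time under OPENSSLDIR are used.  `environ` is a hypothetical
    parameter so a constructed environment can be passed instead of the
    real one."""
    env = os.environ if environ is None else environ
    # Wraps X509_get_default_cert_file_env(), X509_get_default_cert_file(),
    # X509_get_default_cert_dir_env() and X509_get_default_cert_dir().
    paths = ssl.get_default_verify_paths()
    cafile = env.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = env.get(paths.openssl_capath_env, paths.openssl_capath)
    return CaLookup(
        cafile_env=paths.openssl_cafile_env,
        capath_env=paths.openssl_capath_env,
        cafile=paths.openssl_cafile,
        capath=paths.openssl_capath,
        effective_cafile=cafile,
        effective_capath=capath,
        # isfile() follows symlinks, so a link pointing at nothing is
        # reported as unusable, exactly as the verifier would experience it.
        cafile_usable=os.path.isfile(cafile),
        capath_usable=os.path.isdir(capath),
    )


if __name__ == "__main__":
    info = default_ca_lookup()
    print(f"compiled-in cafile: {info.cafile}  (override: {info.cafile_env})")
    print(f"compiled-in capath: {info.capath}  (override: {info.capath_env})")
    print(f"effective cafile:   {info.effective_cafile}  usable={info.cafile_usable}")
    print(f"effective capath:   {info.effective_capath}  usable={info.capath_usable}")
```

If the effective cafile is reported as unusable, that is the state in which the default s_client run above fails while -CAfile succeeds; the compiled-in path tells you where the port's symlink would have to point.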