From owner-freebsd-ports@FreeBSD.ORG Mon May 3 18:04:20 2010
Message-ID: <4BDF1009.3020300@FreeBSD.org>
Date: Mon, 03 May 2010 20:03:53 +0200
From: Matthias Andree
To: freebsd-ports@freebsd.org
Cc: dinoex@FreeBSD.org
In-Reply-To: <20100501031649.GA1335@rwpc08>
Subject: Re: OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01.05.2010 05:16, John Marshall wrote:
> I just spent quite a while trying to figure out what broke SSL
> certificate verification in my irc client after taking some brave pills
> and updating ports on my notebook.
>
> It turns out that OpenSSL 1.0.0 hashes certificates differently to
> earlier versions. That meant that applications looking in my
> /usr/local/openssl/certs directory couldn't find hashes for CA
> certificates because the hash links had been created with OpenSSL 0.9.8.
>
> From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
>
> "Enhance the hash format used for certificate directory links. The new
> form uses the canonical encoding (meaning equivalent names will work
> even if they aren't identical) and uses SHA1 instead of MD5. This form
> is incompatible with the older format and as a result c_rehash should
> be used to rebuild symbolic links.
> [Steve Henson]"
>
> So, that's good to know but here's the really fun bit. Just running
> c_rehash won't fix it if you have openssl in the base system - because
> it picks up /usr/bin/openssl (old version, old hashes). The
> /usr/local/bin/c_rehash script relies on an environment variable to
> point it at anything other than the base openssl. So, if I set
> OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
> I get the "new" hashes and stuff works again.

(cc'ing Dirk who maintains the OpenSSL port - consider taking the patch
linked below)

I reported this - along with proposed fixes - to OpenSSL a couple of
days ago, however there does not seem to be a 1.0.0a yet.

(username and password "guest")

Report:

Deep link to patch:

HTH
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iEYEARECAAYFAkvfEAkACgkQvmGDOQUufZWnwQCgllN15Dzm2E5gQcTJOx4xlBvw
2+oAniPTLC32IBTBAAaC9+noMZHybGPQ
=U4UG
-----END PGP SIGNATURE-----
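The two hash forms that the quoted CHANGES entry contrasts, worked through as an added example. This is not code from the thread, from OpenSSL or from the FreeBSD port: it re-implements in Python the rules of OpenSSL's X509_NAME_hash_old() (MD5 over the DER-encoded Name, first four bytes read little-endian) and X509_NAME_hash() (SHA-1 over the canonical Name encoding produced by x509_name_canon(): no outer SEQUENCE, every string value re-tagged as UTF8String after trimming, whitespace collapsing and ASCII lowercasing). All function names, the link-name logic and the CA subjects are this example's own constructions; the sample names are made up and taken from no real certificate.

```python
"""Subject hashes for a certificate directory, modelled on OpenSSL 0.9.8's
X509_NAME_hash() (MD5 over the DER Name; -subject_hash_old in 1.0.0) and
1.0.0's X509_NAME_hash() (SHA-1 over the canonical encoding). Added example."""
import hashlib

PRINTABLE, UTF8 = 0x13, 0x0C               # ASN.1 string tags handled here
_ASCII_WS = frozenset(b" \t\n\x0b\x0c\r")  # C isspace() set, as asn1_string_canon() uses

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def _rdn_set(attrs):
    # DER SET OF: members sorted by their encodings (OpenSSL sorts the same way).
    return _der(0x31, b"".join(sorted(attrs)))

def name_der(rdns):
    """Full DER Name: SEQUENCE OF SET OF AttributeTypeAndValue (what 0.9.8 hashed)."""
    return _der(0x30, b"".join(
        _rdn_set(_der(0x30, _der_oid(oid) + _der(tag, val.encode("utf-8")))
                 for oid, val, tag in rdn) for rdn in rdns))

def _canon_value(val):
    """asn1_string_canon(): drop leading/trailing ASCII whitespace, collapse inner
    runs to one space, lowercase ASCII letters; high-bit bytes pass through."""
    out, pending_space = bytearray(), False
    for c in val.encode("utf-8"):
        if c in _ASCII_WS:
            pending_space = bool(out)      # leading run is dropped, inner run kept as one
        else:
            if pending_space:
                out.append(0x20)
                pending_space = False      # a trailing run is never flushed
            out.append(c + 0x20 if 0x41 <= c <= 0x5A else c)
    return bytes(out)

def name_canon(rdns):
    """x509_name_canon() encoding: the RDN SETs concatenated without the outer
    SEQUENCE, every value normalised and re-tagged as UTF8String."""
    return b"".join(
        _rdn_set(_der(0x30, _der_oid(oid) + _der(UTF8, _canon_value(val)))
                 for oid, val, _tag in rdn) for rdn in rdns)

def _hash4(digest):
    # OpenSSL reads the first four digest bytes as a little-endian integer.
    return "%08x" % int.from_bytes(digest[:4], "little")

def subject_hash_old(rdns):   # 0.9.8 `openssl x509 -hash`; 1.0.0 `-subject_hash_old`
    return _hash4(hashlib.md5(name_der(rdns)).digest())

def subject_hash(rdns):       # 1.0.0 `openssl x509 -hash` / `-subject_hash`
    return _hash4(hashlib.sha1(name_canon(rdns)).digest())

def link_names(certs, hash_fn):
    """c_rehash-style link names <hash>.<n>, n counting up when hashes collide."""
    seen, links = {}, {}
    for fname, rdns in certs:
        h = hash_fn(rdns)
        links[fname] = "%s.%d" % (h, seen.get(h, 0))
        seen[h] = seen.get(h, 0) + 1
    return links

def detect_scheme(existing_links, certs):
    """Which openssl built this certs directory?  'old' right after running
    c_rehash means the script picked up the base-system /usr/bin/openssl."""
    existing = set(existing_links)
    if existing == set(link_names(certs, subject_hash).values()):
        return "new"
    if existing == set(link_names(certs, subject_hash_old).values()):
        return "old"
    return "mixed"

# Constructed sample: one CA subject written two ways.  CA_B differs from CA_A
# only in string type, letter case and whitespace, i.e. an "equivalent but not
# identical" name in the sense of the CHANGES entry.
CA_A = [[("2.5.4.6", "US", PRINTABLE)],
        [("2.5.4.10", "Example Trust Services", PRINTABLE)],
        [("2.5.4.3", "Example Root CA", PRINTABLE)]]
CA_B = [[("2.5.4.6", "US", PRINTABLE)],
        [("2.5.4.10", "EXAMPLE   Trust Services", UTF8)],
        [("2.5.4.3", " example root ca ", UTF8)]]
OTHER = [[("2.5.4.3", "Unrelated Intermediate CA", PRINTABLE)]]

if __name__ == "__main__":
    for label, n in (("CA_A", CA_A), ("CA_B", CA_B)):
        print(label, "0.9.8:", subject_hash_old(n), "1.0.0:", subject_hash(n))
```

Run as a script it prints the same 1.0.0 hash for CA_A and CA_B but two different 0.9.8 hashes, which is why links made by one version are invisible to the other. On a real certificate, `openssl x509 -noout -subject_hash -in ca.pem` and `-subject_hash_old` from a 1.0.0 binary give the two values to compare against the link names in the certs directory; if the directory still shows old-form names after c_rehash, the script ran the base-system openssl and needs OPENSSL=/usr/local/bin/openssl set, as John describes.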