Date:      Wed, 06 Apr 2011 01:59:50 +0200
From:      Dan Lukes <dan@obluda.cz>
To:        "Frank J. Cameron" <cameron@ctc.com>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: SSL is broken on FreeBSD
Message-ID:  <4D9BACF6.4060205@obluda.cz>
In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com>
References:  <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>	<BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com> <1302042612.3271.100.camel@linux116.ctc.com>


On 04/06/11 00:30, Frank J. Cameron:
>        The default name for the ca cert bundle is defined in
>         crypto/cryptlib.h, as are the environment variables
>         SSL_CERT_FILE and SSL_CERT_DIR.

Maybe. But as far as I know those variables don't affect the s_client 
application.

> So, should the port be linking?:
> 	/usr/local/ssl/cert.pem ->  /usr/local/share/certs/ca-root-nss.crt

Even in the case that I'm wrong and there IS an "implicit -CApath", my 
answer to your question is "No".

1. Installing ca-root-nss.crt doesn't mean it's installed for use 
with openssl, so we should not affect openssl's behavior automatically.

2. Such a link will affect all users of the system. The decision "which CA is 
trustworthy" should remain a personal decision, not the system administrator's 
decision, by default. Installing ca-root-nss should not hit all 
users of the system automatically.

Dan
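Both the quoted note about SSL_CERT_FILE / SSL_CERT_DIR and the objection that a system-wide symlink changes trust for every user come down to which CA sources a program using OpenSSL's default verify paths actually loads. The following is an added example, not code from the thread or from FreeBSD: it reproduces that lookup order (environment variable overrides the compiled-in path; a missing path contributes nothing), reports whether the ca-root-nss bundle is the file that would be consulted, and models the per-user SSL_CERT_FILE override as the alternative to a symlink. The bundle and cert.pem paths are the ones quoted above; everything else is assumed.

```python
"""Audit which CA trust sources an OpenSSL default store would load.

Added example (not from the mailing-list thread). The compiled-in paths and
the environment variable names are taken from ssl.get_default_verify_paths(),
which exposes what the linked OpenSSL reports for them.
"""
import os
import ssl
from typing import Callable, Mapping

# Bundle path quoted in the thread; assumed to be where ca_root_nss installs it.
NSS_BUNDLE = "/usr/local/share/certs/ca-root-nss.crt"


def compiled_defaults(cafile: str, capath: str) -> ssl.DefaultVerifyPaths:
    """Model an OpenSSL build's compiled-in CA file/dir for what-if checks."""
    return ssl.DefaultVerifyPaths(None, None, "SSL_CERT_FILE", cafile,
                                  "SSL_CERT_DIR", capath)


def effective_trust_sources(defaults: ssl.DefaultVerifyPaths,
                            env: Mapping[str, str],
                            exists: Callable[[str], bool] = os.path.exists) -> dict:
    """Resolve the CA file and directory the default store would actually use.

    Mirrors the default-path lookup: a set environment variable replaces the
    compiled-in path; a path that does not exist yields no trust anchors (None).
    """
    cafile = env.get(defaults.openssl_cafile_env, defaults.openssl_cafile)
    capath = env.get(defaults.openssl_capath_env, defaults.openssl_capath)
    return {
        "cafile": cafile if exists(cafile) else None,
        "capath": capath if exists(capath) else None,
        "cafile_overridden": defaults.openssl_cafile_env in env,
        "capath_overridden": defaults.openssl_capath_env in env,
    }


def bundle_is_consulted(sources: dict, bundle: str,
                        canon: Callable[[str], str] = os.path.realpath) -> bool:
    """True if `bundle` is the effective CA file, directly or through a symlink."""
    cafile = sources["cafile"]
    return cafile is not None and canon(cafile) == canon(bundle)


if __name__ == "__main__":
    d = ssl.get_default_verify_paths()
    src = effective_trust_sources(d, os.environ)
    print(f"compiled-in CA file: {d.openssl_cafile} (override: {d.openssl_cafile_env})")
    print(f"compiled-in CA dir:  {d.openssl_capath} (override: {d.openssl_capath_env})")
    print(f"effective sources:   {src}")
    print(f"ca-root-nss consulted: {bundle_is_consulted(src, NSS_BUNDLE)}")
```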


