From: Dan Lukes <dan@obluda.cz>
Date: Wed, 06 Apr 2011 01:59:50 +0200
To: "Frank J. Cameron"
Cc: freebsd-security
Subject: Re: SSL is broken on FreeBSD
Message-ID: <4D9BACF6.4060205@obluda.cz>
In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com>

On 04/06/11 00:30, Frank J. Cameron:
> The default name for the ca cert bundle is defined in
> crypto/cryptlib.h, as are the environment variables
> SSL_CERT_FILE and SSL_CERT_DIR.

Maybe. But as far as I know those variables don't affect the s_client application.

> So, should the port be linking?:
> /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt

Even in the case that I'm not right and there IS an "implicit -CApath", my answer to your question is "No".

1. Installation of ca-root-nss.crt doesn't mean it's installed for use with openssl. So we should not affect the openssl behavior automatically.

2. Such a link will affect all users of the system. The decision "which CA is trustworthy" should remain a personal decision, not the system administrator's decision, by default. Installation of ca-root-nss should not hit all users of the system automatically.

Dan