Date: Mon, 30 Aug 2010 17:42:31 -0700
From: Carl Johnson <carlj@peak.org>
To: freebsd-questions@freebsd.org
Subject: Re: fetchmail ssl certificate verification problem in FreeBSD 8.1
Message-ID: <87vd6r7gug.fsf@oak.localnet>
In-Reply-To: <201008151938.o7FJc7vD001866@mist.nodomain> (Dan Strick's message of "Sun, 15 Aug 2010 12:38:07 -0700 (PDT)")
References: <201008151938.o7FJc7vD001866@mist.nodomain>
Dan Strick <mla_strick@att.net> writes:

> I just installed FreeBSD release 8.1 and rebuilt the fetchmail port.
> Now I get messages like these when I run fetchmail:
> --- snip ---
>
> I can get rid of the message by removing the ssl option from the user
> line but then fetchmail would not even try to use ssl. Why would the
> old fetchmail be better able to verify the server's ssl certificate?
> Has openssl changed? Where is the openssl certificate directory and why
> should the information needed to verify the server's certificate be
> found on my machine? Doesn't the openssl library contain something
> like a hardwired list of well known certificate authority systems?

You already got replies about using the sslcertfile option pointing to
/usr/local/share/certs/ca-root-nss.crt. The problem is that only fixes
fetchmail and must be duplicated for each application. I finally got
around to looking into how to integrate those certificates into the
openssl configuration for FreeBSD, and the following is what I came up
with.

The openssl configuration in /etc/ssl/openssl.cnf expects all
certificates and hashes to be in /etc/ssl/certs, so the certificate file
must be split into individual certificates there, and hashes generated.
The following steps will handle that. Some of these steps must be
performed as root, so all of them might as well be.

    cd /etc/ssl/certs                        # create if necessary
    split -p '^Certificate:' /usr/local/share/certs/ca-root-nss.crt cert
    rm certaa                                # just the file header
    for file in cert* ; do mv $file $file.pem ; done   # rename to certxx.pem
    perl /usr/src/crypto/openssl/tools/c_rehash .      # generate the hashes

The above steps are for a FreeBSD 8.1-RELEASE, so they might not work
exactly for other versions. This also assumes that you trust the
certificates in the ca_root_nss package, so you will have to decide that
for yourself.

I have seen several questions and problems about ssl certificates, so
hopefully others will find this useful.
-- Carl Johnson carlj@peak.org
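The splitting and rehashing steps above rely on the "Certificate:" text dumps that ca-root-nss.crt places before each PEM block and on the c_rehash perl script from the OpenSSL source tree. The following is an added example, not part of the original message or of FreeBSD, that does the same job from the PEM markers alone with awk, then builds the hash links with `openssl x509 -subject_hash`. Function names and the sample bundle are constructed for this example.

```shell
# Split a CA bundle into one PEM file per certificate, keyed on the
# BEGIN/END markers rather than on any text preamble. Prints the count.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ {
            n++
            out = sprintf("%s/cert%03d.pem", dir, n)
            inblk = 1
        }
        inblk { print > out }
        /^-----END CERTIFICATE-----$/ { inblk = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Create the <hash>.0 symlinks OpenSSL looks up in a CApath directory.
# Files that openssl cannot parse are skipped (and reported on stderr).
# Note: this writes only the .0 slot; c_rehash also numbers colliding
# subject hashes .1, .2, ... which this simplified version does not.
rehash_cert_dir() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || {
            echo "skipping unparsable $f" >&2
            continue
        }
        ln -sf "$(basename "$f")" "$dir/$h.0"
    done
}

# Constructed sample bundle: two placeholder blocks with the same
# "Certificate:" preamble layout as ca-root-nss.crt. The base64 bodies
# are dummies, so rehash_cert_dir will skip them if openssl is present.
write_sample_bundle() {
    printf 'Certificate:\n    Data:\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\nCertificate:\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n' > "$1"
}

demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/bundle.crt"
echo "certificates written: $(split_ca_bundle "$demo_dir/bundle.crt" "$demo_dir/certs")"
```

On a real system point the first function at /usr/local/share/certs/ca-root-nss.crt and an empty /etc/ssl/certs, then run rehash_cert_dir on that directory in place of the perl script.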