From owner-freebsd-questions@FreeBSD.ORG Tue Aug 31 00:42:39 2010
From: Carl Johnson <carlj@peak.org>
To: freebsd-questions@freebsd.org
Date: Mon, 30 Aug 2010 17:42:31 -0700
Subject: Re: fetchmail ssl certificate verification problem in FreeBSD 8.1
References: <201008151938.o7FJc7vD001866@mist.nodomain>
In-Reply-To: <201008151938.o7FJc7vD001866@mist.nodomain> (Dan Strick's message of "Sun, 15 Aug 2010 12:38:07 -0700 (PDT)")
Message-ID: <87vd6r7gug.fsf@oak.localnet>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix)
List-Id: User questions

Dan Strick writes:

> I just installed FreeBSD release 8.1 and rebuilt the fetchmail port.
> Now I get messages like these when I run fetchmail:
> --- snip ---
>
> I can get rid of the message by removing the ssl option from the user
> line but then fetchmail would not even try to use ssl. Why would the
> old fetchmail be better able to verify the server's ssl certificate?
> Has openssl changed? Where is the openssl certificate directory and why
> should the information needed to verify the server's certificate be
> found on my machine? Doesn't the openssl library contain something
> like a hardwired list of well known certificate authority systems?

You already got replies about using the sslcertfile option pointing to
/usr/local/share/certs/ca-root-nss.crt. The problem is that only fixes
fetchmail and must be duplicated for each application. I finally got
around to looking into how to integrate those certificates into the
openssl configuration for FreeBSD, and the following is what I came up
with.

The openssl configuration in /etc/ssl/openssl.cnf expects all
certificates and hashes to be in /etc/ssl/certs, so the certificate
file must be split into individual certificates there, and hashes
generated. The following steps will handle that. Some of these steps
must be performed as root, so all of them might as well be.

    mkdir -p /etc/ssl/certs && cd /etc/ssl/certs   # create the directory if necessary
    # BSD split(1): start a new file at every line beginning with "Certificate:"
    split -p '^Certificate:' /usr/local/share/certs/ca-root-nss.crt cert
    rm certaa                                        # just the file header
    for file in cert* ; do mv "$file" "$file.pem" ; done   # rename to certxx.pem
    perl /usr/src/crypto/openssl/tools/c_rehash .    # generate the hash symlinks

The above steps are for a FreeBSD 8.1-RELEASE, so they might not work
exactly for other versions. This also assumes that you trust the
certificates in the ca_root_nss package, so you will have to decide
that for yourself.
I have seen several questions and problems about ssl certificates, so
hopefully others will find this useful.

-- 
Carl Johnson carlj@peak.org
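The procedure above, written out as an added example that is not part of Carl's message: it splits a bundle on the PEM BEGIN/END markers rather than on the "Certificate:" text header (so it also works on bundles that carry no decoded text between blocks), rebuilds the hash links with "openssl rehash" where that subcommand exists and c_rehash otherwise, and lists the subject of every split certificate so the operator can review which CAs are being trusted system-wide. The function names, the cert%03d.pem naming scheme and the sample bundle are assumptions for this example; run it against the real ca-root-nss.crt and /etc/ssl/certs only after reviewing that list.

```shell
#!/bin/sh
# Added example, not the original poster's code: split a PEM CA bundle into
# one certificate per file and build the hash links OpenSSL's CApath lookup
# needs. Function names and file naming below are assumptions.
set -eu

# Split on the PEM BEGIN/END markers instead of the "Certificate:" text header
# that split -p keys on. Prints the number of certificates written.
split_ca_bundle() {
    bundle=$1
    dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert%03d.pem", dir, n); inblock = 1
        }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Generate the <subject_hash>.N symlinks that CApath lookups rely on.
# "openssl rehash" exists in OpenSSL 1.1 and later; older releases ship
# the c_rehash Perl script instead (on FreeBSD 8.1 it lives under
# /usr/src/crypto/openssl/tools/, as the message above shows).
rehash_certdir() {
    dir=$1
    if openssl list -commands 2>/dev/null | grep -qw rehash; then
        openssl rehash "$dir"
    else
        c_rehash "$dir"
    fi
}

# Print the subject of every split certificate: this is the list of CAs
# every OpenSSL-linked program on the host will trust after rehashing.
list_subjects() {
    for f in "$1"/cert*.pem; do
        openssl x509 -in "$f" -noout -subject
    done
}

# Write a constructed two-certificate bundle in the ca-root-nss.crt layout
# (comment lines and a decoded "Certificate:" text block precede each PEM
# block). The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
## Constructed sample bundle, not real certificates
Certificate:
    Data:
        Subject: CN=Placeholder Root A
-----BEGIN CERTIFICATE-----
QUFBQUFB
-----END CERTIFICATE-----
Certificate:
    Data:
        Subject: CN=Placeholder Root B
-----BEGIN CERTIFICATE-----
QkJCQkJC
-----END CERTIFICATE-----
EOF
}

# Stand-alone demonstration on the constructed bundle in a scratch directory.
tmp=$(mktemp -d)
write_sample_bundle "$tmp/bundle.crt"
count=$(split_ca_bundle "$tmp/bundle.crt" "$tmp/certs")
echo "wrote $count certificate files to $tmp/certs"
rm -rf "$tmp"
```

On a real system the sequence is split_ca_bundle /usr/local/share/certs/ca-root-nss.crt /etc/ssl/certs, then list_subjects /etc/ssl/certs to review the result, then rehash_certdir /etc/ssl/certs; the placeholder bundle in the demonstration is only for exercising the splitter, since openssl will reject its bodies.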