Date: Wed, 6 Apr 2011 01:45:37 -0400 From: jhell <jhell@DataIX.net> To: Dan Lukes <dan@obluda.cz> Cc: freebsd-security <freebsd-security@freebsd.org> Subject: Re: SSL is broken on FreeBSD Message-ID: <20110406054537.GA2332@DataIX.net> In-Reply-To: <4D9BBB6A.9020200@obluda.cz> References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com> <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com> <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> <4D9BBB6A.9020200@obluda.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Wed, Apr 06, 2011 at 03:01:30AM +0200, Dan Lukes wrote: > On 6.4.2011 2:15, Chuck Swiger: > >>2. Such link will affect all users of system. Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default > >There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for it's intended role. > > I has been network administrator in bank. Be sure that "instalation > of a data pack" is very different task that "change security related > behavior of program that may/will affect all users". > > In the environment you mentioned, e.g. company taking security > questions seriously, the skilled administrator (and/or security > officer) will evaluate the situation and will create the link that > affect all users, if apropriate. > > It will not be interested in blind "automagic" change. > > As I said before. Instalation of CA bundle SHOULD NOT affect all > users automatically. The "pkg_add" don't know who install such pack > nor why such pack is installed for so it can't decide the answer. > This is a lost cause, Just to add another .02 bringing the total to somewhere in the 100's. If you truss the command above before and after creating so said links in /usr/local/etc/ssl and in /etc/ssl youll see that there is no default CAfile or CApath searched for. s_client(1) The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers [...] Maybe there should be an emphasis on ``diagnostic'' Security is not something that should compromised by a default configuration but something that should be taught by example for the end-user if they so require it. So with that in mind it might not be such a bad idea to add a "SSL The FreeBSD way." chapter to the handbook that would assist in a security researchers final decision to implement the correct changes they are looking for. Food for thought. -- Regards, J. Hellenthal JJH48-ARIN 0x89D8547E [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJNm/4BAAoJEJBXh4mJ2FR+DCgH/1p3y3kXZYjEhaQqMIOZuQ/k Kgx4xk9lmAxOPOYjagSo//tW+QGG1AIwy0e5rRheuT9vKXTlqAXaX1fBnG3YvjgP rsqNIvIHjPOmKz2+oTZIOCJ4tGa8Wf/L4Gpyr5PIyObrhfkxxEF1yBNboZmxYbGu xKrm9SzW3RQJY7tKDLTW3hCudSdJ7huyx17SA4DyxUmCeUIJ0jiBLXuFPsa4F4Y6 mRN00GL2jqspOHnEBXZ2gRT6rlBtR+x6DsfMXg5iW91alxtGMX3xD6feTvaCILKH zlZradZa5QxdYolmnUEzRvDOjFyVKHUTawBBp0OGzuhxjlfiAkTLAT9dsX/7SS4= =zKhM -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110406054537.GA2332>