Date: Wed, 6 Apr 2011 01:45:37 -0400
From: jhell
To: Dan Lukes
Cc: freebsd-security
Subject: Re: SSL is broken on FreeBSD
Message-ID: <20110406054537.GA2332@DataIX.net>
In-Reply-To: <4D9BBB6A.9020200@obluda.cz>

On Wed, Apr 06, 2011 at 03:01:30AM +0200, Dan Lukes wrote:
> On 6.4.2011 2:15, Chuck Swiger:
> >> 2. Such a link will affect all users of the system. The decision "what CA is trustful" should remain a personal decision, not the system administrator's decision, by default.
> > There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for its intended role.
>
> I have been a network administrator in a bank. Be sure that "installation
> of a data pack" is a very different task from "change security related
> behavior of a program that may/will affect all users".
>
> In the environment you mentioned, e.g. a company taking security
> questions seriously, the skilled administrator (and/or security
> officer) will evaluate the situation and will create the link that
> affects all users, if appropriate.
>
> They will not be interested in a blind "automagic" change.
>
> As I said before: installation of a CA bundle SHOULD NOT affect all
> users automatically. "pkg_add" doesn't know who installs such a pack,
> nor why such a pack is installed, so it can't decide the answer.

This is a lost cause. Just to add another .02, bringing the total to somewhere in the 100's:

If you truss the command above before and after creating said links in /usr/local/etc/ssl and in /etc/ssl, you'll see that there is no default CAfile or CApath searched for.

s_client(1)
    The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers [...]

Maybe there should be an emphasis on ``diagnostic''.

Security is not something that should be compromised by a default configuration but something that should be taught by example for the end-user if they so require it. So with that in mind it might not be such a bad idea to add an "SSL The FreeBSD way." chapter to the handbook that would assist in a security researcher's final decision to implement the correct changes they are looking for.

Food for thought.

--
Regards,
J. Hellenthal
JJH48-ARIN 0x89D8547E
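As an added illustration, not from this thread or any of its posters, of what it means for CA trust to be decided explicitly per invocation rather than by a system-wide link: a throwaway CA and a leaf certificate signed by it are constructed in a temporary directory, and openssl verify only succeeds once that bundle is handed over with -CAfile, because the constructed CA sits in no default location. It assumes the openssl(1) binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1) is on PATH.
# All key material below is constructed, short-lived test data.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed private CA (self-signed) with a one-day lifetime.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Constructed leaf certificate: CSR, then signed by the test CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_default: rely on whatever default CApath/CAfile openssl has.
# Our constructed CA is not there, so the chain cannot be built.
# Prints "ok" or "fail".
verify_default() {
    if openssl verify "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# verify_explicit: hand openssl the bundle this user chooses to trust,
# on the command line, exactly as a per-user -CAfile setting would.
verify_explicit() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "default trust store: $(verify_default)"    # -> fail
echo "explicit -CAfile:    $(verify_explicit)"   # -> ok
```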