Date: Wed, 07 Sep 2011 01:04:38 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: ports-list freebsd <freebsd-ports@freebsd.org>
Cc: Doug Barton <dougb@FreeBSD.org>
Subject: HEADS UP: ca_root_nss seems to trip up OpenSSL on FreeBSD 7.3
Message-ID: <4E66A706.2060004@FreeBSD.org>
Greetings,

apparently the new /etc/ssl/cert.pem file installed by security/ca_root_nss trips up the OpenSSL 0.9.8e in the 7.3-RELEASE base system. I haven't tested 7.4, 8.1 or 8.2; 8-STABLE is unaffected by the problem.

The symptom is that some certificate chains that validate properly on OpenSSL under FreeBSD 8-STABLE fail to validate on 7.3. OpenSSL claims that the root certificate wasn't trusted.

Manually editing the cert.pem file to reorder the Entrust certificates up front in reverse order helps, according to Doug's findings, but chances are that this breaks recognition of other root certificates in exchange. This is also extremely hard to test because we can't possibly find enough sites to cover all 150+ trust anchors that the ca_root_nss port provides.

Doug and I have been trying to debug this earlier today, to no avail yet. The current suspicion is "bug in OpenSSL when reading certificate bundles, and that bug got fixed between 0.9.8e and 0.9.8q (possibly 0.9.8n)" -- note though that the order of certificates in a bundle file is not supposed to make any difference.

If someone has any insights, that will be much appreciated.

(Doug, feel free to polish this text and re-post if it turned out to be incomprehensible. ;-))

Best regards,
Matthias
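A small diagnostic for the bundle-order question raised in the mail, added here as an example and not part of the message or of the ca_root_nss port: it splits a bundle like /etc/ssl/cert.pem into single anchors, rebuilds a bundle in a chosen order, and reports whether a leaf verifies against the whole bundle versus against individual anchors. It assumes a POSIX shell with awk and an openssl binary on PATH; the placeholder bundle at the end is constructed and contains no real certificates.

```shell
#!/bin/sh
# Added diagnostic, not from the original mail. Splits a PEM bundle such as
# /etc/ssl/cert.pem into one file per certificate, rebuilds a bundle in a chosen
# order, and checks whether "openssl verify" rejects a leaf against the whole
# bundle while accepting it against single anchors (an order-dependent failure).

# split_bundle BUNDLE OUTDIR: writes OUTDIR/cert-NNN.pem, prints the count.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# build_bundle OUT FILE...: concatenate certificates in the given order, e.g.
# the Entrust anchors first and the rest after them (the manual edit from the mail).
build_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# check_anchors LEAF BUNDLE SPLITDIR [INTERMEDIATES]: verify LEAF against the
# whole bundle, then against each single anchor, and report the accepting ones.
# "bundle: FAILED" plus at least one accepting single anchor means bundle
# handling, not the chain itself, is what breaks validation.
check_anchors() {
    leaf=$1; bundle=$2; dir=$3; untrusted=${4:+-untrusted $4}
    if openssl verify -CAfile "$bundle" $untrusted "$leaf" >/dev/null 2>&1; then
        echo "bundle: OK"
    else
        echo "bundle: FAILED"
    fi
    for f in "$dir"/cert-*.pem; do
        if openssl verify -CAfile "$f" $untrusted "$leaf" >/dev/null 2>&1; then
            echo "accepted by $f: $(openssl x509 -noout -subject -in "$f")"
        fi
    done
}

# Constructed placeholder bundle (not real certificates) for exercising the
# split and rebuild steps offline; run check_anchors against a real bundle.
demo_bundle() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EtT05F' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'Q0EtVFdP' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'Q0EtVEhSRUU=' '-----END CERTIFICATE-----'
}
```

On a real system: `split_bundle /etc/ssl/cert.pem /tmp/anchors`, then `check_anchors leaf.pem /etc/ssl/cert.pem /tmp/anchors intermediates.pem` for a chain that fails on 7.3, and compare the output with the same run on 8-STABLE.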