From owner-freebsd-ports@FreeBSD.ORG Tue Sep 6 23:04:39 2011
Delivered-To: freebsd-ports@freebsd.org
Received: from apollo.emma.line.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by hub.freebsd.org (Postfix) with ESMTP id 8AC58106564A; Tue, 6 Sep 2011 23:04:39 +0000 (UTC) (envelope-from mandree@FreeBSD.org)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by apollo.emma.line.org (Postfix) with ESMTP id 6F76C23CE28; Wed, 7 Sep 2011 01:04:38 +0200 (CEST)
Message-ID: <4E66A706.2060004@FreeBSD.org>
Date: Wed, 07 Sep 2011 01:04:38 +0200
From: Matthias Andree
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Mnenhy/0.8.3 Thunderbird/3.1.13
MIME-Version: 1.0
To: ports-list freebsd
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: Doug Barton
Subject: HEADS UP: ca_root_nss seems to trip up OpenSSL on FreeBSD 7.3
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Tue, 06 Sep 2011 23:04:39 -0000

Greetings,

apparently the new /etc/ssl/cert.pem file installed by security/ca_root_nss trips up the OpenSSL 0.9.8e in the 7.3-RELEASE base system. I haven't tested 7.4, 8.1 or 8.2; 8-STABLE is unaffected by the problem.

The symptom is that some certificate chains that validate properly on OpenSSL under FreeBSD 8-STABLE fail to validate on 7.3. OpenSSL claims that the root certificate isn't trusted. Manually editing the cert.pem file to move the Entrust certificates up front in reverse order helps, according to Doug's findings, but chances are that this breaks recognition of other root certificates in exchange. This is also extremely hard to test because we can't possibly find enough sites to cover all 150+ trust anchors that the ca_root_nss port provides.

Doug and I were trying to debug this earlier today, to no avail yet. The current suspicion is "bug in OpenSSL when reading certificate bundles, and that bug got fixed between 0.9.8e and 0.9.8q (possibly 0.9.8n)" -- note though that the order of certificates in a bundle file is not supposed to make any difference.

If someone has any insights, that will be much appreciated.

(Doug, feel free to polish this text and re-post if it turned out to be incomprehensible. ;-))

Best regards,
Matthias
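The reordering experiment mentioned above (move certificates around in cert.pem and see whether OpenSSL's verdict changes) is tedious to do by hand on a 150+ anchor bundle. The following POSIX sh helpers are an added example for doing that A/B test systematically; they are not part of this message, of the ca_root_nss port, or of OpenSSL. The function names (split_bundle, reverse_bundle, cert_body_line, verify_against, compare_orders, write_sample_bundle) are this example's own. The sample bundle it writes is constructed placeholder text whose PEM bodies are not real certificates, so it only exercises the splitting and reordering offline; point compare_orders at a real chain file and a real bundle to run the actual check with the system openssl.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, the ca_root_nss port or
# OpenSSL. Helpers for checking whether the order of trust anchors in a PEM
# bundle changes OpenSSL's verification verdict. Needs only POSIX sh and awk;
# openssl is required just for verify_against and compare_orders.

# Split a PEM bundle ($1) into $2/cert-NNN.pem, one certificate per file,
# skipping any descriptive text between certificates. Prints the count.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            file = sprintf("%s/cert-%03d.pem", dir, n)
            inside = 1
        }
        inside { print > file }
        /-----END CERTIFICATE-----/ { inside = 0; close(file) }
        END { print n + 0 }
    ' "$bundle"
}

# Write a copy of bundle $1 to $2 with the certificates in reverse order,
# i.e. the manual reordering experiment described in the thread, automated.
reverse_bundle() {
    bundle=$1
    out=$2
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/split.XXXXXX")
    split_bundle "$bundle" "$tmp" >/dev/null
    : > "$out"
    ls "$tmp"/cert-*.pem | sort -r | while read -r f; do
        cat "$f" >> "$out"
    done
    rm -rf "$tmp"
}

# Print the first body line of certificate number $2 in bundle $1, handy for
# checking which anchor ended up where after reordering.
cert_body_line() {
    bundle=$1
    idx=$2
    awk -v want="$idx" '
        /-----BEGIN CERTIFICATE-----/ { n++; grab = (n == want); next }
        grab { print; exit }
    ' "$bundle"
}

# Verify chain file $1 against bundle $2 with the system openssl.
# Exit status is openssl's: 0 means the chain validated.
verify_against() {
    openssl verify -CAfile "$2" "$1"
}

# Run the same verification against the bundle as shipped and against a
# reversed copy; a differing verdict means order matters for this openssl.
compare_orders() {
    chain=$1
    bundle=$2
    rev=$(mktemp "${TMPDIR:-/tmp}/rev.XXXXXX")
    reverse_bundle "$bundle" "$rev"
    echo "original order:"; verify_against "$chain" "$bundle" || true
    echo "reversed order:"; verify_against "$chain" "$rev" || true
    rm -f "$rev"
}

# Constructed sample bundle: the PEM bodies are placeholders, not real
# certificates, so openssl cannot parse them; it exists only to exercise the
# splitting and reordering helpers offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# Constructed Root A (placeholder, not a real certificate)
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTA
-----END CERTIFICATE-----
# Constructed Root B (placeholder, not a real certificate)
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTB
-----END CERTIFICATE-----
EOF
}
```

Usage on a real system would be `compare_orders server-chain.pem /etc/ssl/cert.pem`; if only one of the two runs reports the chain as valid, that openssl build is sensitive to anchor order, and splitting the bundle with split_bundle lets you bisect which anchor (or which position) triggers it. The splitter deliberately drops the descriptive text between certificates so that only PEM blocks end up in the reordered copy.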