From: "Frank J. Cameron"
To: Dan Lukes
In-Reply-To: <4D9BACF6.4060205@obluda.cz>
References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz>
Organization: Concurrent Technologies Corp.
Date: Wed, 06 Apr 2011 09:25:18 -0400
Message-Id: <1302096318.3271.114.camel@linux116.ctc.com>
Cc: freebsd-security
Subject: Re: SSL is broken on FreeBSD

On Tue, 2011-04-05 at 19:59 -0400, Dan Lukes wrote:
> > So, should the port be linking?:
> > /usr/local/ssl/cert.pem
> -> /usr/local/share/certs/ca-root-nss.crt
>
> Even in the case I'm not true and there IS "implicit -CApath" then my
> answer to your question is "No".
>
> 1. Installation of ca-root-nss.crt doesn't mean it's installed for use
> with openssl. So we should not affect the openssl behavior
> automatically.

It was my assumption that the port build was offering to create the
link (Dmytro Pryanyshnikov: 'ETCSYMLINK=on "Add symlink to
/etc/ssl/cert.pem"') and I assume that the default would be no
(though that would be up to the port maintainer I suppose).