From: "Frank J. Cameron"
To: jhell
Date: Wed, 06 Apr 2011 09:33:26 -0400
Cc: freebsd-security
Subject: Re: SSL is broken on FreeBSD

On Wed, 2011-04-06 at 01:45 -0400, jhell wrote:
> If you truss the command above before and after creating so said links
> in /usr/local/etc/ssl and in /etc/ssl you'll see that there is no
> default CAfile or CApath searched for.

Interesting, thanks. I don't have a FreeBSD box around at present so
my guess was just from starting with s_client.c and reading through to
the Makefile.

> s_client(1)
> The s_client command implements a generic SSL/TLS client which
> connects to a remote host using SSL/TLS. It is a very useful
> diagnostic tool for SSL servers
> [...]
> Maybe there should be an emphasis on ``diagnostic''

Agreed. From openssl(1):
"s_client ... It's intended for testing purposes only..."