Date: Wed, 6 Apr 2011 09:43:33 -0500
From: Scot Hetzel <swhetzel@gmail.com>
To: "Frank J. Cameron" <cameron@ctc.com>
Cc: freebsd-security <freebsd-security@freebsd.org>, Dmytro Pryanyshnikov <lynx.ripe@gmail.com>, István <leccine@gmail.com>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <BANLkTin+M6tMWeS9DefMnMijFycja4WcAA@mail.gmail.com>
In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com> <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com> <1302042612.3271.100.camel@linux116.ctc.com>
On Tue, Apr 5, 2011 at 5:30 PM, Frank J. Cameron <cameron@ctc.com> wrote:
>> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
>> be used by the "openssl s_client" command by default (without -CAfile
>> command line argument).
>
> http://curl.haxx.se/mail/archive-2003-07/0036.html
>
> Unfortunately, the information about this is not in the current
> OpenSSL documentation. You have to read the source code or
> see discussion about it in the openssl-dev mailing list.
> There is a reference to the X509_get_default_cert_file and
> X509_get_default_cert_file_env in the obsolete ssleay.txt file in
> the OpenSSL document directory, but that is about it. The only
> references that I know to the SSL_CERT_FILE and SSL_CERT_DIR
> environment variables (other than in the source code itself) are
> in the old "SSLeay and SSLapps FAQ" which is not distributed with
> OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/).
> See some correspondence about these defaults in the openssl-dev
> mailing list in a thread started by me in December 2002
> (with a fix for the code by Richard Levitte and Rich Salz):
> "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"
>
> The default name for the ca cert bundle is defined in
> crypto/cryptlib.h, as are the environment variables
> SSL_CERT_FILE and SSL_CERT_DIR.
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
> #define X509_CERT_FILE OPENSSLDIR "/cert.pem"
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
> OPENSSLDIR=/usr/local/ssl
>

FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL
as part of a buildworld; instead we use our own custom Makefiles in
secure/lib/libcrypto.
The only place where OPENSSLDIR is defined is in
secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h

http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-amd64.h?revision=194207&view=markup

#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#define ENGINESDIR "/usr/lib/engines"
#define OPENSSLDIR "/etc/ssl"
#endif
#endif

> So, should the port be linking?:
> /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
>

The port is creating the correct link for the base install of openssl.

Scot
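[Editor's added example, not part of this message or of FreeBSD's or OpenSSL's own code.] The thread above turns on one fact: with no -CAfile/-CApath on the command line, the openssl tool only consults OPENSSLDIR/cert.pem (X509_CERT_FILE) and the hashed directory OPENSSLDIR/certs, or whatever SSL_CERT_FILE / SSL_CERT_DIR name when those are set, so a cert.pem that lives anywhere else is never read. The POSIX shell script below demonstrates that with a constructed test CA and leaf certificate: it prints the compiled-in OPENSSLDIR via "openssl version -d", then verifies the leaf three ways with no -CAfile, first against the default store (expected to fail, since the test CA is not in it), then with SSL_CERT_FILE pointing at the CA file, then with SSL_CERT_DIR pointing at a c_rehash-style directory. It assumes OpenSSL 1.1.1 or newer on PATH; the helper names (openssl_dir, make_chain, verify_ok), the config file, the subject names and all key material are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Shows how the openssl CLI picks its
# trust anchors when no -CAfile/-CApath is given: OPENSSLDIR/cert.pem and
# OPENSSLDIR/certs, overridden by SSL_CERT_FILE / SSL_CERT_DIR if set.
# Assumes OpenSSL 1.1.1+ on PATH. All certificates below are constructed
# test data created on the fly; nothing is real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OPENSSLDIR as compiled into this build: the prefix of X509_CERT_FILE.
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Build a throwaway CA and a leaf certificate signed by it (constructed data).
make_chain() {
    openssl req -x509 -new -config "$WORK/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$WORK/req.cnf" \
        -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    # Hashed directory of the form SSL_CERT_DIR expects (what c_rehash produces):
    # <subject-hash>.0 -> the CA certificate.
    mkdir -p "$WORK/certs"
    cp "$WORK/ca.pem" "$WORK/certs/$(openssl x509 -hash -noout -in "$WORK/ca.pem").0"
}

# Verify the leaf with no -CAfile/-CApath, so only the default lookups apply.
# Arguments are VAR=value assignments for the openssl process (may be empty).
# Succeeds only if openssl reports "<file>: OK".
verify_ok() {
    env "$@" openssl verify "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

make_chain
echo "OPENSSLDIR for this openssl: $(openssl_dir)"

# 1. Default store: the test CA is not in OPENSSLDIR/cert.pem, so this must fail.
if verify_ok; then
    echo "unexpected: the default store trusted the test CA"
else
    echo "default store: leaf NOT trusted (expected)"
fi
# 2. SSL_CERT_FILE redirects the file lookup (X509_CERT_FILE) to our CA bundle.
verify_ok SSL_CERT_FILE="$WORK/ca.pem" && echo "SSL_CERT_FILE: leaf trusted"
# 3. SSL_CERT_DIR redirects the hashed-directory lookup to our certs/ directory.
verify_ok SSL_CERT_DIR="$WORK/certs" && echo "SSL_CERT_DIR: leaf trusted"
```

The same three lookups apply to "openssl s_client" without -CAfile, which is why the symlink has to be at the path "openssl version -d" reports (plus /cert.pem), and why setting SSL_CERT_FILE is the quick way to confirm that a verification failure is a trust-store location problem rather than a bad chain. Note that these environment variables are ignored in setuid/setgid processes, so they are a diagnostic, not a deployment fix.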
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTin%2BM6tMWeS9DefMnMijFycja4WcAA>
