From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:08:14 2011
Date: Wed, 6 Apr 2011 09:43:33 -0500
From: Scot Hetzel
To: "Frank J. Cameron"
Cc: freebsd-security, Dmytro Pryanyshnikov, István
Subject: Re: SSL is broken on FreeBSD
In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com>
List-Id: "Security issues [members-only posting]"

On Tue, Apr 5, 2011 at 5:30 PM, Frank J. Cameron wrote:
>> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
>> be used by the "openssl s_client" command by default (without -CAfile
>> command line argument).
>
> http://curl.haxx.se/mail/archive-2003-07/0036.html
>         Unfortunately, the information about this is not in the current
>         OpenSSL documentation. You have to read the source code or
>         see discussion about it in the openssl-dev mailing list.
>         There is a reference to the X509_get_default_cert_file and
>         X509_get_default_cert_file_env in the obsolete ssleay.txt file in
>         the OpenSSL document directory, but that is about it. The only
>         references that I know to the SSL_CERT_FILE and SSL_CERT_DIR
>         environment variables (other than in the source code itself) are
>         in the old "SSLeay and SSLapps FAQ" which is not distributed with
>         OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/).
>         See some correspondence about these defaults in the openssl-dev
>         mailing list in a thread started by me in December 2002
>         (with a fix for the code by Richard Levitte and Rich Salz):
>         "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"
>
>         The default name for the ca cert bundle is defined in
>         crypto/cryptlib.h, as are the environment variables
>         SSL_CERT_FILE and SSL_CERT_DIR.
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
>         #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
>         OPENSSLDIR=/usr/local/ssl
>

FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL as
part of a buildworld; instead, we use our own custom Makefiles in
secure/lib/libcrypto.

The only place where OPENSSLDIR is defined is in
secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h

http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-amd64.h?revision=194207&view=markup

#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#define ENGINESDIR "/usr/lib/engines"
#define OPENSSLDIR "/etc/ssl"
#endif
#endif

> So, should the port be linking?:
> /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
>

The port is creating the correct link for the base install of openssl.

Scot
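As an added diagnostic (not code from this thread, from OpenSSL or from FreeBSD), the script below reports which CA bundle the local libcrypto trusts by default: the compiled-in OPENSSLDIR "/cert.pem" as exposed by Python's ssl.get_default_verify_paths(), whether SSL_CERT_FILE / SSL_CERT_DIR override it (the lookup order quoted above from cryptlib.h), and whether the resulting cert.pem is a symlink that actually contains certificates. SAMPLE_BUNDLE and the paths in the comments are constructed placeholders.

```python
import os
import ssl
from typing import Dict, NamedTuple

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# Constructed stand-in for a CA bundle: two placeholder blocks, not real certificates.
SAMPLE_BUNDLE = "".join(f"{PEM_BEGIN}\nPLACEHOLDER-CA-{n}\n-----END CERTIFICATE-----\n"
                        for n in (1, 2))

class CaLocation(NamedTuple):
    cafile: str
    capath: str
    cafile_source: str  # "SSL_CERT_FILE" or "OPENSSLDIR"
    capath_source: str  # "SSL_CERT_DIR" or "OPENSSLDIR"

def resolve_ca_locations(openssldir: str, env: Dict[str, str]) -> CaLocation:
    """cryptlib.h order: SSL_CERT_FILE/SSL_CERT_DIR win, else OPENSSLDIR/cert.pem and /certs."""
    file_override = env.get("SSL_CERT_FILE")
    dir_override = env.get("SSL_CERT_DIR")
    return CaLocation(
        file_override or os.path.join(openssldir, "cert.pem"),
        dir_override or os.path.join(openssldir, "certs"),
        "SSL_CERT_FILE" if file_override else "OPENSSLDIR",
        "SSL_CERT_DIR" if dir_override else "OPENSSLDIR",
    )

def count_pem_certs(pem_text: str) -> int:
    """An empty bundle fails verification as silently as a missing one, so count its certs."""
    return pem_text.count(PEM_BEGIN)

def compiled_in_defaults() -> ssl.DefaultVerifyPaths:
    """X509_get_default_cert_file() and friends as this libcrypto was built (OPENSSLDIR/cert.pem)."""
    return ssl.get_default_verify_paths()

def main() -> None:
    defaults = compiled_in_defaults()
    openssldir = os.path.dirname(defaults.openssl_cafile)  # the value `openssl version -d` prints
    loc = resolve_ca_locations(openssldir, dict(os.environ))
    print(f"OPENSSLDIR: {openssldir}")
    print(f"CA file   : {loc.cafile} (from {loc.cafile_source}); CA dir: {loc.capath}")
    if os.path.islink(loc.cafile):  # e.g. /etc/ssl/cert.pem -> .../ca-root-nss.crt
        print(f"  link -> {os.readlink(loc.cafile)}")
    if os.path.isfile(loc.cafile):
        with open(loc.cafile, encoding="ascii", errors="replace") as fh:
            print(f"  certificates: {count_pem_certs(fh.read())}")
    else:
        print("  certificates: none (file missing or dangling link)")

if __name__ == "__main__":
    main()
```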