Date:      Wed, 6 Apr 2011 09:43:33 -0500
From:      Scot Hetzel <swhetzel@gmail.com>
To:        "Frank J. Cameron" <cameron@ctc.com>
Cc:        freebsd-security <freebsd-security@freebsd.org>, Dmytro Pryanyshnikov <lynx.ripe@gmail.com>, István <leccine@gmail.com>
Subject:   Re: SSL is broken on FreeBSD
Message-ID:  <BANLkTin+M6tMWeS9DefMnMijFycja4WcAA@mail.gmail.com>
In-Reply-To: <1302042612.3271.100.camel@linux116.ctc.com>
References:  <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com> <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com> <1302042612.3271.100.camel@linux116.ctc.com>

On Tue, Apr 5, 2011 at 5:30 PM, Frank J. Cameron <cameron@ctc.com> wrote:
>> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
>> be used by the "openssl s_client" command by default (without -CAfile
>> command line argument).
>
> http://curl.haxx.se/mail/archive-2003-07/0036.html
>         Unfortunately, the information about this is not in the current
>         OpenSSL documentation. You have to read the source code or
>         see discussion about it in the openssl-dev mailing list.
>         There is a reference to the X509_get_default_cert_file and
>         X509_get_default_cert_file_env in the obsolete ssleay.txt file
>         in the OpenSSL document directory, but that is about it. The only
>         references that I know to the SSL_CERT_FILE and SSL_CERT_DIR
>         environment variables (other than in the source code itself) are
>         in the old "SSLeay and SSLapps FAQ" which is not distributed with
>         OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/).
>         See some correspondence about these defaults in the openssl-dev
>         mailing list in a thread started by me in December 2002
>         (with a fix for the code by Richard Levitte and Rich Salz):
>         "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"
>
>         The default name for the ca cert bundle is defined in
>         crypto/cryptlib.h, as are the environment variables
>         SSL_CERT_FILE and SSL_CERT_DIR.
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
>         #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
>         OPENSSLDIR=/usr/local/ssl
>
FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL
as part of a buildworld, instead we use our own custom Makefiles in
secure/lib/libcrypto.  The only place where OPENSSLDIR is defined is
in secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h

http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-amd64.h?revision=194207&view=markup

#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#define ENGINESDIR "/usr/lib/engines"
#define OPENSSLDIR "/etc/ssl"
#endif
#endif

> So, should the port be linking?:
>        /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
>
The port is creating the correct link for the base install of openssl.

Scot
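The thread turns on where libcrypto looks for its CA bundle when nothing is passed on the command line: X509_CERT_FILE is OPENSSLDIR "/cert.pem", and the SSL_CERT_FILE / SSL_CERT_DIR environment variables override it. The script below is an added example, not code from this thread or from FreeBSD or OpenSSL. It uses Python's ssl module, which exposes X509_get_default_cert_file()/X509_get_default_cert_dir() and the two variable names directly, and SSL_CTX_set_default_verify_paths() through SSLContext.set_default_verify_paths(). The scratch OPENSSLDIR layout it builds is constructed for the demonstration and stands in for a real /etc/ssl; the file-existence check and the CA count it reports are the same conditions under which `openssl s_client` without -CAfile does or does not verify a peer.

```python
"""Where libcrypto looks for its default CA bundle, and what happens when
the cert.pem link discussed in the thread is missing.

Added example (not from the mailing list, FreeBSD or OpenSSL). Relies on the
Python ssl module being linked against libcrypto, as it normally is.
"""
import os
import ssl
import tempfile


def builtin_defaults():
    """(cafile_env, cafile, capath_env, capath) as compiled into libcrypto.

    cafile is OPENSSLDIR "/cert.pem" (X509_CERT_FILE) and capath is
    OPENSSLDIR "/certs"; the *_env entries are the variable names that
    override them at run time (SSL_CERT_FILE and SSL_CERT_DIR).
    """
    p = ssl.get_default_verify_paths()
    return (p.openssl_cafile_env, p.openssl_cafile,
            p.openssl_capath_env, p.openssl_capath)


def openssl_dir():
    """OPENSSLDIR the library was built with (what `openssl version -d` prints)."""
    return os.path.dirname(builtin_defaults()[1])


def resolve_cafile(environ, default_cafile, env_name="SSL_CERT_FILE"):
    """Mirror the by-file lookup in X509_STORE_set_default_paths(): the
    environment variable wins when set, otherwise the compiled-in default.

    Returns (path, usable). usable is False when nothing is at that path,
    which is the state in which s_client cannot verify without -CAfile.
    """
    path = environ.get(env_name, default_cafile)
    return path, os.path.isfile(path)


def ca_count_with(overrides):
    """Ask libcrypto itself: load the default verify paths under the given
    environment overrides and report how many CA certificates landed in the
    context's store. 0 means a client built this way trusts nothing.
    """
    saved = {k: os.environ.get(k) for k in overrides}
    os.environ.update(overrides)
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_default_verify_paths()  # SSL_CTX_set_default_verify_paths()
        return ctx.cert_store_stats()["x509_ca"]
    finally:
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v


def demo_missing_bundle():
    """Reproduce the failure mode in a scratch OPENSSLDIR (constructed here,
    not a real install): with no cert.pem the default resolves to a missing
    file and libcrypto's store comes up empty; once the bundle (or a link to
    it) exists, the same default becomes usable. Returns the observations.
    """
    with tempfile.TemporaryDirectory() as scratch:
        cafile = os.path.join(scratch, "cert.pem")
        capath = os.path.join(scratch, "certs")
        os.mkdir(capath)
        missing = resolve_cafile({}, cafile)
        empty_store = ca_count_with({"SSL_CERT_FILE": cafile,
                                     "SSL_CERT_DIR": capath})
        # "Install" the bundle. An empty placeholder stands in for the real
        # ca-root-nss.crt link; only presence is being demonstrated here.
        with open(cafile, "w") as f:
            f.write("")
        present = resolve_cafile({}, cafile)
        # An exported SSL_CERT_FILE is consulted instead of OPENSSLDIR/cert.pem,
        # even when it points nowhere (path is an assumed, nonexistent name).
        overridden = resolve_cafile({"SSL_CERT_FILE": "/nonexistent/other.pem"},
                                    cafile)
        return {"missing": missing, "empty_store": empty_store,
                "present": present, "overridden": overridden}


if __name__ == "__main__":
    env_f, cafile, env_d, capath = builtin_defaults()
    print("OPENSSLDIR    :", openssl_dir())
    print("%-14s: %s (exists=%s)" % (env_f, cafile, os.path.isfile(cafile)))
    print("%-14s: %s (exists=%s)" % (env_d, capath, os.path.isdir(capath)))
    print("CA certs loaded from default paths:", ca_count_with({}))
    print("scratch demo:", demo_missing_bundle())
```

Run it on the host in question: if the first two lines show OPENSSLDIR and a cert.pem path that does not exist, that is the condition the thread describes, and `openssl s_client -connect host:443` will only verify once either the link is created at that path or SSL_CERT_FILE (or -CAfile) points at the bundle. Because an exported SSL_CERT_FILE silently replaces the compiled-in default, a stale value in a service's environment produces the same empty-store failure on a host whose /etc/ssl/cert.pem is fine.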



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTin%2BM6tMWeS9DefMnMijFycja4WcAA>