Date: Sun, 4 Sep 2022 19:44:48 +0200
From: Christoph Moench-Tegeder <cmt@burggraben.net>
To: Axel Rau <Axel.Rau@chaos1.de>
Cc: FreeBSD-security@freebsd.org
Subject: Re: pkg 1.18.4 refuses local CAcert on 13.1-RELEASE-p2
Message-ID: <YxTkEO9sM%2BzpJmzK@elch.exwg.net>
In-Reply-To: <C5DE50D8-F4D7-4346-8E54-8C0E97B2CDD5@Chaos1.DE>
References: <C5DE50D8-F4D7-4346-8E54-8C0E97B2CDD5@Chaos1.DE>

## Axel Rau (Axel.Rau@Chaos1.DE):

> but openssl verify shows successful verification:
> - - -
> # openssl s_client -connect some_fqdn:443 -6 -verify_return_error | grep verify
> depth=1 some_internal_CA

Home-brewed CA? Sure that the extensions have been set correctly?
(Most commonly missed/wrong is the CA flag in Basic Constraints).
Standard openssl verification is not helpful, you'll need at least
"-strict -policy_check".
TL;DR: use Let's Encrypt.

Regards,
Christoph

-- 
Spare Space
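
Added example, not part of the e-mail above: shell helpers that read a CA certificate's extensions and report the problems the reply points at (Basic Constraints missing, CA flag not TRUE, not critical, Key Usage without Certificate Sign). The helper names, subjects and the two throwaway certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example; helper names, subjects and files are constructed for the demo.

# ca_ext_problems FILE: print one line per problem in the extensions a CA
# certificate needs; prints nothing when they look right.
ca_ext_problems() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable certificate"; return 0; }
    bc=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' || true)
    if [ -z "$bc" ]; then
        echo "Basic Constraints extension missing"
    else
        case $bc in *CA:TRUE*) ;; *) echo "CA flag not set to TRUE" ;; esac
        case $bc in *critical*) ;; *) echo "Basic Constraints not critical" ;; esac
    fi
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' || true)
    case $ku in ""|*"Certificate Sign"*) ;;
        *) echo "Key Usage lacks Certificate Sign" ;; esac
}

# make_demo_ca DIR NAME SECTION: create a throwaway self-signed certificate
# whose extensions come from SECTION (ca_true or ca_false).
make_demo_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed demo CA $2
[ca_true]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca_false]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/$2.cnf" -extensions "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir" good ca_true
make_demo_ca "$demo_dir" bad ca_false
for name in good bad; do
    echo "== $name.pem"
    ca_ext_problems "$demo_dir/$name.pem"
done
```

Once the extensions look right, `openssl verify -x509_strict -policy_check -CAfile ca.pem server.pem` repeats the chain check with strict X.509 and policy checking enabled; `ca.pem` and `server.pem` are placeholder file names.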