From: matt donovan
To: István
Cc: freebsd-security
Date: Fri, 1 Apr 2011 11:14:06 -0400
Subject: Re: SSL is broken on FreeBSD

Sounds like your openssl is broken; it works just fine for me, gets gmail certificate.

On Apr 1, 2011 11:01 AM, "István" wrote:
> Hi folks,
>
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22
>
> About 1,490 results (0.14 seconds)
>
> openssl s_client -connect 72.21.203.148:443 CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -subject -dates
>
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> DONE
> subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
> notBefore=Oct 8 00:00:00 2010 GMT
> notAfter=Oct 7 23:59:59 2013 GMT
>
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is
> like shipping a car without wheels, I suppose.
>
> Is there a reason to do this?
>
> How much effort would be to ship a complete SSL stack, including the root
> CAs, just like any other vendor/community does?
>
> Thanks.
>
> I.
>
> --
> the sun shines for all
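
The error in the quoted output, reproduced offline as an added example that is not part of the original thread: OpenSSL reports error 20 whenever the issuer of a certificate is absent from the trust store it was given, and verification succeeds once that issuer is supplied. The CA name, host name and helper function names are constructed for the demonstration; `openssl s_client` accepts the same `-CAfile` option used here with `openssl verify`.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" offline.
# The CA and host names below are constructed for this demonstration.

make_chain() {
    # $1 = work dir. Creates a self-signed root (ca.pem) and a leaf it signs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

verify_without_ca() {
    # No trust anchors at all, like an OpenSSL install with an empty CA store.
    openssl verify -no-CAfile -no-CApath "$1/leaf.pem" 2>&1
}

verify_with_ca() {
    # Same certificate, but the issuing root is passed as the trust anchor.
    openssl verify -no-CApath -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1
}

# Stand-alone demo: show both outcomes side by side.
d=$(mktemp -d) && make_chain "$d" && {
    echo "--- no trust anchors ---"
    verify_without_ca "$d" || true
    echo "--- issuing CA supplied with -CAfile ---"
    verify_with_ca "$d" || true
}
rm -rf "$d"
```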