From: Jerry
To: freebsd-ports@freebsd.org
Date: Wed, 7 Sep 2011 06:18:24 -0400
Subject: Re: HEADS UP: ca_root_nss seems to trip up OpenSSL on FreeBSD 7.3
Message-ID: <20110907061824.4ff5c4cd@seibercom.net>
In-Reply-To: <4E66A706.2060004@FreeBSD.org>
Organization: seibercom.net
X-Mailer: Claws Mail 3.7.10 (GTK+ 2.24.6; amd64-portbld-freebsd8.2)
List-Id: Porting software to FreeBSD
On Wed, 07 Sep 2011 01:04:38 +0200 Matthias Andree articulated:

> Greetings,
>
> apparently the new /etc/ssl/cert.pem file installed by security/ca_root_nss
> trips up the OpenSSL 0.9.8e in the 7.3-RELEASE base system. I haven't tested
> 7.4, 8.1 or 8.2; 8-STABLE is unaffected by the problem.
>
> The symptom is that some certificate chains that validate properly on OpenSSL
> under FreeBSD 8-STABLE fail to validate on 7.3. OpenSSL claims that the root
> certificate wasn't trusted.
>
> Manually editing the cert.pem file to reorder Entrust certificates up front in
> reverse order helps according to Doug's findings, but chances are that this
> breaks recognition of other root certificates in exchange.
>
> This is also extremely hard to test because we can't possibly find enough
> sites to cover for all 150+ trust anchors that the ca_root_nss port provides.
>
> Doug and I have been trying to debug this earlier today, to no avail yet. The
> current suspicion is "bug in OpenSSL when reading certificate bundles, and
> that bug got fixed between 0.9.8e and 0.9.8q (possibly 0.9.8n)" -- note though
> that the order of certificates in a bundle file is not supposed to make any
> difference.
>
> If someone has any insights, that will be much appreciated.
>
> (Doug feel free to polish this text and re-post if it turned out to be
> incomprehensible. ;-))

The base system's version of "openssl" is old. Using the ports version, "OpenSSL 1.0.0d 8 Feb 2011", is in my opinion the proper way to correct this problem. Why the base system's version has not been updated to reflect the current version is something that I would love to ask; however, the usual members of the peanut gallery would only spew the usual company propaganda, "bla bla bla" and "bla bla bla", and I am not really in the mood to listen to it. Seriously, update to the current "port" version and the problem is solved.
There used to be several programs that were not compatible with the "ports" version a few years ago; however, I believe I vetted those out and was instrumental in getting them corrected. In any case, this is an easy "fix".

-- 
Jerry ✌
jerry+ports@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
The bigger the theory the better.
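The thread's open question is whether a chain that fails on 7.3 fails because its root is genuinely absent from cert.pem or because the base 0.9.8e mishandles the bundle in a way that depends on certificate order. The script below is an added example, not code from the thread or from the ca_root_nss port: it verifies a chain against the bundle as shipped and against the same bundle with its certificate blocks reversed, so a verdict that flips between the two orders points at the bundle-reading bug rather than at an untrusted root. The paths /usr/bin/openssl (base), /usr/local/bin/openssl (ports) and /etc/ssl/cert.pem are assumptions, not stated in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: does an openssl binary's chain
# verification depend on the order of roots in the bundle (the 0.9.8e
# symptom)? Assumed paths: /usr/bin/openssl (base), /usr/local/bin/openssl
# (ports), /etc/ssl/cert.pem (bundle); override BUNDLE in the environment.
BUNDLE=${BUNDLE:-/etc/ssl/cert.pem}

# Print the N-th (1-based) PEM certificate block of a bundle; the plain
# text between blocks (subject/hash lines) is dropped.
pem_block() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }' "$1"
}

# Number of PEM certificate blocks in a bundle (0 when there are none).
pem_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# Write the bundle's certificate blocks in reverse order to stdout.
reverse_bundle() {
    i=$(pem_count "$1")
    while [ "$i" -ge 1 ]; do
        pem_block "$1" "$i"
        i=$((i - 1))
    done
}

# verify_with BIN CAFILE CHAIN: run "BIN verify" and report ok/FAIL.
verify_with() {
    if "$1" verify -CAfile "$2" "$3" >/dev/null 2>&1; then
        echo "$1 ($2): ok"
    else
        echo "$1 ($2): FAIL"; return 1
    fi
}

# check_order_sensitivity CHAIN [BIN]: verify CHAIN against the bundle as
# shipped and reversed. Returns 0 if both orders agree, 1 if they differ,
# which points at the bundle-reading bug rather than at an untrusted root.
check_order_sensitivity() {
    chain=$1; bin=${2:-/usr/bin/openssl}
    rev=$(mktemp) || return 2
    reverse_bundle "$BUNDLE" > "$rev"
    a=0; b=0
    verify_with "$bin" "$BUNDLE" "$chain" || a=1
    verify_with "$bin" "$rev" "$chain" || b=1
    rm -f "$rev"
    [ "$a" -eq "$b" ]
}
```

Run `check_order_sensitivity chain.pem /usr/bin/openssl` and again with `/usr/local/bin/openssl`: a base binary whose verdict flips while the ports binary agrees with itself in both orders reproduces the reported symptom.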