From: Greg Larkin <glarkin@FreeBSD.org>
Organization: The FreeBSD Project
Date: Thu, 10 Jan 2013 14:06:58 -0500
To: Paul Kraus
Cc: freebsd-questions@freebsd.org
Subject: Re: OpenSSL Certificate issue
Message-ID: <50EF1152.3010205@FreeBSD.org>

On 1/10/13 1:38 PM, Paul Kraus wrote:
>> On 1/10/13 12:49 PM, Paul Kraus wrote:
>>> On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote:
>>>
>>>> It looks like you don't have the Gmail certificate installed locally, unless I'm mistaken.
>>>
>>> I do not need to have the Google cert installed as long as I have the Root Cert that signed it installed, and I do have that cert. The fact that I can point to the certificate file itself and the test connection works fine shows that I have the correct cert file. I agree that it is probably NOT installed correctly, but ...
>>>
>>>> Check the instructions here, and let us know if that fixes the problem for you:
>>>> http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/
>>>
>>> These instructions appear to be for Linux and not FreeBSD and there are configuration and path differences, which is probably the core of my problem. I expect that I have not installed the root certs into the correct directory (but they are in the directory that c_rehash is working in).
>>
>> My guess is that you're using the c_rehash supplied with OpenSSL 1.x (installed as a port?) to hash the certs and then the OpenSSL 0.9.x binary from the base system to connect to the Gmail POP server.
>>
>> Give your s_client command another try with the fully specified path to the OpenSSL 1.x binary to see if that corrects the verification error.
>
> That appears to be the problem, using /usr/local/bin/openssl works, but I still need to know where the base system needs to have the certs placed (and how to hash them as the only c_rehash script is the one that came with the port of openssl)? There are a number of utilities (most important here is fetchmail) which are using the base openssl libraries.
>
> NOTE: I did not explicitly install the openssl port, it must have been brought in as a dependency by another port.

I put the certs for my test in /etc/ssl/certs when using the base system openssl and in /usr/local/openssl/certs when using the openssl port.

c_rehash uses a specific openssl binary when invoked like so:

    env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs

You can set the OPENSSL and SSL_CERT_DIR environment variables permanently, and that would ensure everything is consistent going forward, even if the openssl port is present.

Regards,
Greg

-- 
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/ - Follow you, follow me
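The mismatch Greg diagnoses comes from OpenSSL 1.0 changing the subject-name hash that names the `HASH.N` symlinks in a `-CApath` directory, so links written by one generation's `c_rehash` are invisible to the other. The script below is an added example, not code from this thread or from FreeBSD: it writes both hash names for every certificate (the current hash from `-subject_hash`, the 0.9.x-style hash from `-subject_hash_old`) and checks the result with `openssl verify`. It assumes an `openssl` binary on PATH and builds a constructed throwaway CA in a temp directory.

```shell
#!/bin/sh
# Added example: a version-agnostic stand-in for c_rehash plus a verify check.
# Assumes "openssl" is on PATH; pass a different binary to verify_with to test
# the base-system and port installs against the same directory.
set -eu

# Link every PEM cert under both hash names so 0.9.x and 1.x+ lookups succeed.
rehash_both() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        new=$(openssl x509 -in "$cert" -noout -subject_hash)      # 1.0+ name
        old=$(openssl x509 -in "$cert" -noout -subject_hash_old)  # 0.9.x name
        for h in "$new" "$old"; do
            n=0
            while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done  # c_rehash-style suffix
            ln -s "$(basename "$cert")" "$dir/$h.$n"
        done
    done
}

# Verify CERT against the hashed directory using a chosen openssl binary.
# Exit status is openssl's own: 0 on "OK", non-zero on a lookup/verify failure.
verify_with() {
    bin=$1; capath=$2; cert=$3
    "$bin" verify -CApath "$capath" "$cert" >/dev/null 2>&1
}

# Constructed self-signed root CA (test data only), written as DIR/ca.pem.
make_ca() {
    dir=$1; subj=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Stand-alone demonstration: lookup fails before hashing and succeeds after.
demo() {
    work=$(mktemp -d)
    make_ca "$work" "/CN=Constructed Test Root CA"
    if verify_with openssl "$work" "$work/ca.pem"; then
        echo "unexpected: verified before hashing"; return 1
    fi
    rehash_both "$work"
    verify_with openssl "$work" "$work/ca.pem" && echo "verified via $work"
}
```

Running `demo` shows the same directory failing, then passing, purely on the presence of the hash links; run `verify_with /usr/bin/openssl ...` and `verify_with /usr/local/bin/openssl ...` to confirm both installs agree.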