Date: Fri, 1 Apr 2011 12:33:30 -0400
From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-security <freebsd-security@freebsd.org>
Cc: István <leccine@gmail.com>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <AANLkTimBcxTGj_Fx-s3=k6eGn3DPihHSgQEOidtjQ%2BwN@mail.gmail.com>
In-Reply-To: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
On Fri, Apr 1, 2011 at 10:33 AM, István <leccine@gmail.com> wrote:
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss

OpenSSL works just fine for me. I am using it on an internal network with a CA that I created myself. That is the only CA that I want to trust, since all the servers that I'm using are signed by it and only it. I've manually added it to the CA lists here. That way, I can add a new server, create a cert for it, sign it, and profit immediately.

There are no CAs by default in FreeBSD because that's the way it should be. I would have had to remove all of them. As the FAQ for OpenSSL states:

"The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators."
(http://www.openssl.org/support/faq.html#USER16)

Now, you are also not satisfied with the CA bundle in the ports collection because it does not contain the CA that you need. I'm not sure which one it is that you need. But a good place to start is here:

http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

That contains a perl script for extracting the CA bundle from Mozilla's CVS. At first glance, it may frustrate you, because it may not be obvious where it connects to (that info is obscured). However, look at the following help file. It has all the connection details for mozilla's cvsroot that you will need. Just substitute "anonymous@cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the script.

https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS

If you are not satisfied with Mozilla's bundle, you can find Google Chrome's list here somewhere:

http://src.chromium.org/viewvc/chrome/

All of this may or may not solve your problem. You may need to build your own bundle and include the CAs that you want to trust.

Also, one last thing: You can catch more flies with honey than with vinegar.