Date: Tue, 10 Mar 2015 14:23:38 +0000
From: krad <kraduk@gmail.com>
To: Florian Heigl <florian.heigl@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Adding a root CA cert on FreeBSD10
Message-ID: <CALfReycU4x25jCaReGgFUnLyQmt48KRJE=iL7XnkyEbg5_iraA@mail.gmail.com>
In-Reply-To: <86A77076-E8E3-45F9-B07D-3E47EE120B6E@gmail.com>
References: <CAFivhP=n1J64DMfgYF8wq7+3+rA_Lfd-cgWRSXTozf0QTmRTaQ@mail.gmail.com> <CALfReydY9yYT9srfM_mKHtMoNuRLrBGK2bewxuLG8T8RvYCcDQ@mail.gmail.com> <86A77076-E8E3-45F9-B07D-3E47EE120B6E@gmail.com>
Anything under local suggests you have installed openssl from ports. You will have to use the one your application is linked to. Check with ldd.

On 9 Mar 2015 16:28, "Florian Heigl" <florian.heigl@gmail.com> wrote:
> Hi,
>
> thank you a lot!
>
> I'll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0
>
> Do you know / understand the preference between the different directories
> on FreeBSD?
> I very much like using /etc/ssl/certs but since we also have the
> /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really
> wonder what the "right" path would be.
>
> Anyone?
>
> Florian
>
>
> On 09.03.2015, at 15:12, krad <kraduk@gmail.com> wrote:
>
> I got mine working fine when I built a transparent SSL proxy. I had to put
> all the root certs into /etc/ssl/certs.
>
> The filenames had to be the hash of the cert though. This can be
> generated via the following command:
>
> openssl x509 -noout -hash -in <cert>
>
> eg
>
> # openssl x509 -noout -hash -in some_cert
> 0810bc98
> # mv some_cert /etc/ssl/certs/0810bc98.0
>
>
> On 8 March 2015 at 18:26, Florian Heigl <florian.heigl@gmail.com> wrote:
>
>> Hi,
>>
>> I'm trying to identify how and where to add a trusted root certificate in
>> FreeBSD10.
>>
>> Doing so used to be dead easy on FreeBSD until now: just drop them in
>> /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
>> This seems to be no longer true?
>>
>> I'm working with CACert or "private" CAs in many cases, so this is a
>> standard thing. Right now I'm pulling my hair out over how to make it work in
>> FreeBSD 10.
>>
>> What I want:
>> - openssl s_client -connect to work
>>
>> I'm aware different tools are using different methods, but i.e. curl on
>> many OSes is tamed to respect the openssl CAs so I figure once openssl is
>> happy it should be all good.
>> But OpenSSL ain't happy:
>>
>>
>> # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
>> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
>> Authority, emailAddress = support@cacert.org
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
>> Authority/emailAddress=support@cacert.org
>> Verify return code: 19 (self signed certificate in certificate chain)
>>
>> I've put the CACert certificates in the following places, to no avail:
>>
>> /etc/ssl/certs/cacert-class3.crt
>> /etc/ssl/certs/cacert-root.crt
>> /usr/local/etc/ssl/cacert-root.crt
>> /usr/local/etc/ssl/certs/cacert-root.crt
>> /usr/local/etc/ssl/certs/cacert-class3.crt
>> /usr/local/etc/ssl/cacert-class3.crt
>> /usr/local/etc/openssl/cacert-class3.crt
>> /usr/local/etc/openssl/cacert-root.crt
>> /usr/local/etc/openssl/certs/cacert-class3.crt
>> /usr/local/etc/openssl/certs/cacert-root.crt
>>
>> I've not tried to patch them into the OS-side CA bundles
>> like ca_root_nss-3.17.4_1. That would be utterly stupid since they would
>> be lost on update of the package.
>>
>> Is there any documentation regarding certs that is _working_ on FreeBSD10?
>> I'm so far still inclined to believe the error is on my side, but without
>> current documentation it's hard to tell.
>>
>>
>> Florian
>>
>>
>> (I hope we didn't inherit another shitty linux mechanism like hal,
>> update-ca-certs or resolvconf to break proven functionality.
>> If so, please let me know what it is and I'll gladly open a PR to name it
>> a regression.
>> Also, please excuse my lack of enthusiasm, but this has ruined much of my
>> day, meaning the coming week will also be ruined trying to catch up.)
>>
>>
>>
>> --
>> the purpose of libvirt is to provide an abstraction layer hiding all xen
>> features added since 2006 until they were finally understood and copied by
>> the kvm devs.
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
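The procedure the thread converges on (hash the subject, name the file hash.N in the directory the OpenSSL build actually reads, then verify), as an added shell example that is not from the thread or from FreeBSD; the function names and the constructed certificate paths are mine. It goes slightly beyond the thread by asking the binary for its OPENSSLDIR, skipping hash collisions and refusing non-CA certificates.

```sh
#!/bin/sh
# Added example (not from the thread): install a PEM CA certificate into the
# hashed CApath directory of the openssl binary in $PATH and prove the lookup.
set -eu

# CApath default of the openssl in $PATH: its compiled-in OPENSSLDIR plus
# /certs. Run this with the base and the ports binary to see that each build
# reads its own directory, which is why a cert in the other one is ignored.
default_capath() {
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: *"\(.*\)"$/\1/')
    printf '%s/certs\n' "$dir"
}

# Install one certificate: refuses leaf certificates, avoids hash collisions
# and is idempotent, so re-running a provisioning step adds no duplicates.
install_ca_cert() {
    cert=$1
    capath=${2:-$(default_capath)}

    # Only CA certificates belong in a trust store; a leaf cert dropped here
    # would itself become a trust anchor.
    if ! openssl x509 -noout -text -in "$cert" | grep -q 'CA:TRUE'; then
        echo "refusing $cert: basicConstraints CA:TRUE not set" >&2
        return 1
    fi

    # OpenSSL finds anchors by subject-name hash; distinct CAs can share a
    # hash, so the .0/.1/... suffix has to skip names already taken.
    subj_hash=$(openssl x509 -noout -hash -in "$cert")
    n=0
    while [ -e "$capath/$subj_hash.$n" ]; do
        if cmp -s "$capath/$subj_hash.$n" "$cert"; then
            echo "$cert is already installed as $capath/$subj_hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    install -m 0644 "$cert" "$capath/$subj_hash.$n"
    echo "installed $cert as $capath/$subj_hash.$n"
}

# Exit status is the verdict; pass the same -CApath to s_client to reproduce.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null
}

if [ $# -gt 0 ]; then
    install_ca_cert "$@"
fi
```

Invoke as `./install_ca_cert.sh my_ca.pem` to use the default directory of the openssl in $PATH, or give the directory as a second argument for a specific build.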