Date: Tue, 05 Apr 2011 18:30:12 -0400
From: "Frank J. Cameron" <cameron@ctc.com>
To: Dmytro Pryanyshnikov <lynx.ripe@gmail.com>
Cc: István <leccine@gmail.com>, freebsd-security <freebsd-security@freebsd.org>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <1302042612.3271.100.camel@linux116.ctc.com>
In-Reply-To: <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com> <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com>
On Tue, 2011-04-05 at 17:11 -0400, Dmytro Pryanyshnikov wrote:
> Actually, as I can see, just installing the ca_root_nss
> port (even with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem")
> isn't enough for feeding installed .crt file to 'openssl s_client'
> command:
>
> dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null <
> /dev/null |egrep '^[[:space:]]*Verify return code:'
> Verify return code: 20 (unable to get local issuer certificate)
>
> dmitry@lynx$ openssl s_client -CAfile
> /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443
> 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
> Verify return code: 0 (ok)
>
> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
> be used by the ''openssl s_client" command by default (without -CAfile
> command line argument).

http://curl.haxx.se/mail/archive-2003-07/0036.html

Unfortunately, the information about this is not in the current OpenSSL documentation. You have to read the source code or see discussion about it in the openssl-dev mailing list. There is a reference to the X509_get_default_cert_file and X509_get_default_cert_file_env in the obsolete ssleay.txt file in the OpenSSL document directory, but that is about it.

The only references that I know to the SSL_CERT_FILE and SSL_CERT_DIR environment variables (other than in the source code itself) are in the old "SSLeay and SSLapps FAQ" which is not distributed with OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/).

See some correspondence about these defaults in the openssl-dev mailing list in a thread started by me in December 2002 (with a fix for the code by Richard Levitte and Rich Salz): "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"

The default name for the ca cert bundle is defined in crypto/cryptlib.h, as are the environment variables SSL_CERT_FILE and SSL_CERT_DIR.
http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"

http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
OPENSSLDIR=/usr/local/ssl

So, should the port be linking?:
/usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
