Date: Fri, 01 Apr 2011 17:18:02 +0200
From: Dan Lukes <dan@obluda.cz>
To: István <leccine@gmail.com>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <4D95ECAA.20406@obluda.cz>
In-Reply-To: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA

No. A list of trusted CAs is a list of CAs that you trust. It is related to the policies of the particular CA, the law in the country where the CA operates, the overall reputation of such a CA - and your personal preferences and paranoia level. Only you personally can decide which CA is a "trustful CA" for you.

Of course, you can accept a list created by someone else if you wish - you mentioned security/ca_root_nss. But it's still your personal decision. Yes, someone else's list may not contain some CAs that you classified as trusted - and, worse, it may contain some CAs you don't consider trustworthy. It's your risk when adopting a list from an external source, and you should not adopt such a list blindly unless security is "unimportant" for you.

But back to your problem - FreeBSD contains NO list of trusted CAs and it SHOULD NOT contain one. The port security/ca_root_nss is NOT part of the operating system - if you want to change it you need to ask its author. Or use a list prepared by someone else. Or prepare your own list (it's the most secure way).

Dan
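To illustrate Dan's point that OpenSSL verification depends only on which CA list you hand it, here is an added example (not from this thread or from FreeBSD): it builds a constructed throwaway PKI with two independent private CAs and checks the same leaf certificate against each list and against no list at all. It assumes the openssl CLI (1.1.1 or newer) is installed; directory and CA names are made up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the openssl CLI.

# make_pki: create a constructed sample PKI in a temp dir and print its path:
# two self-signed private CAs ("trusted", "other") and one leaf certificate
# issued by "trusted". EC keys keep generation fast.
make_pki() {
    PKI=$(mktemp -d)
    for ca in trusted other; do
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout "$PKI/$ca.key" -out "$PKI/$ca.crt" \
            -subj "/CN=$ca private CA" -days 1 >/dev/null 2>&1
    done
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$PKI/leaf.key" -out "$PKI/leaf.csr" \
        -subj "/CN=example.test" >/dev/null 2>&1
    openssl x509 -req -in "$PKI/leaf.csr" -CA "$PKI/trusted.crt" \
        -CAkey "$PKI/trusted.key" -CAcreateserial \
        -out "$PKI/leaf.crt" -days 1 >/dev/null 2>&1
    echo "$PKI"
}

# verify_leaf <pki dir> <ca bundle>: exit 0 only if the leaf chains to a CA
# in the given bundle. -no-CAfile/-no-CApath switch off OpenSSL's compiled-in
# default locations, so the outcome depends solely on the list you pass,
# which is exactly the situation on a system that ships no trust store.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1/leaf.crt" \
        >/dev/null 2>&1
}

# verify_with_no_store <pki dir>: the same leaf with no CA list at all.
# This is what a bare OpenSSL install sees, and it always fails.
verify_with_no_store() {
    openssl verify -no-CAfile -no-CApath "$1/leaf.crt" >/dev/null 2>&1
}

# Demonstration run: only the list containing the issuing CA verifies.
demo() {
    d=$(make_pki)
    for list in trusted other; do
        if verify_leaf "$d" "$d/$list.crt"; then r=OK; else r=FAIL; fi
        echo "leaf against $list.crt: $r"
    done
    if verify_with_no_store "$d"; then echo "no store: OK"; else echo "no store: FAIL"; fi
    rm -rf "$d"
}
```

To use your own chosen list on a real host, pass that bundle (for instance the one installed by the security/ca_root_nss port, or one you assembled yourself) where the example passes trusted.crt.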
