Date: Mon, 10 Nov 2014 14:19:37 -0600
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-net@freebsd.org
Subject: SSL certificate check error ...
Message-ID: <54611DD9.2060107@shrew.net>
All,

I am seeing a problem with certificate checking on several stock FreeBSD 10.0-RELEASE-p12 hosts using the base openssl. The ca_root_nss-3.17.2 package is installed with the option to create the symlink in /etc/ssl enabled ...

# ls -la /etc/ssl
total 20
drwxr-xr-x 2 root wheel 512 Nov 10 13:25 .
drwxr-xr-x 21 root wheel 2048 Oct 28 23:45 ..
lrwxr-xr-x 1 root wheel 38 Nov 10 13:24 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
-rw-r--r-- 1 root wheel 10929 Jan 16 2014 openssl.cnf

When I try to run s_client as a test to www.google.com, I see "Verify return code: 20 (unable to get local issuer certificate)" ...

# openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3719 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9890FB78A01C235769387820574E847C0F76E80DBDC867D6EC5D4422B944E956
    Session-ID-ctx:
    Master-Key: 86B4E5CBDC553D8740C462194E9244870D2468C8A736097CD467EF7461EE0ACF3D96C581EF6F68AF62218B451BBA03D7
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    Start Time: 1415648696
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

... but when I explicitly specify the path to /etc/ssl/cert.pem, it works fine ...

# openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3719 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9DD76F7AC8D34085E2B230CA02B955D3A35482C5AD983CD43A0AF65EDDF0905B
    Session-ID-ctx:
    Master-Key: FCF5D6AB32816ABD660AB744386531308C3F3203BBB61EB8273A5783DDE92B04C87ADA3DB12C87092BB7BE21CFAD3CCA
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    Start Time: 1415648909
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

Also, if I run the commands under truss I see that the file /etc/ssl/cert.pem is not being opened when I do not specify the option on the command line ...

# truss openssl s_client -connect www.google.com:443
...
open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0 (0x0)
read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
read(3,0x80186e000,32768) = 0 (0x0)
close(3) = 0 (0x0)
sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t }) = 0 (0x0)
issetugid(0x7fffffffd2c0,0xc8,0x1,0x7fffffffd538,0x0,0x800c82648) = 0 (0x0)
issetugid(0x7fffffffdf5a,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
stat("/root/.rnd",0x7fffffffce08) ERR#2 'No such file or directory'
getpid() = 16324 (0x3fc4)
__sysctl(0x7fffffffd1c8,0x2,0x7fffffffd128,0x7fffffffd1c0,0x0,0x0) = 0 (0x0)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
getpid() = 16324 (0x3fc4)
issetugid(0x0,0x80,0x10,0x2,0x368,0x1) = 0 (0x0)
open("/etc/resolv.conf",O_CLOEXEC,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
read(3,0x8018b3000,32768) = 0 (0x0)
close(3) = 0 (0x0)
issetugid(0x0,0x8018009c0,0x14,0x3,0x7fffffffc2b0,0x801801068) = 0 (0x0)
stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
open("/etc/nsswitch.conf",O_CLOEXEC,0666) = 3 (0x3)
ioctl(3,TIOCGETA,0xffffca80) ERR#25 'Inappropriate ioctl for device'
fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
read(3,0x8018b3000,32768) = 0 (0x0)

... and it is being opened when I do specify the option on the command line ...

# truss openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
...
open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
open("/dev/crypto",O_RDWR,00) ERR#2 'No such file or directory'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0 (0x0)
read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
read(3,0x80186e000,32768) = 0 (0x0)
close(3) = 0 (0x0)
sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t }) = 0 (0x0)
issetugid(0x7fffffffd290,0xc8,0x1,0x7fffffffd508,0x0,0x800c82648) = 0 (0x0)
issetugid(0x7fffffffdf5c,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
stat("/root/.rnd",0x7fffffffcdd8) ERR#2 'No such file or directory'
getpid() = 16371 (0x3ff3)
__sysctl(0x7fffffffd198,0x2,0x7fffffffd0f8,0x7fffffffd190,0x0,0x0) = 0 (0x0)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
getpid() = 16371 (0x3ff3)
open("/etc/ssl/cert.pem",O_RDONLY,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1052618,size=908574,blksize=32768 }) = 0 (0x0)
read(3,"##\n## ca-root-nss.crt -- Bundl"...,32768) = 32768 (0x8000)
madvise(0x80186a000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018a1000,0x4000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018ac000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018bc000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018cd000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018df000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x801900000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x801875000,0x1000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10) = 0 (0x0)
madvise(0x801887000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10) = 0 (0x0)
read(3," 42:68:ac:a0:bd:4e:5a:da:18:bf:6"...,32768) = 32768 (0x8000)
read(3,":9a:9b:bb:\n "...,32768) = 32768 (0x8000)
read(3," 17:7d:a0:f9:b4:dd:c5:c5:eb"...,32768) = 32768 (0x8000)
madvise(0x8018ba000,0x6000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x8018f1000,0xc000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x80190e000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x801921000,0x5000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x801936000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
read(3,"c Constraints: critical\n "...,32768) = 32768 (0x8000)
read(3,"DYu5Def131TN3ubY1gkIl2PlwS6w\nt0"...,32768) = 32768 (0x8000)
read(3,"\nxvbxrN8y8NmBGuScvfaAFPDRLLmF9d"...,32768) = 32768 (0x8000)
read(3,"f:1f:31:9c:\n "...,32768) = 32768 (0x8000)
read(3,"igiCert Inc, OU=www.digicert.com"...,32768) = 32768 (0x8000)
read(3,"93:36:85:23:88:8a:3c:03:68:d3:c9"...,32768) = 32768 (0x8000)
read(3,"orzAzu8T2bgmmkTPiab+ci2hC6X5L8GC"...,32768) = 32768 (0x8000)
read(3,"2zsmWLIodz2uFHdh\n1voqZiegDfqnc1"...,32768) = 32768 (0x8000)
read(3,"hUNfBvitbtaSeodlyWL0AG0y/YckUHUW"...,32768) = 32768 (0x8000)
read(3," CA:TRUE\n Signatu"...,32768) = 32768 (0x8000)
read(3,":22:d7:8b:0b:\n "...,32768) = 32768 (0x8000)
read(3," 6b:53:7f:db:df:df:f3:71:3d:26:"...,32768) = 32768 (0x8000)
read(3,"f:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:"...,32768) = 32768 (0x8000)
read(3,":57:d2:b0:0a:\n "...,32768) = 32768 (0x8000)
read(3," X509v3 CRL Distribution Po"...,32768) = 32768 (0x8000)
read(3,"60:45:f2:31:eb:a9:31:\n "...,32768) = 32768 (0x8000)
read(3,"4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQ"...,32768) = 32768 (0x8000)
read(3,"9:28:a7:\n 2e"...,32768) = 32768 (0x8000)
read(3,"A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/"...,32768) = 32768 (0x8000)
read(3,"4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3G"...,32768) = 32768 (0x8000)
read(3,"QUFADCBvjE/MD0GA1UEAww2VMOc\nUkt"...,32768) = 32768 (0x8000)
read(3,"dq6hw2v+vPhwvCkxWeM\n1tZUOt4KpLo"...,32768) = 32768 (0x8000)
read(3," Exponent: 65537 (0x10001"...,32768) = 32768 (0x8000)
read(3,":35:88:67:74:57:e3:df:8c:b8:a7:7"...,32768) = 23838 (0x5d1e)
read(3,0x801899000,32768) = 0 (0x0)
close(3) = 0 (0x0)
getpid() = 16371 (0x3ff3)
issetugid(0x0,0x80,0x10,0x2,0x368,0x1) = 0 (0x0)
open("/etc/resolv.conf",O_CLOEXEC,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
read(3,0x801931000,32768) = 0 (0x0)
close(3) = 0 (0x0)
issetugid(0x0,0x801801cf8,0x33,0x3,0x7fffffffc280,0x801801c38) = 0 (0x0)
stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
open("/etc/nsswitch.conf",O_CLOEXEC,0666) = 3 (0x3)
ioctl(3,TIOCGETA,0xffffca50) ERR#25 'Inappropriate ioctl for device'
fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
read(3,0x801931000,32768) = 0 (0x0)

This is the only copy of openssl on my system ...

# whereis openssl
openssl: /usr/bin/openssl /usr/share/openssl/man/man1/openssl.1.gz

Did something change with the FreeBSD 10 configuration of OpenSSL? At first I thought it was a problem with this particular host, but I've been able to reproduce the problem on 3 different 10.x hosts I've tested so far. I don't see how an unmodified program will pick up the default system CA file unless that problem has an option to explicitly hand in the path. Was this intended?

Thanks in advance,

-Matthew
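
Added example, not part of the original message: an offline way to reproduce the two verify outcomes reported above (20 versus 0) with `openssl verify` and a constructed root and leaf, comparing the default trust store, an explicit `-CAfile`, and the `SSL_CERT_FILE` override of the default CA file. All keys, certificates and names are constructed, and the script assumes an OpenSSL (not LibreSSL) command-line tool with its stock configuration file.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed root CA and a leaf certificate signed by it.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the verify error number for the leaf: 0 = ok, 20 = issuer not found
# in the trust store. $1 selects where the trust anchors come from.
verify_code() {
    case $1 in
        default) out=$( (unset SSL_CERT_FILE SSL_CERT_DIR
                         openssl verify "$WORK/leaf.pem") 2>&1 ) || : ;;
        cafile)  out=$(openssl verify -CAfile "$WORK/root.pem" \
                         "$WORK/leaf.pem" 2>&1) || : ;;
        envfile) out=$(SSL_CERT_FILE="$WORK/root.pem" \
                         openssl verify "$WORK/leaf.pem" 2>&1) || : ;;
        *) echo "usage: verify_code default|cafile|envfile" >&2; return 2 ;;
    esac
    # The first "error N at D depth lookup" line carries the verify code.
    code=$(printf '%s\n' "$out" |
           sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
    else echo unknown
    fi
}

make_chain
for mode in default cafile envfile; do
    printf '%-8s verify code: %s\n' "$mode" "$(verify_code "$mode")"
done
```

The `envfile` mode succeeds without any command-line option because it goes through the library's default-CA-file lookup, which is the lookup that reads /etc/ssl/cert.pem on a default build.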