HEADS UP: ca_root_nss seems to trip up OpenSSL on FreeBSD 7.3

Jerry jerry at seibercom.net
Wed Sep 7 10:18:29 UTC 2011


On Wed, 07 Sep 2011 01:04:38 +0200
Matthias Andree articulated:

> Greetings,
> 
> apparently the new /etc/ssl/cert.pem file installed by
> security/ca_root_nss trips up the OpenSSL 0.9.8e in the 7.3-RELEASE
> base system. I haven't tested 7.4, 8.1 or 8.2, 8-STABLE is unaffected
> by the problem.
> 
> The symptom is that some certificate chains that validate properly on
> OpenSSL under FreeBSD 8-STABLE, fail to validate on 7.3. OpenSSL
> claims that the root certificate wasn't trusted.
> 
> Manually editing the cert.pem file to reorder Entrust certificates up
> front in reverse order helps according to Doug's findings, but chances
> are that this breaks recognition of other root certificates in
> exchange.
> 
> This is also extremely hard to test because we can't possibly find
> enough sites to cover for all 150+ trust anchors that the ca_root_nss
> port provides.
> 
> Doug and I have been trying to debug this earlier today, to no avail
> yet.  The current suspicion is "bug in OpenSSL when reading
> certificate bundles, and that bug got fixed between 0.9.8e and 0.9.8q
> (possibly 0.9.8n)" -- note though that the order of certificates in a
> bundle file is not supposed to make any difference.
> 
> If someone has any insights, that will be much appreciated.
> 
> (Doug feel free to polish this text and re-post if it turned out to be
> incomprehensible. ;-))

The base system's version of "openssl" is old. Using the ports
version, "OpenSSL 1.0.0d 8 Feb 2011" is in my opinion the proper way to
correct this problem. Why the base system's version has not been
updated to reflect the current version is something that I would love
to ask; however, the usual members of the peanut gallery would only
spew the usual company propaganda, "bla bla bla" and "bla bla bla",
and I am not really in the mood to listen to it.

Seriously, update to the current "port" version and the problem is
solved. There used to be several programs that were not compatible with
the ports version a few years ago; however, I believe I vetted those
out and was instrumental in getting them corrected. In any case, this
is an easy "fix".

-- 
Jerry ✌
jerry+ports at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
The bigger the theory the better.


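A way to test the bundle-order question raised above on a given host, added here as an example; it is not from the thread, from the ca_root_nss port, or from the FreeBSD base system. It builds a constructed throwaway PKI (two unrelated self-signed roots, one intermediate, one leaf; all CNs and file names are made up), writes both roots into a bundle in each order, and runs `openssl verify` against each bundle, the same check that was reported as failing on 7.3. It assumes an openssl binary in PATH and nothing else.

```shell
#!/bin/sh
# Added example, not part of the thread: does the order of trust anchors in a
# PEM bundle change what `openssl verify` accepts on this host?
# Builds a constructed throwaway PKI (two unrelated self-signed roots, one
# intermediate under "realroot", one leaf), writes the two roots into a bundle
# in both orders, and verifies the leaf against each bundle.
# Assumes an openssl binary in PATH; every file name and CN below is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the self-signed roots carry basicConstraints CA:TRUE
# regardless of what the system openssl.cnf says.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME: self-signed CA certificate $WORK/NAME.pem, key $WORK/NAME.key
make_root() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# make_signed ISSUER NAME CAFLAG: certificate $WORK/NAME.pem issued by ISSUER
# with basicConstraints CA:CAFLAG (TRUE for the intermediate, FALSE for the leaf)
make_signed() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints = critical, CA:%s\n' "$3" > "$WORK/$2.ext"
    if [ "$3" = TRUE ]; then
        printf 'keyUsage = critical, keyCertSign, cRLSign\n' >> "$WORK/$2.ext"
    fi
    openssl x509 -req -sha256 -days 2 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chain_verifies BUNDLE: 0 if leaf.pem chains through intermediate.pem to a
# root found in BUNDLE, non-zero otherwise (the check reported failing on 7.3)
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$WORK/intermediate.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

make_root realroot
make_root otherroot
make_signed realroot intermediate TRUE
make_signed intermediate leaf FALSE

# The same two anchors in both orders, as a reordered cert.pem would give.
cat "$WORK/otherroot.pem" "$WORK/realroot.pem" > "$WORK/bundle-real-last.pem"
cat "$WORK/realroot.pem" "$WORK/otherroot.pem" > "$WORK/bundle-real-first.pem"

# order_independent: 0 when both orders validate the chain, as they should;
# non-zero when only one of them does, which is the 7.3 symptom described above
order_independent() {
    chain_verifies "$WORK/bundle-real-last.pem" &&
        chain_verifies "$WORK/bundle-real-first.pem"
}

# missing_anchor_rejected: 0 when a bundle lacking realroot is refused, so the
# positive results above really depend on the anchor being found in the bundle
missing_anchor_rejected() {
    ! chain_verifies "$WORK/otherroot.pem"
}

if order_independent; then
    echo "bundle order does not affect validation with: $(openssl version)"
else
    echo "bundle order changes the verify result with: $(openssl version)"
fi
missing_anchor_rejected || echo "warning: chain validated without its anchor"
```

Run it with the base-system openssl and then with the ports one in PATH to compare; to reproduce the thread's exact case, replace the two constructed roots with the real cert.pem and its reordered copy and point `chain_verifies` at a saved chain from one of the failing sites.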