SSL is broken on FreeBSD

jhell jhell at DataIX.net
Wed Apr 6 05:45:45 UTC 2011 

On Wed, Apr 06, 2011 at 03:01:30AM +0200, Dan Lukes wrote:
> On 6.4.2011 2:15, Chuck Swiger:
> >>2. Such link will affect all users of system. Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default
> >There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for it's intended role.
> 
> I has been network administrator in bank. Be sure that "instalation
> of a data pack" is very different task that "change security related
> behavior of program that may/will affect all users".
> 
> In the environment you mentioned, e.g. company taking security
> questions seriously, the skilled administrator (and/or security
> officer) will evaluate the situation and will create the link that
> affect all users, if apropriate.
> 
> It will not be interested in blind "automagic" change.
> 
> As I said before. Instalation of CA bundle SHOULD NOT affect all
> users automatically. The "pkg_add" don't know who install such pack
> nor why such pack is installed for so it can't decide the answer.
> 

This is a lost cause, Just to add another .02 bringing the total to
somewhere in the 100's.

If you truss the command above before and after creating so said links
in /usr/local/etc/ssl and in /etc/ssl youll see that there is no default
CAfile or CApath searched for.

s_client(1)
   The s_client command implements a generic SSL/TLS client which
   connects to a remote host using SSL/TLS. It is a very useful
   diagnostic tool for SSL servers
[...]
Maybe there should be an emphasis on ``diagnostic''


Security is not something that should compromised by a default
configuration but something that should be taught by example for the
end-user if they so require it. So with that in mind it might not be
such a bad idea to add a "SSL The FreeBSD way." chapter to the handbook
that would assist in a security researchers final decision to implement
the correct changes they are looking for.


Food for thought.

-- 

  Regards,

  J. Hellenthal
  JJH48-ARIN
  0x89D8547E

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 522 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110406/2c959824/attachment.pgp

More information about the freebsd-security mailing list