SSL certificate check error ...

Matthew Grooms mgrooms at shrew.net
Mon Nov 10 20:43:14 UTC 2014


All,

I am seeing a problem with certificate checking on several stock FreeBSD 
10.0-RELEASE-p12 hosts using the base openssl. The ca_root_nss-3.17.2 
package is installed with the option to create the symlink in /etc/ssl 
enabled ...

# ls -la /etc/ssl
total 20
drwxr-xr-x   2 root  wheel    512 Nov 10 13:25 .
drwxr-xr-x  21 root  wheel   2048 Oct 28 23:45 ..
lrwxr-xr-x   1 root  wheel     38 Nov 10 13:24 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
-rw-r--r--   1 root  wheel  10929 Jan 16  2014 openssl.cnf

When I try to run s_client as a test to www.google.com, I see "Verify 
return code: 20 (unable to get local issuer certificate)" ...

# openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3719 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
     Session-ID: 9890FB78A01C235769387820574E847C0F76E80DBDC867D6EC5D4422B944E956
     Session-ID-ctx:
     Master-Key: 86B4E5CBDC553D8740C462194E9244870D2468C8A736097CD467EF7461EE0ACF3D96C581EF6F68AF62218B451BBA03D7
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 100800 (seconds)
     TLS session ticket:
     0000 - be 92 f9 6b be 9e 07 5c-dc a4 44 5e a5 06 a8 02 ...k...\..D^....
     0010 - 3b b3 56 cf 98 b5 72 4f-82 fe 6a 7a 44 2f b7 24 ;.V...rO..jzD/.$
     0020 - 7c 23 57 f9 36 94 d6 83-54 21 dc 10 a2 df ac 43 |#W.6...T!.....C
     0030 - 1b 8b b0 9e b3 b0 d8 e8-7a 0a d0 b2 55 8e 96 0d ........z...U...
     0040 - 3c ff d2 af 65 ea c7 69-1b a4 bb 04 f2 73 c2 a8 <...e..i.....s..
     0050 - 6c b9 0d 54 cb 50 f2 5e-fc a8 0a 5a ec 4d 10 c6 l..T.P.^...Z.M..
     0060 - 34 f1 3b cb 14 96 f8 0f-1d 75 bd c6 56 61 73 64 4.;......u..Vasd
     0070 - 98 55 c5 24 18 43 e7 58-cc 2f 50 35 03 14 de c5 .U.$.C.X./P5....
     0080 - d7 12 5b 58 6d 6e 6f 7c-61 78 40 1a 02 66 31 94 ..[Xmno|ax@..f1.
     0090 - 6d a0 fb 7c 36 aa 4c d2-38 9c dd 89 f9 5c 4a 62 m..|6.L.8....\Jb
     00a0 - f6 f7 e0 24                                       ...$

     Start Time: 1415648696
     Timeout   : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
---

... but when I explicitly specify the path to /etc/ssl/cert.pem, it 
works fine ...

# openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3719 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
     Session-ID: 9DD76F7AC8D34085E2B230CA02B955D3A35482C5AD983CD43A0AF65EDDF0905B
     Session-ID-ctx:
     Master-Key: FCF5D6AB32816ABD660AB744386531308C3F3203BBB61EB8273A5783DDE92B04C87ADA3DB12C87092BB7BE21CFAD3CCA
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 100800 (seconds)
     TLS session ticket:
     0000 - be 92 f9 6b be 9e 07 5c-dc a4 44 5e a5 06 a8 02 ...k...\..D^....
     0010 - 63 64 66 84 cd c8 07 dc-69 64 6f ff 69 05 99 a0 cdf.....ido.i...
     0020 - f4 d7 00 1a 3c 36 41 61-70 5b b4 79 2c 45 c1 3b ....<6Aap[.y,E.;
     0030 - 6d 5e 13 77 09 3f f8 35-f5 e4 92 ae ce c8 f9 7b m^.w.?.5.......{
     0040 - ca 6e 49 94 cd 19 51 89-a3 f4 32 64 a6 a5 27 66 .nI...Q...2d..'f
     0050 - 96 d1 f0 c6 7b a6 07 20-7b 35 d9 0b f7 f1 8c a5 ....{.. {5......
     0060 - e7 58 1d 0c b3 86 12 d6-86 49 4c 7d 31 c5 1a b6 .X.......IL}1...
     0070 - 3f 7a 8a b5 e5 da 63 a3-f2 2b ee f3 ae 20 3d 1a ?z....c..+... =.
     0080 - fd d7 d7 af f8 db 11 73-eb 3a 9b cb 41 a9 be 5c .......s.:..A..\
     0090 - ec cc 65 1f 3c 13 a7 57-92 a5 cc d9 39 05 41 9d ..e.<..W....9.A.
     00a0 - 9c 3f 94 d8                                       .?..

     Start Time: 1415648909
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---

Also, if I run the commands under truss I see that the file 
/etc/ssl/cert.pem is not being opened when I do not specify the option 
on the command line ...

# truss openssl s_client -connect www.google.com:443
...
open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or directory'
open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or directory'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666)       = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0 (0x0)
read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
read(3,0x80186e000,32768)                        = 0 (0x0)
close(3)                                         = 0 (0x0)
sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t }) = 0 (0x0)
issetugid(0x7fffffffd2c0,0xc8,0x1,0x7fffffffd538,0x0,0x800c82648) = 0 (0x0)
issetugid(0x7fffffffdf5a,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
stat("/root/.rnd",0x7fffffffce08)                ERR#2 'No such file or directory'
getpid()                                         = 16324 (0x3fc4)
__sysctl(0x7fffffffd1c8,0x2,0x7fffffffd128,0x7fffffffd1c0,0x0,0x0) = 0 (0x0)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
getpid()                                         = 16324 (0x3fc4)
issetugid(0x0,0x80,0x10,0x2,0x368,0x1)           = 0 (0x0)
open("/etc/resolv.conf",O_CLOEXEC,0666)          = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
read(3,0x8018b3000,32768)                        = 0 (0x0)
close(3)                                         = 0 (0x0)
issetugid(0x0,0x8018009c0,0x14,0x3,0x7fffffffc2b0,0x801801068) = 0 (0x0)
stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
open("/etc/nsswitch.conf",O_CLOEXEC,0666)        = 3 (0x3)
ioctl(3,TIOCGETA,0xffffca80)                     ERR#25 'Inappropriate ioctl for device'
fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
read(3,0x8018b3000,32768)                        = 0 (0x0)

... and it is being opened when I do specify the option on the command 
line ...

# truss openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
...
open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or directory'
open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or directory'
open("/etc/ssl/openssl.cnf",O_RDONLY,0666)       = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0 (0x0)
read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
read(3,0x80186e000,32768)                        = 0 (0x0)
close(3)                                         = 0 (0x0)
sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t }) = 0 (0x0)
issetugid(0x7fffffffd290,0xc8,0x1,0x7fffffffd508,0x0,0x800c82648) = 0 (0x0)
issetugid(0x7fffffffdf5c,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
stat("/root/.rnd",0x7fffffffcdd8)                ERR#2 'No such file or directory'
getpid()                                         = 16371 (0x3ff3)
__sysctl(0x7fffffffd198,0x2,0x7fffffffd0f8,0x7fffffffd190,0x0,0x0) = 0 (0x0)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
getpid()                                         = 16371 (0x3ff3)
open("/etc/ssl/cert.pem",O_RDONLY,0666)          = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1052618,size=908574,blksize=32768 }) = 0 (0x0)
read(3,"##\n##  ca-root-nss.crt -- Bundl"...,32768) = 32768 (0x8000)
madvise(0x80186a000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018a1000,0x4000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018ac000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018bc000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018cd000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x8018df000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x801900000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10) = 0 (0x0)
madvise(0x801875000,0x1000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10) = 0 (0x0)
madvise(0x801887000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10) = 0 (0x0)
read(3," 42:68:ac:a0:bd:4e:5a:da:18:bf:6"...,32768) = 32768 (0x8000)
read(3,":9a:9b:bb:\n                    "...,32768) = 32768 (0x8000)
read(3,"      17:7d:a0:f9:b4:dd:c5:c5:eb"...,32768) = 32768 (0x8000)
madvise(0x8018ba000,0x6000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x8018f1000,0xc000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x80190e000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x801921000,0x5000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
madvise(0x801936000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10) = 0 (0x0)
read(3,"c Constraints: critical\n       "...,32768) = 32768 (0x8000)
read(3,"DYu5Def131TN3ubY1gkIl2PlwS6w\nt0"...,32768) = 32768 (0x8000)
read(3,"\nxvbxrN8y8NmBGuScvfaAFPDRLLmF9d"...,32768) = 32768 (0x8000)
read(3,"f:1f:31:9c:\n                   "...,32768) = 32768 (0x8000)
read(3,"igiCert Inc, OU=www.digicert.com"...,32768) = 32768 (0x8000)
read(3,"93:36:85:23:88:8a:3c:03:68:d3:c9"...,32768) = 32768 (0x8000)
read(3,"orzAzu8T2bgmmkTPiab+ci2hC6X5L8GC"...,32768) = 32768 (0x8000)
read(3,"2zsmWLIodz2uFHdh\n1voqZiegDfqnc1"...,32768) = 32768 (0x8000)
read(3,"hUNfBvitbtaSeodlyWL0AG0y/YckUHUW"...,32768) = 32768 (0x8000)
read(3,"            CA:TRUE\n    Signatu"...,32768) = 32768 (0x8000)
read(3,":22:d7:8b:0b:\n                 "...,32768) = 32768 (0x8000)
read(3,"  6b:53:7f:db:df:df:f3:71:3d:26:"...,32768) = 32768 (0x8000)
read(3,"f:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:"...,32768) = 32768 (0x8000)
read(3,":57:d2:b0:0a:\n                 "...,32768) = 32768 (0x8000)
read(3,"      X509v3 CRL Distribution Po"...,32768) = 32768 (0x8000)
read(3,"60:45:f2:31:eb:a9:31:\n         "...,32768) = 32768 (0x8000)
read(3,"4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQ"...,32768) = 32768 (0x8000)
read(3,"9:28:a7:\n                    2e"...,32768) = 32768 (0x8000)
read(3,"A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/"...,32768) = 32768 (0x8000)
read(3,"4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3G"...,32768) = 32768 (0x8000)
read(3,"QUFADCBvjE/MD0GA1UEAww2VMOc\nUkt"...,32768) = 32768 (0x8000)
read(3,"dq6hw2v+vPhwvCkxWeM\n1tZUOt4KpLo"...,32768) = 32768 (0x8000)
read(3,"        Exponent: 65537 (0x10001"...,32768) = 32768 (0x8000)
read(3,":35:88:67:74:57:e3:df:8c:b8:a7:7"...,32768) = 23838 (0x5d1e)
read(3,0x801899000,32768)                        = 0 (0x0)
close(3)                                         = 0 (0x0)
getpid()                                         = 16371 (0x3ff3)
issetugid(0x0,0x80,0x10,0x2,0x368,0x1)           = 0 (0x0)
open("/etc/resolv.conf",O_CLOEXEC,0666)          = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
read(3,0x801931000,32768)                        = 0 (0x0)
close(3)                                         = 0 (0x0)
issetugid(0x0,0x801801cf8,0x33,0x3,0x7fffffffc280,0x801801c38) = 0 (0x0)
stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
open("/etc/nsswitch.conf",O_CLOEXEC,0666)        = 3 (0x3)
ioctl(3,TIOCGETA,0xffffca50)                     ERR#25 'Inappropriate ioctl for device'
fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
read(3,0x801931000,32768)                        = 0 (0x0)

This is the only copy of openssl on my system ...

# whereis openssl
openssl: /usr/bin/openssl /usr/share/openssl/man/man1/openssl.1.gz

Did something change with the FreeBSD 10 configuration of OpenSSL? At 
first I thought it was a problem with this particular host, but I've 
been able to reproduce the problem on 3 different 10.x hosts I've tested 
so far. I don't see how an unmodified program will pick up the default 
system CA file unless that program has an option to explicitly hand in 
the path. Was this intended?

Thanks in advance,

-Matthew
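The diagnostic in the post (run s_client with the defaults, run it again naming the bundle, compare the verify return codes) can be scripted so that the two failure modes are told apart: a bundle that is missing or broken, versus an openssl binary that simply never opens the default bundle. The script below is an added example and is not part of the original post or of FreeBSD; it assumes the default CA file lives at `<OPENSSLDIR>/cert.pem`, with OPENSSLDIR taken from `openssl version -d`, and it passes the bundle with `-CAfile` because the argument is a single file. The sample s_client output embedded at the bottom is constructed from the two sessions quoted above, trimmed to the lines the parsers inspect.

```shell
#!/bin/sh
# Added example (not from the original post): separate "the CA bundle is
# broken" from "this openssl binary never loads the bundle by default" by
# running the same s_client check twice, once with defaults and once with
# the bundle named explicitly. Assumption: the default CA file is
# <OPENSSLDIR>/cert.pem, where OPENSSLDIR comes from `openssl version -d`.

# Print the numeric "Verify return code" from s_client output read on stdin.
# 0 means the chain verified; 20 is "unable to get local issuer certificate".
parse_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Print the chain depth at which s_client first reported a verify error, or
# nothing if every depth verified. s_client prints "depth=N ..." followed by
# a "verify error:..." line when the certificate at that depth fails.
parse_fail_depth() {
    awk '/^depth=/ { d = $1; sub(/^depth=/, "", d) }
         /^verify error:/ { print d; exit }'
}

# Path this openssl build uses for its default CA file (assumed layout).
default_bundle() {
    dir=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    printf '%s/cert.pem\n' "$dir"
}

# Connect to HOST:PORT with and without an explicit -CAfile and report which
# of the two verifies. Usage: check_host www.google.com [443]
check_host() {
    host=$1
    port=${2:-443}
    bundle=$(default_bundle)
    default_code=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | parse_verify_code)
    explicit_code=$(openssl s_client -CAfile "$bundle" -connect "$host:$port" </dev/null 2>/dev/null | parse_verify_code)
    if [ "$default_code" = 0 ]; then
        echo "ok: $host verifies with the default trust store"
    elif [ "$explicit_code" = 0 ]; then
        echo "bundle $bundle verifies $host, but this openssl does not load it by default (code $default_code)"
    else
        echo "$host does not verify even with -CAfile $bundle (codes $default_code / $explicit_code)"
        return 1
    fi
}

# Constructed sample input: the relevant lines of the failing and the
# succeeding s_client sessions from the post, trimmed to what the parsers read.
SAMPLE_FAIL='depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
     Verify return code: 20 (unable to get local issuer certificate)'

SAMPLE_OK='depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
     Verify return code: 0 (ok)'
```

Source the file and call `check_host www.google.com`; on the hosts described in the post the expected outcome is the middle branch (the bundle verifies the chain but the default run does not), which points at the application's trust-store loading rather than at the bundle. `parse_fail_depth` tells you how far up the chain verification got before it needed a certificate the store could not supply.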


More information about the freebsd-net mailing list