OpenSSL Certificate issue

Greg Larkin glarkin at FreeBSD.org
Thu Jan 10 19:07:06 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 1/10/13 1:38 PM, Paul Kraus wrote:
>> On 1/10/13 12:49 PM, Paul Kraus wrote:
>>> On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote:
>>> 
>>>> It looks like you don't have the Gmail certificate installed
>>>>  locally, unless I'm mistaken.
>>> 
>>> I do not need to have the Google cert installed as long as I 
>>> have the Root Cert that signed it installed, and I do have
>>> that cert. The fact that I can point to the certificate file
>>> itself and the test connection works fine shows that I have
>>> the correct cert file. I agree that it is probably NOT
>>> installed correctly, but ...
>>> 
>>>> Check the instructions here, and let us know if that fixes 
>>>> the problem for you: 
>>>> http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/
>>> 
>>> These instructions appear to be for Linux and not FreeBSD and there
>>> are configuration and path differences, which is probably the 
>>> core of my problem. I expect that I have not installed the
>>> root certs into the correct directory (but they are in the
>>> directory that c_rehash is working in).
>>> 
>>> 
>> 
>> My guess is that you're using the c_rehash supplied with OpenSSL 
>> 1.x (installed as a port?) to hash the certs and then the
>> OpenSSL 0.9.x binary from the base system to connect to the Gmail
>> POP server.
>> 
>> Give your s_client command another try with the fully specified 
>> path to the OpenSSL 1.x binary to see if that corrects the 
>> verification error.
> 
> That appears to be the problem, using /usr/local/bin/openssl
> works, but I still need to know where the base system needs to have
> the certs placed (and how to hash them, as the only c_rehash script
> is the one that came with the port of openssl)? There are a number
> of utilities (most important here is fetchmail) which are using the
> base openssl libraries.
> 
> NOTE: I did not explicitly install the openssl port, it must have 
> been brought in as a dependency by another port.
> 

I put the certs for my test in /etc/ssl/certs when using the base
system openssl and in /usr/local/openssl/certs when using the openssl
port.

c_rehash uses a specific openssl binary when invoked like so:

env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs

You can set the OPENSSL and SSL_CERT_DIR environment variables
permanently, and that would ensure everything is consistent going
forward, even if the openssl port is present.

Regards,
Greg

- -- 
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
http://twitter.com/cpucycle/      - Follow you, follow me
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDvEVIACgkQ0sRouByUApB3KQCfcwYrixZv0Fd78d15zQdgwjCI
DowAoLcv8jNxOufJPx26F6A2dZeMeCz/
=EIv4
-----END PGP SIGNATURE-----
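The mismatch Greg diagnoses above has a concrete cause: OpenSSL 1.0.0 changed the subject-name hash that CApath link names are built from (the pre-1.0.0 value is still exposed as `x509 -subject_hash_old`), so a directory hashed by one version's c_rehash is invisible to the other version's lookup. The script below is an added example, not code from the thread or from FreeBSD; it emulates what c_rehash does (honouring the same `OPENSSL` environment variable Greg uses), then reproduces the failure by hashing a directory 0.9.x-style and verifying with the current binary, and shows the fix by rehashing 1.0.0-style. It assumes an OpenSSL 1.0.0-or-later binary on PATH (or in `$OPENSSL`) and builds its own throwaway CA; the names "Example Test Root CA" and "pop.example.test" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emulate c_rehash's link naming and
# reproduce "hashed with one OpenSSL, looked up by another".
# Assumes an OpenSSL >= 1.0.0 binary (it needs -subject_hash_old).

OPENSSL_BIN=${OPENSSL:-openssl}   # same override c_rehash honours

# Name links the way a CApath lookup expects: <subject_hash>.<n>
# $1 = openssl binary, $2 = directory of *.pem CA certs,
# $3 = -subject_hash (1.0.0+ naming) or -subject_hash_old (pre-1.0.0 naming)
rehash_dir() {
    bin=$1; dir=$2; flag=${3:--subject_hash}
    for link in "$dir"/*.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi   # drop stale links
    done
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        h=$("$bin" x509 -noout "$flag" -in "$cert") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # hash collisions -> .1, .2, ...
        ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
}

# Verify a leaf against a hashed directory; the exit status is the verdict.
verify_with_capath() {
    "$1" verify -CApath "$2" "$3" >/dev/null 2>&1
}

# Build a constructed test CA plus a leaf it signs (all names are made up).
make_test_pki() {
    work=$1
    cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    "$OPENSSL_BIN" req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
        -subj "/CN=Example Test Root CA" -keyout "$work/ca.key" -out "$work/ca.pem" \
        >/dev/null 2>&1 || return 1
    "$OPENSSL_BIN" req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/CN=pop.example.test" -keyout "$work/leaf.key" -out "$work/leaf.csr" \
        >/dev/null 2>&1 || return 1
    "$OPENSSL_BIN" x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -set_serial 1 -days 1 -out "$work/leaf.pem" >/dev/null 2>&1 || return 1
}

# Prints two words: the verdict after pre-1.0.0-style hashing, then after
# 1.0.0+-style hashing, both checked with the same (current) binary.
demo_hash_mismatch() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work" || { rm -rf "$work"; return 1; }
    mkdir "$work/certs" && cp "$work/ca.pem" "$work/certs/"
    # Links named with the old hash: the current lookup never finds the issuer.
    rehash_dir "$OPENSSL_BIN" "$work/certs" -subject_hash_old
    if verify_with_capath "$OPENSSL_BIN" "$work/certs" "$work/leaf.pem"; then old=ok; else old=fail; fi
    # Rehash with the hash this binary uses and the same leaf verifies.
    rehash_dir "$OPENSSL_BIN" "$work/certs" -subject_hash
    if verify_with_capath "$OPENSSL_BIN" "$work/certs" "$work/leaf.pem"; then new=ok; else new=fail; fi
    rm -rf "$work"
    echo "$old $new"
}
```

Running `demo_hash_mismatch` prints `fail ok`: the CA file is present in the directory both times, but until the links carry the hash the verifying binary computes, `verify` reports that it cannot get the local issuer certificate. This is the poster's situation in reverse (there the port's c_rehash named the links 1.x-style and the base 0.9.x libssl looked them up by the old hash), and it is why `env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs` matters: the hash must come from the same OpenSSL version that will read the directory. For programs such as fetchmail that use libssl's default lookup rather than an explicit `-CApath`, that default path is the one `SSL_CERT_DIR` overrides, which is what Greg's suggestion to set it permanently relies on.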


More information about the freebsd-questions mailing list