SSL is broken on FreeBSD

Robert Simmons rsimmons0 at gmail.com
Fri Apr 1 16:56:44 UTC 2011


On Fri, Apr 1, 2011 at 10:33 AM, István <leccine at gmail.com> wrote:
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss

OpenSSL works just fine for me.  I am using it on an internal network
with a CA that I created myself.  That is the only CA that I want to
trust, since all the servers that I'm using are signed by it and only
it.  I've manually added it to the CA lists here.  That way, I can add
a new server create a cert for it, sign it, and profit immediately.

There are no CAs by default in FreeBSD because that's the way it
should be.  I would have had to remove all of them. As the FAQ for
OpenSSL states: "The OpenSSL software is shipped without any root CA
certificate as the OpenSSL project does not have any policy on
including or excluding any specific CA and does not intend to set up
such a policy. Deciding about which CAs to support is up to
application developers or administrators."
(http://www.openssl.org/support/faq.html#USER16)

Now, you are also not satisfied with the CA bundle in the ports
collection because it does not contain the CA that you need.  I'm not
sure which one it is that you need.  But a good place to start is
here:
http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

That contains a perl script for extracting the CA bundle from
Mozilla's CVS.  At first glance, it may frustrate you, because it may
not be obvious where it connects to (that info is obscured).  However,
look at the following help file.  It has all the connection details
for mozilla's cvsroot that you will need.  Just substitute the
"anonymous at cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the
script.
https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS

If you are not satisfied with Mozilla's bundle, you can find Google
Chrome's list here somewhere:
http://src.chromium.org/viewvc/chrome/

All of this may or may not solve your problem.  You may need to build
your own bundle and include the CAs that you want to trust.

Also, one last thing: You can catch more flies with honey than with vinegar.
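The private-CA workflow described in the reply above, as an added example that is not part of the original thread: build a throwaway CA, sign a server cert with it, and show that openssl(1) rejects the cert until that CA is supplied explicitly. It assumes openssl 1.1.0 or newer on PATH (for the -no-CAfile/-no-CApath flags) and uses constructed names for the CA and host.

```shell
#!/bin/sh
# Added example (not from the original thread): a private CA, a server cert
# signed by it, and two verify runs: untrusted with an empty trust store,
# trusted once ca.pem is given. Assumes openssl >= 1.1.0; names are made up.
set -e
# make_private_ca DIR: write ca.pem/ca.key and a CA-signed server.pem into DIR
make_private_ca() {
    dir=$1
    # Self-signed CA: the only issuer this trust store will contain.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Internal Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # New server: generate key + CSR, then sign it with the CA.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=host1.internal.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}
# verify_cert CERT [CAFILE]: exit 0 iff CERT chains to CAFILE. With no CAFILE
# the default trust store is disabled, like an OpenSSL with no root CAs.
verify_cert() {
    cert=$1; cafile=$2
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$cert" >/dev/null 2>&1
    fi
}
# trust_store_demo: returns 0 only if the cert is rejected with an empty
# store and accepted when our ca.pem is passed as -CAfile.
trust_store_demo() {
    work=$(mktemp -d)
    make_private_ca "$work"
    if verify_cert "$work/server.pem"; then
        echo "unexpected: verified without any CA"; rm -rf "$work"; return 1
    fi
    echo "empty trust store: server.pem NOT trusted (expected)"
    if ! verify_cert "$work/server.pem" "$work/ca.pem"; then
        echo "unexpected: rejected with our own CA"; rm -rf "$work"; return 1
    fi
    echo "with -CAfile ca.pem: server.pem trusted"
    rm -rf "$work"
    return 0
}
trust_store_demo
```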


More information about the freebsd-security mailing list