SSL is broken on FreeBSD
    Frank J. Cameron 
    cameron at ctc.com
       
    Tue Apr  5 22:48:52 UTC 2011
    
    
  
On Tue, 2011-04-05 at 17:11 -0400, Dmytro Pryanyshnikov wrote:
> Actually, as I can see, just installing the ca_root_nss
> port (even with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem")
> isn't enough for feeding installed .crt file to 'openssl s_client'
> command:
> 
> dmitry at lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null <
> /dev/null |egrep '^[[:space:]]*Verify return code:'
>     Verify return code: 20 (unable to get local issuer certificate)
> 
> dmitry at lynx$ openssl s_client -CAfile
> /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443
> 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
>     Verify return code: 0 (ok)
> 
> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
> be used by the ''openssl s_client" command by default (without -CAfile
> command line argument).
http://curl.haxx.se/mail/archive-2003-07/0036.html
        Unfortunately, the information about this is not in the current 
        OpenSSL documentation. You have to read the source code or 
        see discussion about it in the openssl-dev mailing list. 
        There is a reference to the X509_get_default_cert_file and 
        X509_get_default_cert_file_env in the obsolete ssleay.txt file
        in 
        the OpenSSL document directory, but that is about it. The only 
        references that I know to the SSL_CERT_FILE and SSL_CERT_DIR 
        environment variables (other than in the source code itself)
        are 
        in the old "SSLeay and SSLapps FAQ" which is not distributed
        with 
        OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/"). 
        See some correspondence about these defaults in the openssl-dev 
        mailing list in a thread started by me in December 2002 
        (with a fix for the code by Richard Levitte and Rich Salz): 
        "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520" 
        
        The default name for the ca cert bundle is defined in 
        crypto/cryptlib.h, as are the environment variables
        SSL_CERT_FILE and SSL_CERT_DIR.
http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
        #define X509_CERT_FILE		OPENSSLDIR "/cert.pem"
http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
        OPENSSLDIR=/usr/local/ssl
So, should the port be linking?:
	/usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
------------------------------------------------------------
This message and any files transmitted within are intended
solely for the addressee or its representative and may
contain company sensitive information.  If you are not the
intended recipient, notify the sender immediately and delete
this message.  Publication, reproduction, forwarding, or 
content disclosure is prohibited without the consent of the
original sender and may be unlawful.
Concurrent Technologies Corporation and its Affiliates.
www.ctc.com  1-800-282-4392
------------------------------------------------------------
    
    
More information about the freebsd-security
mailing list