[OpenSSL] /etc/ssl/cert.pem not honoured by default

Matthew Seaman matthew at freebsd.org
Fri Dec 18 12:25:45 UTC 2015 

On 12/18/15 11:41, rhi wrote:
> Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I
> get OpenSSL to use it by default?

Is that the ports or the base version of openssl?  I can recreate your
results with the base openssl, but everything works as expected with the
ports version:

:# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com
-port 443
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000004)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5119 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002
    Session-ID-ctx:
    Master-Key:
4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B4450FDA6EDD02063A8914A056
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 1f 25 24 ba 2c 17 70-37 6c 71 e2 a1 46 75 fb
..%$.,.p7lq..Fu.
    0010 - 5f 50 8e 2c 58 c3 72 c8-c4 03 8c 60 0b 54 f3 d7
_P.,X.r....`.T..
    0020 - 5c 2c af 3e cc b4 1b 77-c3 a0 2e dd e9 7c 39 89
\,.>...w.....|9.
    0030 - dc 9f 10 0b f6 5f 8c 9a-df 18 8f 77 27 be f4 fb
....._.....w'...
    0040 - e7 34 fe b4 5a 36 78 8d-20 fd b2 68 1b f2 16 dc   .4..Z6x.
..h....
    0050 - 5e ea d0 79 5e e1 88 66-05 35 1f b9 b8 71 91 9d
^..y^..f.5...q..
    0060 - 09 2a 4a 61 da 5a 5b ad-66 20 19 eb df e5 55 f4   .*Ja.Z[.f
....U.
    0070 - 29 4c a2 e3 35 ed f9 53-c2 18 dd d6 8b f9 1e ef
)L..5..S........
    0080 - 81 76 c5 db a5 15 62 23-cd 4a 80 6d f1 7f 2f 19
.v....b#.J.m../.
    0090 - d9 c4 00 21 fe 3c 00 4e-4f 70 1d cd 56 20 8f 98
...!.<.NOp..V ..
    00a0 - 65 88 a4 6c fe 96 9a 38-f4 f4 fd 25 58 22 98 24
e..l...8...%X".$

    Start Time: 1450441132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to
crypto happiness in the ports.

	Cheers,

	Matthew


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20151218/307017fd/attachment.sig>

More information about the freebsd-security mailing list