SSL is broken on FreeBSD
Dan Lukes
dan at obluda.cz
Fri Apr 1 15:19:48 UTC 2011
István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA
No. A list of trusted CAs is a list of CAs that you trust.
It is related to the policies of the particular CA, the law in the country where
the CA operates, the overall reputation of such a CA - and your personal
preferences and paranoia level.
Only you personally can decide which CA is a "trustful CA" for you.
Of course, you can accept a list created by someone else if you wish -
you mentioned security/ca_root_nss.
But it's still your personal decision.
Yes, someone else's list may not contain some CAs that you classify as
trusted - and, worse, it may contain some CAs you don't consider
trustworthy. It's your risk when adopting a list from an external source, and
you should not adopt such a list blindly unless security is
"unimportant" for you.
But back to your problem - FreeBSD contains NO list of trusted CAs, and
it SHOULD NOT contain one.
The port security/ca_root_nss is NOT part of the operating system - if you
want to change it you need to ask its author. Or use a list prepared by
someone else. Or prepare your own list (it's the most secure way).
Dan
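As an added illustration of the point above (example script written for this page, not code from the original post or from FreeBSD or the ca_root_nss port): build a private CA, sign one server certificate with it, and then ask OpenSSL to verify that certificate against three different "lists of trusted CAs": your own list (the private CA), someone else's list that does not contain your CA, and no list at all, which is what a base OpenSSL without any CA bundle gives you. The `-no-CAfile -no-CApath` options make `openssl verify` ignore whatever system store happens to be installed, so the result depends only on the list you pass. All names, paths and certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: certificate verification depends entirely on which CA list
# you hand to OpenSSL. All certificates here are throwaway test material.
set -eu

# make_demo_pki DIR: create our private CA, a leaf cert signed by it, and an
# unrelated "other" CA standing in for a list prepared by someone else.
make_demo_pki() {
    dir="$1"
    # Self-signed root: the single entry on *our* list of trusted CAs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Private CA" >/dev/null 2>&1
    # Leaf key and CSR, signed by our private CA.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" \
        -subj "/CN=host.example.test" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/srv.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.crt" >/dev/null 2>&1
    # A different root, standing in for an external list that lacks our CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" \
        -subj "/CN=Someone Elses CA" >/dev/null 2>&1
}

# verify_with_list CERT CAFILE: verify CERT against exactly the CAs in CAFILE,
# ignoring the system store. Returns 0 when CERT chains to that list, else 1.
verify_with_list() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "ok:   $1 chains to a CA in $2"; return 0
    else
        echo "FAIL: $1 does not chain to any CA in $2"; return 1
    fi
}

# verify_with_empty_list CERT: what OpenSSL does with no trusted CA list at all.
verify_with_empty_list() {
    if openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; then
        echo "ok (unexpected): $1 verified with no CA list"; return 0
    else
        echo "FAIL (expected): no trusted CA list, so $1 cannot be verified"; return 1
    fi
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    verify_with_list "$d/srv.crt" "$d/ca.crt"              # our list: trusted
    verify_with_list "$d/srv.crt" "$d/other-ca.crt" || true # their list: not trusted
    verify_with_empty_list "$d/srv.crt" || true             # no list: nothing trusted
    rm -rf "$d"
}

demo
```

The same leaf certificate is "valid" or "invalid" purely as a function of the CA file supplied; installing a bundle such as the one from security/ca_root_nss is what changes the last two outcomes, and that is the decision the post says is yours to make.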