SSL is broken on FreeBSD
Brian Reichert
reichert at numachi.com
Fri Apr 1 22:50:37 UTC 2011
On Sat, Apr 02, 2011 at 12:42:04AM +0200, Roberto Nunnari wrote:
> István wrote:
> >work:
> >
> > without the following error => "verify error:num=20:unable to get local
> >issuer certificate"
>
> Hi.
> It works for me if you correct the sed command and suppress stderr..

Well, I cleaned that up, too.

That you got this same command to work implies you have a different
set of CAs than I.

His point (someone please correct me, if necessary) is that without
what he considers a reasonable set of trusted CAs in place, SSL under
FreeBSD is 'broken'.

I interpret this thread now to be a debate of the terms 'reasonable'
and 'trusted', and further, whose responsibility it is to populate
that list of CAs on his machine.

> $ uname -rms
> FreeBSD 6.4-RELEASE-p8 i386
> $ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null |
> sed -ne /-BEGIN\ CERTIFICATE-/,/-END\ CERTIFICATE-/p |openssl x509
> -noout -subject -dates
> subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
> notBefore=Oct 8 00:00:00 2010 GMT
> notAfter=Oct 7 23:59:59 2013 GMT
>
> So, it seems to be just a RegExp error..
>
> Best regards.
> Robi
--
Brian Reichert <reichert at numachi.com>
BSD admin/developer at large
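
Added example, not part of the original thread: the "unable to get local issuer certificate" (error 20) result discussed above depends only on which CAs the verifier is told to trust. The sketch below builds a throwaway PKI with made-up names and verifies the same leaf certificate against two different trust anchors; all subjects, file names and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Constructed demo: every subject name and file name here is made up.

# Build a throwaway PKI in directory $1: an issuing root CA, a second
# unrelated root CA, and a leaf certificate signed by the first.
make_demo_pki() {
    for ca in issuing unrelated; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca root" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/issuing.pem" -CAkey "$1/issuing.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null || return 1
}

# Verify certificate $2 with $1 as the trusted CA file and classify the result.
# stderr is merged in (2>&1) so the verdict is seen whichever stream carries it;
# the text is matched instead of relying on the exit status.
trust_verdict() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    case $out in
        *"unable to get local issuer certificate"*) echo "error20" ;;
        *": OK"*) echo "ok" ;;
        *) echo "other" ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "trusting unrelated CA: $(trust_verdict "$d/unrelated.pem" "$d/leaf.pem")"
    echo "trusting issuing CA:   $(trust_verdict "$d/issuing.pem" "$d/leaf.pem")"
    rm -rf "$d"
}

demo
```

In the quoted s_client pipeline, `2>/dev/null` discards the stream on which s_client reports verify errors, and the sed filter passes only the PEM block, so the subject and dates print whether or not the chain verified.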