SSL is broken on FreeBSD
Brooks Davis
brooks at freebsd.org
Fri Apr 1 22:49:34 UTC 2011
On Fri, Apr 01, 2011 at 12:33:30PM -0400, Robert Simmons wrote:
> Now, you are also not satisfied with the CA bundle in the ports
> collection because it does not contain the CA that you need. I'm not
> sure which one it is that you need. But a good place to start is
> here:
> http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
>
> That contains a perl script for extracting the CA bundle from
> Mozilla's CVS. At first glance, it may frustrate you, because it may
> not be obvious where it connects to (that info is obscured). However,
> look at the following help file. It has all the connection details
> for Mozilla's cvsroot that you will need. Just substitute the
> "anonymous at cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the
> script.
> https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS
The point of security/ca_root_nss is that it is exactly the set of
certs trusted by Mozilla (via the nss library) via the mechanism
described above. The FreeBSD Project makes no warranty that it is a
good set to trust. It just happens to be a set that is widely trusted.
> If you are not satisfied with Mozilla's bundle, you can find Google
> Chrome's list here somewhere:
> http://src.chromium.org/viewvc/chrome/
We might actually want to maintain a port of those as well if they
differ in any meaningful way.
-- Brooks