SSL is broken on FreeBSD
David E. Thiel
lx at FreeBSD.org
Mon Apr 4 19:35:46 UTC 2011
On Fri, Apr 01, 2011 at 03:32:51PM +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right,
> it is like shipping a car without wheels, I suppose.
While I agree somewhat with your sentiment, SSL is not necessarily
broken without CA certificates, as it's completely possible to do TOFU
verification ala SSH.
However, I think it's an appropriate time to mention again that there is
at least one place in base that does indeed have broken SSL support,
namely libfetch. To do SSL properly, you can do CA certificate
verification or you can do TOFU, but libfetch still accepts any
certificate it encounters, without user warning.
More information about the freebsd-security
mailing list