SSL is broken on FreeBSD
Dmytro Pryanyshnikov
lynx.ripe at gmail.com
Tue Apr 5 21:33:57 UTC 2011
Hello!
On Fri, Apr 1, 2011 at 5:33 PM, István <leccine at gmail.com> wrote:
> Could somebody explain to me how it is possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> openssl s_client -connect 72.21.203.148:443 </dev/null | ...
Hmm, IMHO a quite simple question (it's all about the OpenSSL application
config) has caused such a big and not-so-relevant discussion (about the OS
as a whole) ;) Actually, as I can see, just installing the ca_root_nss
port (even with ETCSYMLINK=on, "Add symlink to /etc/ssl/cert.pem")
isn't enough for feeding the installed .crt file to the 'openssl s_client'
command:
dmitry at lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null </dev/null | egrep '^[[:space:]]*Verify return code:'
Verify return code: 20 (unable to get local issuer certificate)
dmitry at lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null </dev/null | egrep '^[[:space:]]*Verify return code:'
Verify return code: 0 (ok)
So it looks like the /etc/ssl/cert.pem link just isn't "magic enough" to
be used by the 'openssl s_client' command by default (without the -CAfile
command line argument). Alas, both openssl(1) and s_client(1) lack a
FILES section, so it's unclear whether a default value for -CAfile can be
specified in some configuration file. Moreover, openssl(1) refers to
config(5), but 'man 5 config' describes the FreeBSD kernel config, not
OpenSSL's.
But yes, installing the security/ca_root_nss port _and_ specifying
'-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your
problem.
--
Sincerely, Dmytro