SSL is broken on FreeBSD
Dan Lukes
dan at obluda.cz
Wed Apr 6 00:00:03 UTC 2011
On 04/06/11 00:30, Frank J. Cameron:
> The default name for the ca cert bundle is defined in
> crypto/cryptlib.h, as are the environment variables
> SSL_CERT_FILE and SSL_CERT_DIR.
Maybe. But as far as I know those variables don't affect the s_client
application.
> So, should the port be linking?:
> /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
Even in the case I'm not right and there IS an "implicit -CApath", my
answer to your question is "No".
1. Installation of ca-root-nss.crt doesn't mean it's installed for use
with openssl. So we should not affect the openssl behavior automatically.
2. Such a link will affect all users of the system. The decision "what CA
is trustful" should remain a personal decision, not the system
administrator's decision, by default. Installation of ca-root-nss should
not hit all users of the system automatically.
Dan
More information about the freebsd-security mailing list