SSL is broken on FreeBSD

Scot Hetzel swhetzel at gmail.com
Wed Apr 6 15:08:14 UTC 2011


On Tue, Apr 5, 2011 at 5:30 PM, Frank J. Cameron <cameron at ctc.com> wrote:
>> So it looks like /etc/ssl/cert.pem link just isn't "magic enough" to
>> be used by the ''openssl s_client" command by default (without -CAfile
>> command line argument).
>
> http://curl.haxx.se/mail/archive-2003-07/0036.html
>        Unfortunately, the information about this is not in the current
>        OpenSSL documentation. You have to read the source code or
>        see discussion about it in the openssl-dev mailing list.
>        There is a reference to the X509_get_default_cert_file and
>        X509_get_default_cert_file_env in the obsolete ssleay.txt file
>        in the OpenSSL document directory, but that is about it. The only
>        references that I know to the SSL_CERT_FILE and SSL_CERT_DIR
>        environment variables (other than in the source code itself)
>        are in the old "SSLeay and SSLapps FAQ" which is not distributed
>        with OpenSSL (available at http://www2.psy.uq.edu.au/~ftp/Crypto/).
>        See some correspondence about these defaults in the openssl-dev
>        mailing list in a thread started by me in December 2002
>        (with a fix for the code by Richard Levitte and Rich Salz):
>        "http://marc.theaimsgroup.com/?l=openssl-dev&m=103899056011520"
>
>        The default name for the ca cert bundle is defined in
>        crypto/cryptlib.h, as are the environment variables
>        SSL_CERT_FILE and SSL_CERT_DIR.
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/crypto/cryptlib.h
>        #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
>
> http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
>        OPENSSLDIR=/usr/local/ssl
>
FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL
as part of a buildworld; instead, we use our own custom Makefiles in
secure/lib/libcrypto.  The only place where OPENSSLDIR is defined is
in secure/lib/libcrypto/opensslconf-${MACHINE_CPUARCH}.h

http://svn.freebsd.org/viewvc/base/head/secure/lib/libcrypto/opensslconf-amd64.h?revision=194207&view=markup

#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#define ENGINESDIR "/usr/lib/engines"
#define OPENSSLDIR "/etc/ssl"
#endif
#endif

> So, should the port be linking?:
>        /usr/local/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
>
The port is creating the correct link for the base install of openssl.

Scot
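As an added illustration (not part of Scot's or Frank's message), a small sh script that mirrors the lookup order the thread describes: SSL_CERT_FILE if set, otherwise OPENSSLDIR/cert.pem, with OPENSSLDIR taken as /etc/ssl for the base system and, for whichever openssl is first in PATH, parsed from `openssl version -d` (its `OPENSSLDIR: "..."` output format is assumed). It then checks whether that path actually resolves to a PEM bundle, which is what exposes a dangling cert.pem symlink.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the lookup order the replies
# describe: SSL_CERT_FILE (X509_get_default_cert_file_env) wins, otherwise
# OPENSSLDIR/cert.pem (X509_CERT_FILE in cryptlib.h). OPENSSLDIR is /etc/ssl
# for the FreeBSD base libcrypto; other builds report theirs via
# `openssl version -d`, whose output is assumed to look like OPENSSLDIR: "...".

# Print the CA bundle path a libcrypto built with OPENSSLDIR=$1 would use.
default_cert_file() {
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    else
        printf '%s/cert.pem\n' "$1"
    fi
}

# Count PEM certificates in a bundle. Missing, unreadable or empty files count
# as 0, so a dangling cert.pem symlink shows up as "no CA bundle" here.
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Report where one OpenSSL build looks and whether a bundle is really there.
# Returns non-zero when the default path yields no certificates.
check_bundle() {
    cb_dir=$1
    cb_file=$(default_cert_file "$cb_dir")
    cb_n=$(count_pem_certs "$cb_file")
    if [ -L "$cb_file" ]; then
        printf '%s -> %s\n' "$cb_file" "$(readlink "$cb_file")"
    fi
    printf 'OPENSSLDIR=%s CA file=%s certificates=%s\n' "$cb_dir" "$cb_file" "$cb_n"
    [ "$cb_n" -gt 0 ]
}

# Base system first (OPENSSLDIR from opensslconf-*.h), then whichever openssl
# is first in PATH, which is the port's binary when /usr/local/bin comes first.
check_bundle /etc/ssl || echo 'base system: no usable CA bundle at the default path'
if command -v openssl >/dev/null 2>&1; then
    port_dir=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    check_bundle "$port_dir" || echo 'openssl in PATH: no usable CA bundle at the default path'
fi
```

Running it with `SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt` in the environment shows the override path the thread mentions being picked instead of OPENSSLDIR/cert.pem.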

