Hi folks,

Could somebody explain to me how it is possible to ship an operating system without testing basic functionality like SSL working? Unfortunately the problem is still there after installing the following port:

  /usr/ports/security/ca_root_nss

http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22
About 1,490 results (0.14 seconds)

  openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -dates

  depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  DONE
  subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
  notBefore=Oct 8 00:00:00 2010 GMT
  notAfter=Oct 7 23:59:59 2013 GMT

FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is like shipping a car without wheels, I suppose.

Is there a reason to do this?

How much effort would it be to ship a complete SSL stack, including the root CAs, just like any other vendor/community does?

Thanks.

I.

--
the sun shines for all
István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA

No. A list of trusted CAs is a list of CAs that you trust. It is related to the policies of the particular CA, the law in the country where the CA operates, the overall reputation of such a CA - and your personal preferences and paranoia level. Only you personally can decide which CA is a "trustful CA" for you.

Of course, you can accept a list created by someone else if you wish - you mentioned security/ca_root_nss. But it's still your personal decision. Yes, someone else's list may not contain some CAs that you classify as trusted - and, worse, it may contain some CAs you don't consider trustable. It's your risk when adopting a list from an external source, and you should not adopt such a list blindly unless security is "unimportant" for you.

But back to your problem - FreeBSD contains NO list of trusted CAs and it SHOULD NOT contain one. The port security/ca_root_nss is NOT part of the operating system - if you want to change it you need to ask its author. Or use a list prepared by someone else. Or prepare your own list (it's the most secure way).

Dan
Sounds like your openssl is broken; it works just fine for me, gets gmail certificate.

On Apr 1, 2011 11:01 AM, "István" <leccine@gmail.com> wrote:
> Hi folks,
>
> Could somebody explain to me how it is possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> http://www.google.com/search?q=%2Bfreebsd+%2B%22verify+error%3Anum%3D20%3Aunable+to+get+local+issuer+certificate%22
> About 1,490 results (0.14 seconds)
>
> openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne '/-BEGIN
> CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -subject -dates
>
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> DONE
> subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
> notBefore=Oct 8 00:00:00 2010 GMT
> notAfter=Oct 7 23:59:59 2013 GMT
>
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is
> like shipping a car without wheels, I suppose.
>
> Is there a reason to do this?
>
> How much effort would it be to ship a complete SSL stack, including the root
> CAs, just like any other vendor/community does?
>
> Thanks.
>
> I.
>
> --
> the sun shines for all
On Fri, Apr 01, 2011 at 03:33:15PM +0100, István wrote:
>
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right,
> it is like shipping a car without wheels, I suppose.

Err . . . no. SSL isn't broken, any more than vi is broken just because it doesn't ship with text files for you to edit. It would be more like shipping a car without giving you a list of roads on which the manufacturer suggests you use it.

> Is there a reason to do this?

I don't know. Maybe the guys who made that decision thought that users should be able to make their own decisions about who to trust, rather than relying on Verisign to make that decision for them. I'm just speculating wildly -- I actually have no idea.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
On Fri, Apr 1, 2011 at 10:33 AM, István <leccine@gmail.com> wrote:
> Could somebody explain to me how it is possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss

OpenSSL works just fine for me. I am using it on an internal network with a CA that I created myself. That is the only CA that I want to trust, since all the servers that I'm using are signed by it and only it. I've manually added it to the CA lists here. That way, I can add a new server, create a cert for it, sign it, and profit immediately.

There are no CAs by default in FreeBSD because that's the way it should be. I would have had to remove all of them. As the FAQ for OpenSSL states:

"The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators."
(http://www.openssl.org/support/faq.html#USER16)

Now, you are also not satisfied with the CA bundle in the ports collection because it does not contain the CA that you need. I'm not sure which one it is that you need. But a good place to start is here:

http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

That contains a perl script for extracting the CA bundle from Mozilla's CVS. At first glance, it may frustrate you, because it may not be obvious where it connects to (that info is obscured). However, look at the following help file. It has all the connection details for mozilla's cvsroot that you will need. Just substitute "anonymous@cvs-mirror.mozilla.org" for "[EMAIL PROTECTED]" in the script.

https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS

If you are not satisfied with Mozilla's bundle, you can find Google Chrome's list here somewhere:

http://src.chromium.org/viewvc/chrome/

All of this may or may not solve your problem. You may need to build your own bundle and include the CAs that you want to trust.

Also, one last thing: You can catch more flies with honey than with vinegar.
> You're probably not aware (owing to your arrogance) that at least some of
> the CAs which ship as part of the Mozilla bundle have been known to issue
> fraudulent certificates in the past, even the past few weeks.

Once there was a remote root in the FreeBSD kernel, so I have just stopped using it (sometimes I wish I did....)
On Fri, 2011-04-01 at 15:33 +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is
> like shipping a car without wheels, I suppose.
>
> Is there a reason to do this?
>
> How much effort would it be to ship a complete SSL stack, including the root
> CAs, just like any other vendor/community does?

Yeah, maybe FreeBSD should ship with the same list of root CAs that Internet Explorer does, so we can say FreeBSD is a compatible operating system.

This is business, multi-million dollar business. Microsoft decides who to trust on behalf of the consumer, and companies and governments all over the world pay millions of dollars so their sites are "trusted". The price of certificates from VeriSign is justified because everybody trusts them, even though nobody ever thought about it. That's dirty business.

And you think FreeBSD should "suggest" trust in these companies and get nothing in return? Or would they contribute a couple of millions to the FreeBSD Foundation?

The only root CAs that could be included by default would be those of governments (but which governments do you trust?) and things like CAcert.org.

--
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C
On Fri, Apr 01, 2011 at 03:32:51PM +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right,
> it is like shipping a car without wheels, I suppose.

While I agree somewhat with your sentiment, SSL is not necessarily broken without CA certificates, as it's completely possible to do TOFU verification à la SSH.

However, I think it's an appropriate time to mention again that there is at least one place in base that does indeed have broken SSL support, namely libfetch. To do SSL properly, you can do CA certificate verification or you can do TOFU, but libfetch still accepts any certificate it encounters, without user warning.
Hello!

On Fri, Apr 1, 2011 at 5:33 PM, István <leccine@gmail.com> wrote:
> Could somebody explain to me how it is possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>
> openssl s_client -connect 72.21.203.148:443 </dev/null | ...

Hmm, IMHO a quite simple question (it's all about OpenSSL application config) has caused such a big and not-so-relevant discussion (about the OS as a whole) ;)

Actually, as I can see, just installing the ca_root_nss port (even with ETCSYMLINK=on "Add symlink to /etc/ssl/cert.pem") isn't enough for feeding the installed .crt file to the 'openssl s_client' command:

  dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null | egrep '^[[:space:]]*Verify return code:'
      Verify return code: 20 (unable to get local issuer certificate)

  dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null < /dev/null | egrep '^[[:space:]]*Verify return code:'
      Verify return code: 0 (ok)

So it looks like the /etc/ssl/cert.pem link just isn't "magic enough" to be used by the 'openssl s_client' command by default (without the -CAfile command line argument). Alas, both openssl(1) and s_client(1) lack a FILES section, so it's unclear whether a default value for -CAfile can be specified in some configuration file. Moreover, openssl(1) refers to config(5), but 'man 5 config' tells about the FreeBSD kernel config, not OpenSSL's one.

But yes, installing the security/ca_root_nss port _and_ specifying '-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your problem.

--
Sincerely,
Dmytro
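The two verification models raised in this thread (CA-based verification, which needs a trust anchor such as the -CAfile Dmytro passes, and SSH-style trust-on-first-use, which needs none) can be reproduced offline with nothing but the openssl binary. The script below is an added example written for this edited page; it is not from any message in the thread and not FreeBSD or OpenSSL project code. It builds a throw-away private CA and a leaf certificate in a temporary directory (the subject names are constructed and mean nothing), then shows that "openssl verify" reports the thread's "unable to get local issuer certificate" when no trust store is supplied, passes once the CA is given with -CAfile, and finally pins the leaf certificate's SHA-256 fingerprint in a known_hosts-like file the way a TOFU client would. It assumes a POSIX sh and an OpenSSL 1.1.1 or newer binary on PATH.

```sh
#!/bin/sh
# Added example: CA verification vs. trust-on-first-use, demonstrated with a
# throw-away CA generated on the fly. Nothing here is real infrastructure.
set -u

WORK=$(mktemp -d)                  # private scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT

# make_certs: self-signed root CA plus one leaf certificate signed by it.
# Subjects are constructed placeholders for the example only.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=s3.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_with_cafile: the working case from the thread, trust anchor supplied.
verify_with_cafile() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_without_cafile: no trust store at all, i.e. a base system that ships
# no CA list. -no-CApath/-no-CAfile keep the host's own store out of the picture.
verify_without_cafile() {
    openssl verify -no-CApath -no-CAfile "$WORK/leaf.crt" >/dev/null 2>&1
}

# Returns 0 when the failure is exactly error 20 from the original post.
verify_without_cafile_reports_issuer_error() {
    openssl verify -no-CApath -no-CAfile "$WORK/leaf.crt" 2>&1 \
        | grep -q 'unable to get local issuer certificate'
}

# fingerprint FILE: SHA-256 fingerprint of a certificate, the value TOFU pins.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# tofu_check HOST CERTFILE: trust-on-first-use modelled on ssh's known_hosts.
# First sighting of HOST records its fingerprint; later sightings must match.
# Returns 0 on first use or on a match, 1 when the certificate has changed.
tofu_check() {
    host=$1; cert=$2; known="$WORK/known_certs"
    fp=$(fingerprint "$cert")
    touch "$known"
    stored=$(awk -v h="$host" '$1==h {print $2}' "$known")
    if [ -z "$stored" ]; then
        echo "$host $fp" >> "$known"       # first use: pin it
        return 0
    fi
    [ "$stored" = "$fp" ]
}

# Demo run.
make_certs || { echo "certificate generation failed (is openssl installed?)"; exit 1; }

if verify_without_cafile; then
    echo "no trust store : OK (unexpected)"
else
    echo "no trust store : FAILED, as in the original post"
    openssl verify -no-CApath -no-CAfile "$WORK/leaf.crt" 2>&1 | grep 'error 20' || true
fi
verify_with_cafile && echo "-CAfile ca.crt : OK"

tofu_check s3.example.invalid "$WORK/leaf.crt" && echo "tofu           : pinned on first use"
# A different certificate for the same host (ca.crt stands in for a changed
# cert) must be refused, which is the whole point of TOFU.
tofu_check s3.example.invalid "$WORK/ca.crt" || echo "tofu           : MISMATCH, certificate changed"
```

Running it prints the failed-then-successful verify and the TOFU pin/mismatch. Note that the TOFU path never consults a CA at all: it is exactly the model ssh uses, and exactly what the thread's libfetch remark says is missing when a client neither verifies against a CA nor remembers what it saw before.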