Hello, I have a FreeBSD 10.1 installation with security/ca_root_nss installed (with ETCSYMLINK). /etc/make.conf contains WITH_OPENSSL_BASE="YES", the port (security/openssl) is not installed. /etc/ssl/cert.pem points to /usr/local/share/certs/ca-root-nss.crt, which contains the CA certificates as expected. When I do openssl s_client -showcerts -host my.server -port 443, I get "Verify return code: 20 (unable to get local issuer certificate)", i.e. the certificate can't be verified. The same command with -CAfile openssl s_client -CAfile /etc/ssl/cert.pem -showcerts -host my.server -port 443 works ("Verify return code: 0 (ok)"). Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I get OpenSSL to use it by default? The problem is that net-im/ejabberd uses the default OpenSSL verification (when certificate verification is activated), and as far as I know, there's no possibility to specify an extra CAfile. This means that I can't use certificate validation with XMPP, which is not good... Do you have an idea?
On 12/18/15 11:41, rhi wrote:
> Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I
> get OpenSSL to use it by default?

Is that the ports or the base version of openssl? I can recreate your results with the base openssl, but everything works as expected with the ports version:

# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com -port 443
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000004)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5119 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002
    Session-ID-ctx:
    Master-Key: 4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B4450FDA6EDD02063A8914A056
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1450441132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to crypto happiness in the ports.

Cheers,

Matthew
Dag-Erling Smørgrav
2015-Dec-18 16:29 UTC
[OpenSSL] /etc/ssl/cert.pem not honoured by default
rhi <r at hirner.at> writes:
> When I do openssl s_client -showcerts -host my.server -port 443, I get
> "Verify return code: 20 (unable to get local issuer certificate)", i.e. the
> certificate can't be verified.

It works on 10.2. I'm not sure at what point it changed.

DES
--
Dag-Erling Smørgrav - des at des.no
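As an added example (not from the thread), a Python 3 check that reports where the OpenSSL a program is linked against looks for its default CA file, whether rhi's /etc/ssl/cert.pem would be picked up by a plain verify (no -CAfile), and how many CAs the default paths actually load. It assumes only the standard library; the workaround it suggests for a daemon such as ejabberd that takes no CAfile option is SSL_CERT_FILE, OpenSSL's own environment override for the default CA file, which is not something the thread itself proposes.

```python
import os
import ssl
from collections import namedtuple

# Same field layout as ssl.get_default_verify_paths(), so the check can run
# on constructed values as well as on the live library.
Paths = namedtuple("Paths", "cafile capath openssl_cafile_env openssl_cafile "
                            "openssl_capath_env openssl_capath")

def diagnose(paths, env, bundle="/etc/ssl/cert.pem"):
    """Work out which CA file a default-path verify (no -CAfile) will read.

    The compiled-in default is paths.openssl_cafile ($OPENSSLDIR/cert.pem);
    the variable named by paths.openssl_cafile_env (SSL_CERT_FILE) overrides
    it. The certs directory (SSL_CERT_DIR) is deliberately not considered.
    Returns the effective file, whether it is the bundle the admin expects,
    and what to do if it is not.
    """
    override = env.get(paths.openssl_cafile_env)
    effective = override or paths.openssl_cafile
    # realpath so that a symlinked /etc/ssl/cert.pem still matches its target
    honoured = os.path.realpath(effective) == os.path.realpath(bundle)
    if honoured:
        advice = "default verification already reads %s" % bundle
    else:
        # A daemon with no CAfile knob can still be pointed at the bundle
        # through its environment (rc.conf / service environment on FreeBSD).
        advice = ("export %s=%s in the daemon's environment, or build against "
                  "the ports openssl" % (paths.openssl_cafile_env, bundle))
    return {"effective": effective, "overridden": bool(override),
            "honoured": honoured, "advice": advice}

def loaded_ca_count(cafile=None):
    """Number of CA certs a verify context sees: default paths vs explicit file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is None:
        ctx.load_default_certs()          # what s_client without -CAfile gets
    else:
        ctx.load_verify_locations(cafile=cafile)  # what -CAfile gets
    return ctx.cert_store_stats()["x509_ca"]

if __name__ == "__main__":
    report = diagnose(ssl.get_default_verify_paths(), os.environ)
    for key, value in report.items():
        print("%-11s %s" % (key + ":", value))
    print("CAs via default paths:", loaded_ca_count())
```

A zero count from loaded_ca_count() with "honoured: False" is the base-OpenSSL symptom from the thread; the same count after exporting SSL_CERT_FILE confirms the override took effect.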