freebsd security - Dec 2015 - [OpenSSL] /etc/ssl/cert.pem not honoured by default

On 12/18/15 11:41, rhi wrote:
> Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I
> get OpenSSL to use it by default?
Is that the ports or the base version of openssl?  I can recreate your
results with the base openssl, but everything works as expected with the
ports version:

:# /usr/local/bin/openssl s_client -showcerts -host whatever.example.com
-port 443
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000004)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5119 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
2DCC13EBCF9AC1809985CE3CC0C6B4BFA57A49B68E9CF6BBD3A6C6286CCD7002
    Session-ID-ctx:
    Master-Key:
4B78DD6268C3D2674AA10B16617D9ED92C061FD44A3B483F03CD39F043C3EA23F9F6A6B4450FDA6EDD02063A8914A056
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 1f 25 24 ba 2c 17 70-37 6c 71 e2 a1 46 75 fb
..%$.,.p7lq..Fu.
    0010 - 5f 50 8e 2c 58 c3 72 c8-c4 03 8c 60 0b 54 f3 d7
_P.,X.r....`.T..
    0020 - 5c 2c af 3e cc b4 1b 77-c3 a0 2e dd e9 7c 39 89
\,.>...w.....|9.
    0030 - dc 9f 10 0b f6 5f 8c 9a-df 18 8f 77 27 be f4 fb
....._.....w'...
    0040 - e7 34 fe b4 5a 36 78 8d-20 fd b2 68 1b f2 16 dc   .4..Z6x.
..h....
    0050 - 5e ea d0 79 5e e1 88 66-05 35 1f b9 b8 71 91 9d
^..y^..f.5...q..
    0060 - 09 2a 4a 61 da 5a 5b ad-66 20 19 eb df e5 55 f4   .*Ja.Z[.f
....U.
    0070 - 29 4c a2 e3 35 ed f9 53-c2 18 dd d6 8b f9 1e ef
)L..5..S........
    0080 - 81 76 c5 db a5 15 62 23-cd 4a 80 6d f1 7f 2f 19
.v....b#.J.m../.
    0090 - d9 c4 00 21 fe 3c 00 4e-4f 70 1d cd 56 20 8f 98
...!.<.NOp..V ..
    00a0 - 65 88 a4 6c fe 96 9a 38-f4 f4 fd 25 58 22 98 24
e..l...8...%X".$

    Start Time: 1450441132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to
crypto happiness in the ports.

	Cheers,

	Matthew


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20151218/307017fd/attachment.sig>

On 18.12.2015 13:25, Matthew Seaman wrote:
> Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route
to crypto happiness in the ports.
Definitely. But beware of applications using system Kerberos libraries 
(it use system's OpenSSL).

If an application import library A that depend on system's OpenSSL and 
library B that depend on port's OpenSSL the troubles are imminent.

Dan

Matthew Seaman <matthew <at> freebsd.org> writes:
> Is that the ports or the base version of openssl?  I can recreate your
> results with the base openssl, but everything works as expected with the
> ports version:
Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base
OpenSSL or do I use it wrongly?

Until now, I have avoided installing the OpenSSL port because the base
OpenSSL gets security updates via freebsd-update and so it's one thing less
to care about... also, I don't like the idea of having two different
versions of the same thing on the system (because some applications might
use the one versions, others the second one, and then it's quite difficult
to find the bugs).

Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
is only used for the system itself?

And thanks for your help! I wouldn't have had the idea that base OpenSSL vs.
port OpenSSL could be the cause of the problem.