-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01.05.2010 05:16, John Marshall wrote:
> I just spent quite a while trying to figure out what broke SSL
> certificate verification in my irc client after taking some brave pills
> and updating ports on my notebook.
>
> It turns out that OpenSSL 1.0.0 hashes certificates differently to
> earlier versions. That meant that applications looking in my
> /usr/local/openssl/certs directory couldn't find hashes for CA
> certificates because the hash links had been created with OpenSSL 0.9.8.
>
> From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
>
> "Enhance the hash format used for certificate directory links. The new
> form uses the canonical encoding (meaning equivalent names will work
> even if they aren't identical) and uses SHA1 instead of MD5. This form
> is incompatible with the older format and as a result c_rehash should
> be used to rebuild symbolic links.
> [Steve Henson]"
>
> So, that's good to know but here's the really fun bit. Just running
> c_rehash won't fix it if you have openssl in the base system - because
> it picks up /usr/bin/openssl (old version, old hashes). The
> /usr/local/bin/c_rehash script relies on an environment variable to
> point it at anything other than the base openssl. So, if I set
> OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
> I get the "new" hashes and stuff works again.

(cc'ing Dirk who maintains the OpenSSL port - consider taking the patch
linked below)

I reported this - along with proposed fixes - to OpenSSL a couple of
days ago, however there does not seem to be a 1.0.0a yet.

(username and password "guest")
Report: <http://rt.openssl.org/Ticket/Display.html?id=2234>
Deep link to patch:
<http://rt.openssl.org/Ticket/Attachment/26716/13060/openssl-1.0.0-fix-c_rehash.patch>

HTH
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iEYEARECAAYFAkvfEAkACgkQvmGDOQUufZWnwQCgllN15Dzm2E5gQcTJOx4xlBvw
2+oAniPTLC32IBTBAAaC9+noMZHybGPQ
=U4UG
-----END PGP SIGNATURE-----
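
Added example (not part of the original thread and not the patch attached to the ticket): a shell function that audits the hash links in a certificate directory against one specific openssl binary, chosen through the same OPENSSL environment variable the post says c_rehash reads. The function name audit_hash_links and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL.
# OPENSSL selects the binary that computes the hashes, as with c_rehash.
# Left unset, the first "openssl" in PATH is used, which on the system
# described in the post is the base one that produces the old hashes.
OPENSSL="${OPENSSL:-openssl}"

# audit_hash_links DIR
# Prints one line per certificate hash link (HHHHHHHH.N) in DIR whose name
# disagrees with the subject hash $OPENSSL computes for its target.
# Returns 0 when every link matches, 1 otherwise.
audit_hash_links() {
    dir=$1
    rc=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue          # hash links are symlinks
        name=${link##*/}
        have=${name%%.*}                    # hash part of the link name
        seq=${name#*.}                      # collision counter after the dot
        case $seq in ''|*[!0-9]*) continue ;; esac
        case $have in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *) continue ;;
        esac
        if [ ! -e "$link" ]; then           # target certificate was removed
            echo "DANGLING $name"
            rc=1
            continue
        fi
        # -hash prints the subject name hash in the format of this binary:
        # MD5-based before 1.0.0, canonical encoding with SHA1 from 1.0.0 on.
        want=$("$OPENSSL" x509 -noout -hash -in "$link" 2>/dev/null) || want=
        if [ -z "$want" ]; then
            echo "UNREADABLE $name"
            rc=1
        elif [ "$want" != "$have" ]; then
            echo "STALE $name expected=$want.$seq"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `OPENSSL=/usr/local/bin/openssl` followed by `audit_hash_links /usr/local/openssl/certs`, using the same binary the verifying application is linked against; any STALE line means that directory needs c_rehash run with that OPENSSL setting.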