Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-30 Thread Carl Johnson
Dan Strick mla_str...@att.net writes:

> I just installed FreeBSD release 8.1 and rebuilt the fetchmail port.
> Now I get messages like these when I run fetchmail:

--- snip ---

> I can get rid of the message by removing the ssl option from the user
> line but then fetchmail would not even try to use ssl.  Why would the
> old fetchmail be better able to verify the server's ssl certificate?
> Has openssl changed?  Where is the openssl certificate directory and why
> should the information needed to verify the server's certificate be
> found on my machine?  Doesn't the openssl library contain something
> like a hardwired list of well known certificate authority systems?

You already got replies about using the sslcertfile option pointing to
/usr/local/share/certs/ca-root-nss.crt.  The problem is that only fixes
fetchmail and must be duplicated for each application.  I finally got
around to looking into how to integrate those certificates into the
openssl configuration for FreeBSD, and the following is what I came up
with.

The openssl configuration in /etc/ssl/openssl.cnf expects all
certificates and hashes to be in /etc/ssl/certs, so the certificate file
must be split into individual certificates there, and hashes generated.
The following steps will handle that.  Some of these steps must be
performed as root, so all of them might as well be.


cd /etc/ssl/certs  # create if necessary
split -p '^Certificate:' /usr/local/share/certs/ca-root-nss.crt cert
rm certaa  # just the file header
for file in cert* ; do mv $file $file.pem ; done   # rename to certxx.pem
perl /usr/src/crypto/openssl/tools/c_rehash  . # generate the hashes


The above steps are for a FreeBSD 8.1-RELEASE, so they might not work
exactly for other versions.  This also assumes that you trust the
certificates in the ca_root_nss package, so you will have to decide that
for yourself.

I have seen several questions and problems about ssl certificates, so
hopefully others will find this useful.

-- 
Carl Johnson  ca...@peak.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
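A generalisation of the procedure in Carl's message, added here as an example (it is not code from the thread): a POSIX shell script that splits the bundle on the PEM BEGIN/END lines instead of on "Certificate:" text headers, so it also works for bundles without a text dump, and then builds the subject-hash links that c_rehash produces. The function names split_bundle and rehash_dir are my own; the only external dependency is the openssl binary, used by rehash_dir.

```shell
#!/bin/sh
# Added example: split a PEM CA bundle into one file per certificate and
# create the <subject-hash>.<n> symlinks that OpenSSL's hashed CApath lookup
# (and fetchmail's --sslcertpath) expects, i.e. what c_rehash does.
# Assumes: POSIX sh + awk; the openssl binary in PATH for rehash_dir only.

# split_bundle BUNDLE OUTDIR -> writes OUTDIR/certNNNN.pem, prints the count.
# Splitting on the BEGIN/END lines works for plain PEM bundles as well as
# for ones carrying "Certificate:" text dumps or "##" comments between
# blocks; anything outside a BEGIN..END pair is dropped.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert%04d.pem", dir, n); keep = 1
        }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# rehash_dir DIR -> for every *.pem, link <hash>.<i> to it, where <hash> is
# the subject-name hash from "openssl x509 -hash" and <i> counts collisions,
# exactly as c_rehash does. Files openssl cannot parse are reported, skipped.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || {
            echo "rehash_dir: skipping $pem (not a certificate)" >&2
            continue
        }
        i=0
        while [ -e "$dir/$hash.$i" ]; do
            # already linked to this very file: nothing to do
            [ "$(readlink "$dir/$hash.$i")" = "$(basename "$pem")" ] && continue 2
            i=$((i + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$i"
    done
}

# Usage (as root on the live system), then verify a saved server cert:
#   split_bundle /usr/local/share/certs/ca-root-nss.crt /etc/ssl/certs
#   rehash_dir /etc/ssl/certs
#   openssl verify -CApath /etc/ssl/certs server.pem
```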


Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-16 Thread A. Wright

On Sun, 15 Aug 2010, RW wrote:

> On Sun, 15 Aug 2010 Dan Strick mla_str...@att.net wrote:
>
> > That explains the problem.
> > I copied the file /usr/local/share/certs/ca-root-nss.crt from my old
> > FreeBSD release-8.0 system and hooked it up to fetchmail with the
> > fetchmail sslcertfile option.  At least fetchmail is now happy.
>
> You'd be better off installing security/ca_root_nss otherwise you'll be
> stuck with a stale file.
>
> I don't know why you don't have it, it's a dependency of fetchmail and
> many other ports.

This thread caused me to look at my maillog, and I see the same issue.

The fetchmail port has correctly installed security/ca_root_nss,
and pkg_which reports the file in /usr/local/share/certs as having
the origin ca_root_nss-3.12.4, however fetchmail isn't looking at
it.

Looking at the fetchmail code, there is no value set for
ctl-sslcertfile.  I'm not sure what fetchmail's behaviour was
prior to 8.1, so I do not know whether this has changed.  I
don't have a pre-8.1 install handy -- if the OP does, I'd be
interested in knowing whether the string
SSL trusted certificate file:
appears in the output of
env LC_ALL=C fetchmail -V -v --nodetach --nosyslog
and if so, what filename appears after the colon.

A.


Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-16 Thread Dan Strick
On Mon, 16 Aug 2010 01:57, RW wrote:

> You'd be better off installing security/ca_root_nss otherwise you'll be
> stuck with a stale file.
>
> I don't know why you don't have it, it's a dependency of fetchmail and
> many other ports.

I had it but I didn't know it.  I did discover the file it installed,
/usr/local/share/certs/ca-root-nss.crt, and started to use it for fetchmail
in place of the file from my old FreeBSD system.  After I read the above
note from RW I figured out it referred to a port, that I had the port, that
it was a dependency of fetchmail and had been installed and was probably
the source of the file /usr/local/share/certs/ca-root-nss.crt.

Erik Norgaard also mentioned the port but I didn't understand at the time
that he was referring to a port.  He also mentioned the file
/usr/src/crypto/openssl/FAQ which very briefly discusses the issue and
mentions http://www.mail-archive.com/modssl-us...@modssl.org/msg16980.html
which describes a mechanism for constructing a root certificate bundle
from some obscure data file apparently produced by the Mozilla project,
but of course I lacked the background to understand these things at the
time.  I still don't understand them very well.

The relevant user options in my .fetchmailrc file are now:
ssl sslproto SSL3 sslcertck
sslcertfile /usr/local/share/certs/ca-root-nss.crt
sslfingerprint ...

Perhaps since fetchmail installs ca_root_nss as a dependency it should
also default to using the installed ca root bundle file.  Perhaps the
fetchmail port should have produced an installation message that
mentioned these things.  Perhaps the port should patch the fetchmail
man page to suggest using this file with the sslcertfile option.

I have looked very very hard for documentation on this stuff in an
obvious place but have not found any.  Where should I have looked?

Thanks,
Dan Strick
mla_strick at att.net

fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-15 Thread Dan Strick
I just installed FreeBSD release 8.1 and rebuilt the fetchmail port.
Now I get messages like these when I run fetchmail:

fetchmail: Warning: the connection is insecure, continuing anyways.
   (Better use --sslcertck!)
fetchmail: No mail for whoe...@att.net at att
fetchmail: Server certificate verification error: unable to get local
   issuer certificate
fetchmail: This means that the root signing certificate (issued for
   /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo
   /CN=pop.att.yahoo.com) is not in the trusted CA certificate
   locations, or that c_rehash needs to be run on the certificate
   directory. For details, please see the documentation of
   --sslcertpath and --sslcertfile in the manual page.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the
   first certificate

I just rebooted my old FreeBSD 8.0 system and verified that the old
fetchmail does not complain about this.  My .fetchmailrc file has not
changed.  It looks something like this:

poll att via pop.att.yahoo.com proto pop3
 user whoe...@att.net pass whatever is mla ssl

I can get rid of the message by removing the ssl option from the user
line but then fetchmail would not even try to use ssl.  Why would the
old fetchmail be better able to verify the server's ssl certificate?
Has openssl changed?  Where is the openssl certificate directory and why
should the information needed to verify the server's certificate be
found on my machine?  Doesn't the openssl library contain something
like a hardwired list of well known certificate authority systems?

Thanks for any information you can provide.

Dan Strick
mla_strick at att.net

Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-15 Thread Erik Norgaard

On 15/08/10 21.38, Dan Strick wrote:

> I can get rid of the message by removing the ssl option from the user
> line but then fetchmail would not even try to use ssl.  Why would the
> old fetchmail be better able to verify the server's ssl certificate?
> Has openssl changed?  Where is the openssl certificate directory and why
> should the information needed to verify the server's certificate be
> found on my machine?  Doesn't the openssl library contain something
> like a hardwired list of well known certificate authority systems?

A little bit of searching around I found this (I don't know since when):

# less /usr/src/crypto/openssl/certs/README.RootCerts
The OpenSSL project does not (any longer) include root CA certificates.

Please check out the FAQ:
  * How can I set up a bundle of commercial root CA certificates?

The FAQ is here:

/usr/src/crypto/openssl/FAQ

Also, you might find this interesting:

http://fetchmail.berlios.de/fetchmail-man.html#19

Check your fetchmail settings for sslcertck, maybe it's a compile time 
option to enable this by default.


Fetchmail depends on ca_root_nss, check that one too.

BR, Erik

Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-15 Thread Dan Strick
On Sun, 15 Aug 2010 22:36, Erik Norgaard wrote:

> A little bit of searching around I found this (I don't know since when):
>
> # less /usr/src/crypto/openssl/certs/README.RootCerts
> The OpenSSL project does not (any longer) include root CA certificates.
>
> Please check out the FAQ:
>   * How can I set up a bundle of commercial root CA certificates?
>
> The FAQ is here:
>
> /usr/src/crypto/openssl/FAQ

That explains the problem.
I copied the file /usr/local/share/certs/ca-root-nss.crt from my old
FreeBSD release-8.0 system and hooked it up to fetchmail with the
fetchmail sslcertfile option.  At least fetchmail is now happy.

Thanks for the help,
Dan Strick

Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

2010-08-15 Thread RW
On Sun, 15 Aug 2010 15:35:02 -0700 (PDT)
Dan Strick mla_str...@att.net wrote:

> That explains the problem.
> I copied the file /usr/local/share/certs/ca-root-nss.crt from my old
> FreeBSD release-8.0 system and hooked it up to fetchmail with the
> fetchmail sslcertfile option.  At least fetchmail is now happy.

You'd be better off installing security/ca_root_nss otherwise you'll be
stuck with a stale file.

I don't know why you don't have it, it's a dependency of fetchmail and
many other ports.