On Wed, 2011-04-06 at 01:45 -0400, jhell wrote:
If you truss the command above before and after creating so said links
in /usr/local/etc/ssl and in /etc/ssl you'll see that there is no
default
CAfile or CApath searched for.
Interesting, thanks. I don't have a FreeBSD box around at present so
On Wed, 2011-04-06 at 10:43 -0400, Scot Hetzel wrote:
http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssl/Makefile
OPENSSLDIR=/usr/local/ssl
FreeBSD doesn't use the crypto/openssl/Makefile when building OpenSSL
as part of a buildworld, instead we use our own custom Makefiles
On Apr 4, 2011, at 7:39 PM, Garrett Wollman woll...@bimajority.org wrote:
On Tue, 5 Apr 2011 09:05:47 +1000, richo ri...@psych0tik.net said:
On 05/04/11 06:57 +1000, Peter Jeremy wrote:
It has occurred to me that maybe the FreeBSD SO should create a root
cert and distribute that with
On Tue, 2011-04-05 at 17:11 -0400, Dmytro Pryanyshnikov wrote:
Actually, as I can see, just installing the ca_root_nss
port (even with ETCSYMLINK=on Add symlink to /etc/ssl/cert.pem)
isn't enough for feeding installed .crt file to 'openssl s_client'
command:
dmitry@lynx$ openssl s_client
On 04/06/11 00:30, Frank J. Cameron:
The default name for the ca cert bundle is defined in
crypto/cryptlib.h, as are the environment variables
SSL_CERT_FILE and SSL_CERT_DIR.
May be. But as far as I know those variables don't affect the s_client
application.
So,
On 6.4.2011 2:15, Chuck Swiger:
2. Such link will affect all users of system. Decision what CA is trustful
should remain personal decision, not the system administrator decision, by default
There are differences between your personal machine, for which you as an
individual are welcome to make
On Wed, Apr 06, 2011 at 03:01:30AM +0200, Dan Lukes wrote:
On 6.4.2011 2:15, Chuck Swiger:
2. Such link will affect all users of system. Decision what CA is
trustful should remain personal decision, not the system administrator
decision, by default
There are differences between your
On 2011-Apr-02 08:37:36 +0100, Miguel Lopes Santos Ramos
m...@miguel.ramos.name wrote:
The only root CAs that could be included by default would be those of
governments (but which governments do you trust?) and things like
CAcert.org.
Actually, there was a certificate port that included
On 02/04/2011 00:30, Chad Perrin wrote:
I don't think that either of the two options currently under discussion
(quietly provide a trusted CA list or quietly failing to provide one)
is optimal. In the best-case scenario, I guess there would be some
self-evident system for letting the user
Hi folks,
Could somebody explain to me how is it possible to ship an operating system
without testing basic functionality like SSL working? Unfortunately the
problem is still there after installing the following port:
/usr/ports/security/ca_root_nss
Sounds like your openssl is broken it works just fine for me gets gmail
certificate
On Apr 1, 2011 11:01 AM, István lecc...@gmail.com wrote:
Hi folks,
Could somebody explain to me how is it possible to ship an operating
system
without testing basic functionality like SSL working? Unfortunately
On Fri, Apr 01, 2011 at 03:33:15PM +0100, István wrote:
FreeBSD ships OpenSSL but it is broken because there is no CA. Right,
it is like shipping a car without wheels, I suppose.
Err . . . now. SSL isn't broken, any more than vi is broken just because
it doesn't ship with text files for you
On Fri, Apr 1, 2011 at 10:33 AM, István lecc...@gmail.com wrote:
Could somebody explain to me how is it possible to ship an operating system
without testing basic functionality like SSL working? Unfortunately the
problem is still there after installing the following port:
On Fri, 1 Apr 2011 11:14:06 -0400
matt donovan kitchet...@gmail.com top posted:
Sounds like your openssl is broken it works just fine for me gets
gmail certificate
It doesn't for me. Claws-mail depends on security/ca_root_nss, but only
the other day I had to manually accept a certificate for
Only you personally can decide what CA is trustful CA for you.
cool, i decided I need everything what I have on windows or on J random
operating system with firefox. I install the corresponding package which is
broken and therefore, so I can't verify if somebody is doing a MITM while I
am
Yep, SSL is broken.
This why the top500 companies are using it to secure their business. I hope
you have something better what we could implement tomorrow deprecating SSL.
Send the RFC please. :)
Thank you in advance.
I.
On Fri, Apr 1, 2011 at 4:33 PM, Chad Perrin per...@apotheon.com wrote:
On Fri, Apr 01, 2011 at 07:45:11PM +0100, István wrote:
cool, i decided I need everything what I have on windows or on J random
operating system with firefox. I install the corresponding package
which is broken and therefore, so I can't verify if somebody is doing a
MITM while I am shopping on
On Fri, Apr 01, 2011 at 07:47:23PM +0100, István wrote:
Yep, SSL is broken.
This why the top500 companies are using it to secure their business. I
hope you have something better what we could implement tomorrow
deprecating SSL.
Send the RFC please. :)
Thank you in advance.
You clearly
István wrote:
cool, i decided I need everything what I have on windows or on J random
operating system with firefox. I install the corresponding package which is
broken and therefore, so I can't verify if somebody is doing a MITM while I
am shopping on Amazon. Massive win!
If your concern is
Nothing could be further from the truth. I think Chad addressed that topic
well. I would simply like to add that it's pretty common for us to see
people report things along the lines of, When I try to do XYZ thing that I
did on Linux it doesn't work on FreeBSD. What is generally the case in
On 4/1/2011 1:52 PM, István wrote:
well i would argue with that, on Linux it was possible to validate the certs
what X company is using, on FreeBSD it was not.
Perhaps if you can describe the process that you go through on Linux to
do this, we can help you accomplish the same goal using
Executing the same command:
openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne /-BEGIN
CERTIFICATE-/,/-END CERTIFICATE-/p |openssl x509 -noout -subject -dates
The end goal is to get this working. I am going to fix it whenever I have
few hours time to waste :)
On Fri, Apr 1, 2011
You're probably not aware (owing to your arrogance) that at least some of
the CAs which ship as part of the Mozilla bundle have been known to issue
fraudulent certificates in the past, even the past few weeks.
once there was a remote root in freebsd kernel, so I have just stopped using
it
this is a nice project. in couple of years it might be used widely. until
then we have to use SSL :(
It's called CurveCP: http://curvecp.org/
--
Jay Sullivan
___
freebsd-security@freebsd.org mailing list
On Fri, Apr 01, 2011 at 10:01:08PM +0100, István wrote:
Executing the same command:
openssl s_client -connect 72.21.203.148:443 </dev/null | sed -ne /-BEGIN
CERTIFICATE-/,/-END CERTIFICATE-/p |openssl x509 -noout -subject -dates
Define 'work'.
% uname -v
FreeBSD 4.9-RELEASE #0: Sun
On Fri, Apr 1, 2011 at 2:47 PM, István lecc...@gmail.com wrote:
Yep, SSL is broken.
This why the top500 companies are using it to secure their business. I hope
you have something better what we could implement tomorrow deprecating SSL.
Send the RFC please. :)
Thank you in advance.
It's
.
That you got this same command to work implies you have a different
set of CAs than I.
His point (someone please correct me, if necessary) is that without
what he considers a reasonable set of trusted CAs in place, SSL under
FreeBSD is 'broken'.
I interpret this thread now to be a debate of terms
István wrote:
work:
without the following error = verify error:num=20:unable to get local
issuer certificate
Hi.
It works for me if you correct the sed command and suppress stderr.
$ uname -rms
FreeBSD 6.4-RELEASE-p8 i386
$ openssl s_client -connect 72.21.203.148:443 2>/dev/null </dev/null
FreeBSD is 'broken'.
I interpret this thread now to be a debate of terms 'reasonable'
and 'trusted', and further, whose responsibility is it to populate
that list of CAs on his machine.
In case anyone cares what I think . . .
I don't think that either of the two options currently under
István wrote:
well i would argue with that, on Linux it was possible to validate the certs
what X company is using, on FreeBSD it was not.
Just for completeness:
=
uname -a
Linux u-pl1 2.6.32-vs2.3.0.36.28-gentoo-amd64 #1 SMP PREEMPT Tue Feb 22
12:08:19 CET 2011