Greetings,
apparently the new /etc/ssl/cert.pem file installed by
security/ca_root_nss trips up the OpenSSL 0.9.8e in the 7.3-RELEASE base
system. I haven't tested 7.4, 8.1 or 8.2, 8-STABLE is unaffected by the
problem.
The symptom is that some certificate chains that validate properly on
OpenSSL under FreeBSD 8-STABLE, fail to validate on 7.3. OpenSSL claims
that the root certificate weren't trusted.
Manually editing the cert.pem file to reorder Entrust certificates up
front in reverse order helps according to Doug's findings, but chances
are that this breaks recognition of other root certificates in exchange.
This is also extremely hard to test because we can't possibly find
enough sites to cover for all 150+ trust anchors that the ca_root_nss
ports provides.
Doug and I have been trying to debug this earlier today, to no avail
yet. The current suspicion is "bug in OpenSSL when reading certificate
bundles, and that bug got fixed between 0.9.8e and 0.9.8q (possibly
0.9.8n)" -- note though that the order of certificates in a bundle file
is not supposed to make any difference.
If someone has any insights, that will be much appreciated.
(Doug feel free to polish this text and re-post if it turned out to be
incomprehensible.
)
Best regards,
Matthias
_______________________________________________
freebsd-ports.DeleteThis@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
FAQ
Search
Profile
Private Messages
Log in
