Good Afternoon,
I've spent the past three hours playing with openssl.cnf and surfing google, and so far I've been unable to find an answer to this question.
So I thought I'd ask here :). The background is that I've finally got around to getting a wildcard SSL certificate for my personal server, all daemons are using this, Firefox/IE/Thunderbird are all happy with the certificate and see it signed by ChainedSSL signed by Equifax and all is good.
However, when I use the FreeBSD server to connect to itself, in several programs I get asked to confirm the certificate. So I assumed this was because there was no central root certificate store.
So I installed security/ca-roots from ports, and that put the certs.pem file in /usr/local/share/certs and a symlink to it in /etc. However, as I found, this simply installs it.
Using openssl s_client I was able to run some tests; if I didn't provide a cafile then I got the following.
[nebula:~]# openssl s_client -connect localhost:imaps
CONNECTED(00000003)
depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
---
If I provided a cafile, all was good and got this:
[nebula:~]# openssl s_client -connect localhost:imaps -CAfile /etc/ssl/cert.pem
CONNECTED(00000003)
depth=2 /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
verify return:1
depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
verify return:1
depth=0 /C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
verify return:1
---
Certificate chain
0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
---
I have tried various settings in openssl.cnf, but I cannot get CAfile to be defaulted to anything. My basic question is: can I do this, and if so, how?
I'm expecting once this works (maybe stupidly) for it to propagate down to applications that use the openssl library. Although for some programs (like Mutt) I'll be required to set a property to allow mutt to trust the system certs (ssl_usesystemcerts).
I hope someone out there knows, I've been playing and running truss and all sorts for the past three hours trying to get this to work.
Any advice would be greatly appreciated.
Cheers,
Pete.
--
Peter Wood BSc (Hons) :: <[EMAIL PROTECTED]> :: Tel +44 7974 799440
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
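As an added example (editor's script, not part of Pete's post): a POSIX sh helper that resolves where OpenSSL looks for a trust store when no -CAfile is given (OPENSSLDIR/cert.pem, overridable with the SSL_CERT_FILE / SSL_CERT_DIR environment variables, which OpenSSL-linked programs pick up through SSL_CTX_set_default_verify_paths) and that classifies an s_client run by its "verify error:num=N" line, exactly the two outcomes shown in the transcripts above. It assumes the openssl command line tool is installed; host, port and cafile arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a TLS endpoint's chain the
# way `openssl s_client` does and reports the X509 verify error number
# (0 = chain verified, 20 = "unable to get local issuer certificate").

# Parse the directory out of `openssl version -d`, e.g. 'OPENSSLDIR: "/etc/ssl"'.
openssl_dir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# OpenSSL's built-in default CAfile is $OPENSSLDIR/cert.pem (and its default
# CApath is $OPENSSLDIR/certs). SSL_CERT_FILE / SSL_CERT_DIR override both for
# every program that asks the library for its default verify paths, which is
# the usual way to make one system bundle the default without touching each app.
default_cafile() {
    if [ -n "$SSL_CERT_FILE" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    else
        printf '%s/cert.pem\n' "$(openssl_dir "$(openssl version -d)")"
    fi
}

# Print the first 'verify error:num=N' found in s_client output, or 0 when
# every depth reported 'verify return:1'.
verify_error_num() {
    printf '%s\n' "$1" \
        | sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# check_chain HOST PORT [CAFILE]: prints the verify error number; returns 1
# if no TLS connection could be established at all (no CONNECTED line).
check_chain() {
    host=$1; port=$2; cafile=${3:-$(default_cafile)}
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1)
    printf '%s\n' "$out" | grep -q '^CONNECTED' || {
        echo "check_chain: could not connect to $host:$port" >&2
        return 1
    }
    verify_error_num "$out"
}

# Stand-alone use: ./check_chain.sh localhost 993 [/etc/ssl/cert.pem]
if [ "$#" -ge 2 ]; then
    check_chain "$@"
fi
```

A result of 20 with no third argument means the bundle at default_cafile was not found or does not contain the issuing CA; the same command with the bundle passed explicitly should then print 0, as in the second transcript.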