István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA

No. The list of trusted CAs is the list of CAs that you trust. It is related to the policies of the particular CA, the law in the country where the CA operates, the overall reputation of such a CA - and your personal preferences and paranoia level. Only you personally can decide what CA is a "trustful CA" for you.

Of course, you can accept a list created by someone else if you wish - you mentioned security/ca_root_nss. But it's still your personal decision. Yes, someone else's list may not contain some CAs that you classified as trusted - and, worse, it may contain some CAs you don't consider trustable. It's your risk when adopting a list from an external source, and you should not adopt such a list blindly unless security is "unimportant" for you.

But back to your problem - FreeBSD contains NO list of trusted CAs and it SHOULD NOT contain one. The port security/ca_root_nss is NOT part of the operating system - if you want to change it you need to ask its author. Or use a list prepared by someone else. Or prepare your own list (it's the most secure way).

Dan