Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Roger Marquis
rhi wrote: > Until now, I have avoided installing the OpenSSL port because the base OpenSSL gets security updates via freebsd-update and so it's one thing less to care about... also, I don't like the idea of having two different versions of the same thing on the system. A fair number of sites have

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Dan Lukes
On 18.12.2015 16:47, rhi wrote: > Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL is only used for the system itself? On 9.x-R (still considered a supported version) the base's OpenSSL is too old for today's SSL servers. The best TLS version supported is 1.0, which is co

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Matthew Seaman
On 2015/12/18 15:47, rhi wrote: > Matthew Seaman freebsd.org> writes: > >> Is that the ports or the base version of openssl? I can recreate your >> results with the base openssl, but everything works as expected with the >> ports version: > > Yes, it's the base OpenSSL. Is this a known limitati

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Dag-Erling Smørgrav
rhi writes: > When I do openssl s_client -showcerts -host my.server -port 443, I get > "Verify return code: 20 (unable to get local issuer certificate)", i.e. the > certificate can't be verified. It works on 10.2. I'm not sure at what point it changed. DES -- Dag-Erling Smørgrav - d...@des.no

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread rhi
Matthew Seaman freebsd.org> writes: > Is that the ports or the base version of openssl? I can recreate your > results with the base openssl, but everything works as expected with the > ports version: Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base OpenSSL or do I use

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Dan Lukes
On 18.12.2015 13:25, Matthew Seaman wrote: > Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to crypto happiness in the ports. Definitely. But beware of applications using the system Kerberos libraries (they use the system's OpenSSL). If an application imports library A that depends on

Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread Matthew Seaman
On 12/18/15 11:41, rhi wrote: > Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I > get OpenSSL to use it by default? Is that the ports or the base version of openssl? I can recreate your results with the base openssl, but everything works as expected with the ports vers

[OpenSSL] /etc/ssl/cert.pem not honoured by default

2015-12-18 Thread rhi
Hello, I have a FreeBSD 10.1 installation with security/ca_root_nss installed (with ETCSYMLINK). /etc/make.conf contains WITH_OPENSSL_BASE="YES", the port (security/openssl) is not installed. /etc/ssl/cert.pem points to /usr/local/share/certs/ca-root-nss.crt, which contains the CA certificates a
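The failure rhi and Dag-Erling describe above ("Verify return code: 20 (unable to get local issuer certificate)") is OpenSSL saying it found no trusted issuer for the server certificate in whatever trust store it loaded by default. The script below is an added example, not code from the thread or from FreeBSD: it builds a throwaway CA and a leaf certificate for the thread's hypothetical host my.server in a temporary directory, reproduces error 20 with `openssl verify` against the default trust store, and then shows the two ways of pointing the same OpenSSL binary at the right CA bundle without rebuilding anything: the `-CAfile` option and the `SSL_CERT_FILE` environment variable that OpenSSL's default lookup honours. It assumes only that `openssl(1)` is on PATH; everything else is constructed in the script.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce OpenSSL's
# "error 20 / unable to get local issuer certificate" offline with a throwaway
# CA, then show that naming the CA bundle explicitly makes the same leaf
# certificate verify. Assumes only that openssl(1) is on PATH. "my.server" is
# the made-up host from the thread; all key material is generated below.

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Where this particular openssl build looks for its trust store by default
# (prints OPENSSLDIR). This is the directory a base-system OpenSSL consults
# when no -CAfile/-CApath is given.
openssl_dir() {
    openssl version -d
}

# Create a self-signed test CA and one leaf certificate signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/CN=Throwaway Test CA" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" \
        -subj "/CN=my.server" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORKDIR/leaf.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/leaf.crt" >/dev/null 2>&1 || return 1
}

# Reduce "openssl verify" output to a short verdict. The text is parsed
# rather than the exit status because OpenSSL 1.0.x (the base version in the
# thread) exited 0 from "verify" even when verification failed.
classify() {
    case "$1" in
        *": OK"*)     echo "OK" ;;
        *"error 20"*) echo "error 20" ;;
        *)            echo "other: $1" ;;
    esac
}

# verify_result LEAF [extra openssl verify options...]
verify_result() {
    leaf="$1"; shift
    classify "$(openssl verify "$@" "$leaf" 2>&1 || true)"
}

# verify_result_env LEAF CAFILE: same check, but the bundle is supplied through
# SSL_CERT_FILE, which OpenSSL's default certificate lookup reads when no
# -CAfile is given. Useful when you cannot change the command line of the
# program doing the verifying.
verify_result_env() {
    classify "$(SSL_CERT_FILE="$2" openssl verify "$1" 2>&1 || true)"
}

make_test_pki || { echo "openssl(1) not usable; cannot build test PKI" >&2; exit 1; }

echo "openssl trust store location:    $(openssl_dir)"
echo "verify, default trust store:     $(verify_result "$WORKDIR/leaf.crt")"
echo "verify, -CAfile <bundle>:        $(verify_result "$WORKDIR/leaf.crt" -CAfile "$WORKDIR/ca.crt")"
echo "verify, SSL_CERT_FILE=<bundle>:  $(verify_result_env "$WORKDIR/leaf.crt" "$WORKDIR/ca.crt")"
```

The same two fixes apply to the thread's live check: `openssl s_client -showcerts -connect my.server:443 -CAfile /etc/ssl/cert.pem` (or `SSL_CERT_FILE=/etc/ssl/cert.pem openssl s_client ...`) should turn "Verify return code: 20" into "Verify return code: 0 (ok)" for a certificate chained to a CA in ca-root-nss, which is a quick way to confirm that the problem is the default trust-store location rather than the certificate itself. `openssl version -d` tells you which directory the binary you are actually running consults, which matters when base and ports OpenSSL coexist.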