Date:      Mon, 10 Nov 2014 17:28:49 -0600
From:      Matthew Grooms <mgrooms@shrew.net>
To:        freebsd-net@freebsd.org
Subject:   Re: SSL certificate check error ...
Message-ID:  <54614A31.8030209@shrew.net>
In-Reply-To: <54611DD9.2060107@shrew.net>
References:  <54611DD9.2060107@shrew.net>

Ok, I feel a little silly. These commands do not work without the CAfile
specified on FreeBSD 8.x or 9.x either. Sorry for the noise.

-Matthew

On 11/10/2014 2:19 PM, Matthew Grooms wrote:
> All,
>
> I am seeing a problem with certificate checking on several stock FreeBSD
> 10.0-RELEASE-p12 hosts using the base openssl. The ca_root_nss-3.17.2
> package is installed with the option to create the symlink in /etc/ssl
> enabled ...
>
> # ls -la /etc/ssl
> total 20
> drwxr-xr-x   2 root  wheel    512 Nov 10 13:25 .
> drwxr-xr-x  21 root  wheel   2048 Oct 28 23:45 ..
> lrwxr-xr-x   1 root  wheel     38 Nov 10 13:24 cert.pem ->
> /usr/local/share/certs/ca-root-nss.crt
> -rw-r--r--   1 root  wheel  10929 Jan 16  2014 openssl.cnf
>
> When I try to run s_client as a test to www.google.com, I see "Verify
> return code: 20 (unable to get local issuer certificate)" ...
>
> # openssl s_client -connect www.google.com:443
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3719 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>      Protocol  : TLSv1.2
>      Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>      Session-ID:
> 9890FB78A01C235769387820574E847C0F76E80DBDC867D6EC5D4422B944E956
>      Session-ID-ctx:
>      Master-Key:
> 86B4E5CBDC553D8740C462194E9244870D2468C8A736097CD467EF7461EE0ACF3D96C581EF6F68AF62218B451BBA03D7
>
>      Key-Arg   : None
>      PSK identity: None
>      PSK identity hint: None
>      SRP username: None
>      TLS session ticket lifetime hint: 100800 (seconds)
>      TLS session ticket:
>
>      Start Time: 1415648696
>      Timeout   : 300 (sec)
>      Verify return code: 20 (unable to get local issuer certificate)
> ---
>
> ... but when I explicitly specify the path to /etc/ssl/cert.pem, it
> works fine ...
>
> # openssl s_client -CApath /etc/ssl/cert.pem -connect www.google.com:443
> CONNECTED(00000003)
> depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
> verify return:1
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> verify return:1
> depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN =
> www.google.com
> verify return:1
> ---
> Certificate chain
>   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3719 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>      Protocol  : TLSv1.2
>      Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>      Session-ID:
> 9DD76F7AC8D34085E2B230CA02B955D3A35482C5AD983CD43A0AF65EDDF0905B
>      Session-ID-ctx:
>      Master-Key:
> FCF5D6AB32816ABD660AB744386531308C3F3203BBB61EB8273A5783DDE92B04C87ADA3DB12C87092BB7BE21CFAD3CCA
>
>      Key-Arg   : None
>      PSK identity: None
>      PSK identity hint: None
>      SRP username: None
>      TLS session ticket lifetime hint: 100800 (seconds)
>      TLS session ticket:
>
>      Start Time: 1415648909
>      Timeout   : 300 (sec)
>      Verify return code: 0 (ok)
> ---
>
> Also, if I run the commands under truss I see that the file
> /etc/ssl/cert.pem is not being opened when I do not specify the option
> on the command line ...
>
> # truss openssl s_client -connect www.google.com:443
> ...
> open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or
> directory'
> open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or
> directory'
> open("/etc/ssl/openssl.cnf",O_RDONLY,0666)       = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0
> (0x0)
> read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
> read(3,0x80186e000,32768)                        = 0 (0x0)
> close(3)                                         = 0 (0x0)
> sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t
> }) = 0 (0x0)
> issetugid(0x7fffffffd2c0,0xc8,0x1,0x7fffffffd538,0x0,0x800c82648) = 0 (0x0)
> issetugid(0x7fffffffdf5a,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
> stat("/root/.rnd",0x7fffffffce08)                ERR#2 'No such file or
> directory'
> getpid()                                         = 16324 (0x3fc4)
> __sysctl(0x7fffffffd1c8,0x2,0x7fffffffd128,0x7fffffffd1c0,0x0,0x0) = 0
> (0x0)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> getpid()                                         = 16324 (0x3fc4)
> issetugid(0x0,0x80,0x10,0x2,0x368,0x1)           = 0 (0x0)
> open("/etc/resolv.conf",O_CLOEXEC,0666)          = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
> read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
> read(3,0x8018b3000,32768)                        = 0 (0x0)
> close(3)                                         = 0 (0x0)
> issetugid(0x0,0x8018009c0,0x14,0x3,0x7fffffffc2b0,0x801801068) = 0 (0x0)
> stat("/etc/nsswitch.conf",{ mode=-rw-r--r--
> ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
> open("/etc/nsswitch.conf",O_CLOEXEC,0666)        = 3 (0x3)
> ioctl(3,TIOCGETA,0xffffca80)                     ERR#25 'Inappropriate
> ioctl for device'
> fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0
> (0x0)
> read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
> read(3,0x8018b3000,32768)                        = 0 (0x0)
>
> ... and it is being opened when I do specify the option on the command
> line ...
>
> # truss openssl s_client -CApath /etc/ssl/cert.pem -connect
> www.google.com:443
> ...
> open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or
> directory'
> open("/dev/crypto",O_RDWR,00)                    ERR#2 'No such file or
> directory'
> open("/etc/ssl/openssl.cnf",O_RDONLY,0666)       = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123703,size=10929,blksize=32768 }) = 0
> (0x0)
> read(3,"# $FreeBSD: release/10.0.0/crypt"...,32768) = 10929 (0x2ab1)
> read(3,0x80186e000,32768)                        = 0 (0x0)
> close(3)                                         = 0 (0x0)
> sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_IGN SA_RESTART ss_t
> }) = 0 (0x0)
> issetugid(0x7fffffffd290,0xc8,0x1,0x7fffffffd508,0x0,0x800c82648) = 0 (0x0)
> issetugid(0x7fffffffdf5c,0x800c642bf,0x8,0x52,0x0,0x800c82648) = 0 (0x0)
> stat("/root/.rnd",0x7fffffffcdd8)                ERR#2 'No such file or
> directory'
> getpid()                                         = 16371 (0x3ff3)
> __sysctl(0x7fffffffd198,0x2,0x7fffffffd0f8,0x7fffffffd190,0x0,0x0) = 0
> (0x0)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> getpid()                                         = 16371 (0x3ff3)
> open("/etc/ssl/cert.pem",O_RDONLY,0666)          = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1052618,size=908574,blksize=32768 }) =
> 0 (0x0)
> read(3,"##\n##  ca-root-nss.crt -- Bundl"...,32768) = 32768 (0x8000)
> madvise(0x80186a000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x8018a1000,0x4000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x8018ac000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x8018bc000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x8018cd000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x8018df000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x801900000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x8018017a0,0x80127cb10)
> = 0 (0x0)
> madvise(0x801875000,0x1000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10)
> = 0 (0x0)
> madvise(0x801887000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x801800c48,0x80127cb10)
> = 0 (0x0)
> read(3," 42:68:ac:a0:bd:4e:5a:da:18:bf:6"...,32768) = 32768 (0x8000)
> read(3,":9a:9b:bb:\n                    "...,32768) = 32768 (0x8000)
> read(3,"      17:7d:a0:f9:b4:dd:c5:c5:eb"...,32768) = 32768 (0x8000)
> madvise(0x8018ba000,0x6000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10)
> = 0 (0x0)
> madvise(0x8018f1000,0xc000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10)
> = 0 (0x0)
> madvise(0x80190e000,0x3000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10)
> = 0 (0x0)
> madvise(0x801921000,0x5000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10)
> = 0 (0x0)
> madvise(0x801936000,0x2000,0x5,0xaaaaaaaaaaaaaaab,0x7fffffffc770,0x80127cb10)
> = 0 (0x0)
> read(3,"c Constraints: critical\n       "...,32768) = 32768 (0x8000)
> read(3,"DYu5Def131TN3ubY1gkIl2PlwS6w\nt0"...,32768) = 32768 (0x8000)
> read(3,"\nxvbxrN8y8NmBGuScvfaAFPDRLLmF9d"...,32768) = 32768 (0x8000)
> read(3,"f:1f:31:9c:\n                   "...,32768) = 32768 (0x8000)
> read(3,"igiCert Inc, OU=www.digicert.com"...,32768) = 32768 (0x8000)
> read(3,"93:36:85:23:88:8a:3c:03:68:d3:c9"...,32768) = 32768 (0x8000)
> read(3,"orzAzu8T2bgmmkTPiab+ci2hC6X5L8GC"...,32768) = 32768 (0x8000)
> read(3,"2zsmWLIodz2uFHdh\n1voqZiegDfqnc1"...,32768) = 32768 (0x8000)
> read(3,"hUNfBvitbtaSeodlyWL0AG0y/YckUHUW"...,32768) = 32768 (0x8000)
> read(3,"            CA:TRUE\n    Signatu"...,32768) = 32768 (0x8000)
> read(3,":22:d7:8b:0b:\n                 "...,32768) = 32768 (0x8000)
> read(3,"  6b:53:7f:db:df:df:f3:71:3d:26:"...,32768) = 32768 (0x8000)
> read(3,"f:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:"...,32768) = 32768 (0x8000)
> read(3,":57:d2:b0:0a:\n                 "...,32768) = 32768 (0x8000)
> read(3,"      X509v3 CRL Distribution Po"...,32768) = 32768 (0x8000)
> read(3,"60:45:f2:31:eb:a9:31:\n         "...,32768) = 32768 (0x8000)
> read(3,"4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQ"...,32768) = 32768 (0x8000)
> read(3,"9:28:a7:\n                    2e"...,32768) = 32768 (0x8000)
> read(3,"A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/"...,32768) = 32768 (0x8000)
> read(3,"4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3G"...,32768) = 32768 (0x8000)
> read(3,"QUFADCBvjE/MD0GA1UEAww2VMOc\nUkt"...,32768) = 32768 (0x8000)
> read(3,"dq6hw2v+vPhwvCkxWeM\n1tZUOt4KpLo"...,32768) = 32768 (0x8000)
> read(3,"        Exponent: 65537 (0x10001"...,32768) = 32768 (0x8000)
> read(3,":35:88:67:74:57:e3:df:8c:b8:a7:7"...,32768) = 23838 (0x5d1e)
> read(3,0x801899000,32768)                        = 0 (0x0)
> close(3)                                         = 0 (0x0)
> getpid()                                         = 16371 (0x3ff3)
> issetugid(0x0,0x80,0x10,0x2,0x368,0x1)           = 0 (0x0)
> open("/etc/resolv.conf",O_CLOEXEC,0666)          = 3 (0x3)
> fstat(3,{ mode=-rw-r--r-- ,inode=1123958,size=35,blksize=32768 }) = 0 (0x0)
> read(3,"search cn.bf\nnameserver 10.16.6"...,32768) = 35 (0x23)
> read(3,0x801931000,32768)                        = 0 (0x0)
> close(3)                                         = 0 (0x0)
> issetugid(0x0,0x801801cf8,0x33,0x3,0x7fffffffc280,0x801801c38) = 0 (0x0)
> stat("/etc/nsswitch.conf",{ mode=-rw-r--r--
> ,inode=1123624,size=324,blksize=32768 }) = 0 (0x0)
> open("/etc/nsswitch.conf",O_CLOEXEC,0666)        = 3 (0x3)
> ioctl(3,TIOCGETA,0xffffca50)                     ERR#25 'Inappropriate
> ioctl for device'
> fstat(3,{ mode=-rw-r--r-- ,inode=1123624,size=324,blksize=32768 }) = 0
> (0x0)
> read(3,"#\n# nsswitch.conf(5) - name ser"...,32768) = 324 (0x144)
> read(3,0x801931000,32768)                        = 0 (0x0)
>
> This is the only copy of openssl on my system ...
>
> # whereis openssl
> openssl: /usr/bin/openssl /usr/share/openssl/man/man1/openssl.1.gz
>
> Did something change with the FreeBSD 10 configuration of OpenSSL? At
> first I thought it was a problem with this particular host, but I've
> been able to reproduce the problem on 3 different 10.x hosts I've tested
> so far. I don't see how an unmodified program will pick up the default
> system CA file unless that program has an option to explicitly hand in
> the path. Was this intended?
>
> Thanks in advance,
>
> -Matthew
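
A check for the situation described in this thread, as an added example that is not part of the original messages: it reports the CA file OpenSSL falls back to (`$SSL_CERT_FILE` if set, otherwise `cert.pem` under the directory printed by `openssl version -d`) and whether that path is a usable PEM bundle, a directory, or a dangling symlink. The function names `default_ca_file` and `inspect_bundle` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Default CA file: $SSL_CERT_FILE if set, otherwise OPENSSLDIR/cert.pem.
# The library only consults it when the application asks for default paths.
default_ca_file() {
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    # `openssl version -d` prints a line such as: OPENSSLDIR: "/etc/ssl"
    dir=$(openssl version -d 2>/dev/null |
          sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$dir" ] || return 1
    printf '%s/cert.pem\n' "$dir"
}

# Classify a path as one of:
#   missing | dangling-symlink | directory | no-certificates | ok:<count>
inspect_bundle() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling-symlink"      # link exists, its target does not
    elif [ ! -e "$path" ]; then
        echo "missing"
    elif [ -d "$path" ]; then
        echo "directory"             # hashed directories go with -CApath
    else
        # Count PEM certificate headers; `|| true` keeps a zero count non-fatal.
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null || true)
        count=${count:-0}
        if [ "$count" -gt 0 ]; then
            echo "ok:$count"         # a bundle file goes with -CAfile
        else
            echo "no-certificates"
        fi
    fi
}

# Report for the local system; nothing here touches the network.
if ca=$(default_ca_file); then
    echo "default CA file: $ca ($(inspect_bundle "$ca"))"
    echo "explicit form:   openssl s_client -CAfile $ca -connect HOST:443"
else
    echo "openssl not in PATH; set SSL_CERT_FILE or call inspect_bundle PATH"
fi
```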



