Date:      Sat, 1 May 2010 13:16:49 +1000
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        freebsd-ports@freebsd.org
Subject:   OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different
Message-ID:  <20100501031649.GA1335@rwpc08>


I just spent quite a while trying to figure out what broke SSL
certificate verification in my irc client after taking some brave pills
and updating ports on my notebook.

It turns out that OpenSSL 1.0.0 hashes certificates differently to
earlier versions.  That meant that applications looking in my
/usr/local/openssl/certs directory couldn't find hashes for CA
certificates because the hash links had been created with OpenSSL 0.9.8.

From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:

  "Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.
   [Steve Henson]"

So, that's good to know but here's the really fun bit.  Just running
c_rehash won't fix it if you have openssl in the base system - because
it picks up /usr/bin/openssl (old version, old hashes).  The
/usr/local/bin/c_rehash script relies on an environment variable to
point it at anything other than the base openssl.  So, if I set
OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
I get the "new" hashes and stuff works again.

-- 
John Marshall

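The failure described in the message, reproduced as an added example (this is not John's script, not FreeBSD's c_rehash, and not part of the original post). It builds the `<hash>.N` links the way c_rehash does, honouring the same `OPENSSL` environment variable so the binary that computes the link names is the one that will later read the directory, and then shows that a directory rehashed with the old (MD5) names is invisible to an OpenSSL that looks up the new (SHA-1, canonical DN) names. Assumptions: an `openssl` binary of 1.1 or later in `PATH` (for `-subject_hash_old`, `-no-CAfile` and `-no-CApath`), a throwaway self-signed CA constructed on the fly as test data, and the helper names `subject_hash`, `rehash_dir`, `make_test_ca`, `verify_with_capath` and `demo`, which are hypothetical.

```shell
#!/bin/sh
# Added example: a minimal c_rehash work-alike, parameterised on the
# openssl binary via $OPENSSL exactly as the real c_rehash script is.
# Helper names are hypothetical; the CA below is constructed test data.

: "${OPENSSL:=openssl}"   # same override the message sets before running c_rehash

# Print the certificate-directory hash of a PEM cert.
#   new -> SHA-1 over the canonical subject DN (OpenSSL 1.0.0 and later)
#   old -> MD5 over the raw subject DN      (OpenSSL 0.9.8 and earlier)
subject_hash() {
    _style=$1; _pem=$2
    if [ "$_style" = old ]; then
        "$OPENSSL" x509 -noout -subject_hash_old -in "$_pem"
    else
        "$OPENSSL" x509 -noout -subject_hash -in "$_pem"
    fi
}

# Rebuild the <hash>.N symlinks in a certs directory in one hash style,
# resolving collisions with the numeric suffix the way c_rehash does.
rehash_dir() {
    _style=$1; _dir=$2
    rm -f "$_dir"/*.[0-9]
    for _pem in "$_dir"/*.pem; do
        [ -f "$_pem" ] || continue
        _h=$(subject_hash "$_style" "$_pem") || return 1
        _n=0
        while [ -e "$_dir/$_h.$_n" ]; do _n=$((_n + 1)); done
        ln -s "$(basename "$_pem")" "$_dir/$_h.$_n" || return 1
    done
}

# Create a throwaway self-signed CA (constructed test data) in directory $1.
make_test_ca() {
    "$OPENSSL" req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Rehash Test CA" -days 1 >/dev/null 2>&1
}

# Succeed only if cert $2 verifies using nothing but the CApath $1,
# looked up by the same binary that will be asked to do the verifying.
verify_with_capath() {
    "$OPENSSL" verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Walk through the mismatch: old-style links are not found, new-style are.
demo() {
    _d=$(mktemp -d) || return 1
    make_test_ca "$_d" || return 1
    echo "old-style (0.9.8) link name: $(subject_hash old "$_d/ca.pem").0"
    echo "new-style (1.0.0) link name: $(subject_hash new "$_d/ca.pem").0"
    rehash_dir old "$_d" || return 1
    if verify_with_capath "$_d" "$_d/ca.pem"; then
        echo "old links: verify OK"
    else
        echo "old links: verify FAILS (this openssl never looks for the MD5 name)"
    fi
    rehash_dir new "$_d" || return 1
    if verify_with_capath "$_d" "$_d/ca.pem"; then
        echo "new links: verify OK"
    fi
    rm -rf "$_d"
}

case "${1:-}" in
    run) demo ;;
esac
```

Run it as `sh rehash_demo.sh run`; setting `OPENSSL=/usr/local/bin/openssl` (or any other path) in the environment switches every step, hashing and verifying alike, to that binary, which is the point the message makes about `/usr/local/bin/c_rehash` picking up `/usr/bin/openssl` by default.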



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100501031649.GA1335>