Date: Sat, 1 May 2010 13:16:49 +1000
From: John Marshall <john.marshall@riverwillow.com.au>
To: freebsd-ports@freebsd.org
Message-ID: <20100501031649.GA1335@rwpc08>
Subject: OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different
I just spent quite a while trying to figure out what broke SSL certificate
verification in my irc client after taking some brave pills and updating
ports on my notebook. It turns out that OpenSSL 1.0.0 hashes certificates
differently to earlier versions. That meant that applications looking in my
/usr/local/openssl/certs directory couldn't find hashes for CA certificates
because the hash links had been created with OpenSSL 0.9.8.

From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:

"Enhance the hash format used for certificate directory links. The new form
uses the canonical encoding (meaning equivalent names will work even if they
aren't identical) and uses SHA1 instead of MD5. This form is incompatible
with the older format and as a result c_rehash should be used to rebuild
symbolic links. [Steve Henson]"

So, that's good to know but here's the really fun bit. Just running c_rehash
won't fix it if you have openssl in the base system - because it picks up
/usr/bin/openssl (old version, old hashes). The /usr/local/bin/c_rehash
script relies on an environment variable to point it at anything other than
the base openssl. So, if I set OPENSSL=/usr/local/bin/openssl in the
environment and then run c_rehash, I get the "new" hashes and stuff works
again.

-- 
John Marshall
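The rehash procedure described in the post, as an added shell example that is not the c_rehash script shipped with the OpenSSL port. It rebuilds the hash links in a certificate directory with whichever openssl binary the OPENSSL environment variable names; when the variable is unset it falls back to the base-system /usr/bin/openssl, which is an assumption made here to mirror the gotcha (old binary, old hashes). The function names openssl_bin and rehash_certs are mine. Stale links from the previous scheme are removed first, so a directory hashed under 0.9.8 does not keep dangling MD5-style names next to the SHA1-style ones.

```shell
#!/bin/sh
# Added example (not the port's c_rehash): rebuild certificate-directory
# hash links with an explicitly chosen openssl binary so that the link names
# match the library the applications actually use.
#
# Assumption: OPENSSL selects the binary, as the post describes; when unset
# we fall back to the base-system /usr/bin/openssl, which is exactly the
# gotcha (old version, old hashes).

# Report which openssl binary will do the hashing.
openssl_bin() {
    printf '%s\n' "${OPENSSL:-/usr/bin/openssl}"
}

# Rebuild <hash>.N links for every *.pem and *.crt file in the directory.
rehash_certs() {
    dir="$1"
    ssl=$(openssl_bin)
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Drop links left behind by the previous hash scheme (or a stale run).
    for link in "$dir"/*.[0-9] "$dir"/*.[0-9][0-9]; do
        [ -L "$link" ] && rm -f "$link"
    done

    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # -hash prints the subject-name hash in whatever format this
        # particular binary uses (MD5-based in 0.9.8, SHA1-based in 1.0.0).
        hash=$("$ssl" x509 -hash -noout -in "$cert") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# Usage: OPENSSL=/usr/local/bin/openssl sh rehash.sh /usr/local/openssl/certs
if [ -n "${1:-}" ]; then
    echo "hashing with: $(openssl_bin) ($("$(openssl_bin)" version 2>/dev/null))"
    rehash_certs "$1"
fi
```

The version line printed before hashing is the quick check worth making: if it reports the base-system 0.9.8 binary while the application is linked against the 1.0.0 library from ports, the links it creates will not be found. OpenSSL 1.0.0's x509 command also accepts -subject_hash_old, which prints the 0.9.8-style hash, so a directory serving applications linked against both libraries can carry both sets of links.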