From owner-freebsd-ports Thu Oct 5 8:40: 6 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id AA60F37B66D
	for ; Thu, 5 Oct 2000 08:40:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id IAA25692;
	Thu, 5 Oct 2000 08:40:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from lion-around.at.yiff.net (lion-around.at.yiff.net [209.54.21.199])
	by hub.freebsd.org (Postfix) with ESMTP id 4CFB737B503
	for ; Thu, 5 Oct 2000 08:31:28 -0700 (PDT)
Received: (from chris@localhost)
	by lion-around.at.yiff.net (8.11.0/8.11.0) id e95FVPA00798;
	Thu, 5 Oct 2000 11:31:25 -0400 (EDT)
	(envelope-from chris)
Message-Id: <200010051531.e95FVPA00798@lion-around.at.yiff.net>
Date: Thu, 5 Oct 2000 11:31:25 -0400 (EDT)
From: chris@netmonger.net
Reply-To: chris@netmonger.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/21770: security/ca-roots ca-root.crt installed in odd location?
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         21770
>Category:       ports
>Synopsis:       ca-root.crt might be better in /etc/ssl/cert.pem
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 05 08:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Christopher Masto
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
NetMonger Communications
>Environment:
>Description:

The OpenSSL library that comes with FreeBSD seems to look for
/etc/ssl/cert.pem as its default CAfile.

/usr/ports/security/ca-roots installs /usr/local/share/certs/ca-root.crt.
It is possible to modify applications to load that file instead, but by
simply installing it as /etc/ssl/cert.pem instead, programs like mutt
will automatically find and use it.
>How-To-Repeat:

Install the ca-roots port. Install mutt with the WITH_SSL option.
Connect to an SSL-enabled IMAP server with a valid certificate signed
by one of the CAs in ca-root.crt, and notice that mutt asks for manual
verification.

ln -s /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem

and run mutt again. Notice that it is able to verify the certificate
and accepts it automatically.

>Fix:

Either provide the symlink or simply install the file as
/etc/ssl/cert.pem.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
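
A check for the condition this report describes, written as an added example (it is not part of the original report or of the ca-roots port). The function name `cafile_status` is a hypothetical helper, and the demo uses a constructed placeholder certificate in a scratch directory rather than the real /etc/ssl.

```shell
#!/bin/sh
# Added example: classify the state of OpenSSL's default CAfile.
# cafile_status SSL_DIR BUNDLE prints one word:
#   missing   SSL_DIR/cert.pem does not exist (no default trust anchors)
#   dangling  cert.pem is a symlink whose target is gone
#   empty     cert.pem exists but holds no PEM certificate
#   bundle    cert.pem has the same contents as BUNDLE (e.g. via a symlink)
#   other     cert.pem holds certificates from some other source
cafile_status() {
    ssl_dir=$1
    bundle=$2
    cafile=$ssl_dir/cert.pem

    if [ ! -e "$cafile" ]; then
        # -e follows symlinks, so a broken link also lands here.
        if [ -L "$cafile" ]; then echo dangling; else echo missing; fi
        return 0
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cafile"; then
        echo empty
        return 0
    fi
    if [ -f "$bundle" ] && cmp -s "$cafile" "$bundle"; then
        echo bundle
    else
        echo other
    fi
}

# Constructed demo: replays the report's steps in a scratch directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/ssl" "$d/certs"
    # Placeholder PEM body (constructed, not a real certificate).
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/certs/ca-root.crt"
    before=$(cafile_status "$d/ssl" "$d/certs/ca-root.crt")
    ln -s "$d/certs/ca-root.crt" "$d/ssl/cert.pem"
    after=$(cafile_status "$d/ssl" "$d/certs/ca-root.crt")
    rm -rf "$d"
    echo "$before -> $after"
}
demo
```

On a real system the arguments would be the paths named in the report, /etc/ssl and /usr/local/share/certs/ca-root.crt; `openssl version -d` prints the directory the library was built to use.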