Re: SSL is broken on FreeBSD



On Fri, Apr 01, 2011 at 03:32:51PM +0100, István wrote:
FreeBSD ships OpenSSL but it is broken because there is no CA. Right,
it is like shipping a car without wheels, I suppose.

While I agree somewhat with your sentiment, SSL is not necessarily
broken without CA certificates, as it's completely possible to do TOFU
verification ala SSH.

However, I think it's an appropriate time to mention again that there is
at least one place in base that does indeed have broken SSL support,
namely libfetch. To do SSL properly, you can do CA certificate
verification or you can do TOFU, but libfetch still accepts any
certificate it encounters, without user warning.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages