
OpenSSL will not verify a cert

$ openssl s_client -connect <host>:443
...
Verify return code: 21 (unable to verify the first certificate)

However, if we figure out the location of the store

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

$ ll /usr/lib/ssl
...
lrwxrwxrwx   1 root root    14 Sep  9 16:40 certs -> /etc/ssl/certs

And run the command again specifying what is apparently the default directory

$ openssl s_client -connect <host>:443 -CApath /etc/ssl/certs
...
Verify return code: 0 (ok)

So is there some other way to check explicitly where OpenSSL is getting its root CA list, or some other edge case that may be being hit here which would cause this behavior?

Mike S

1 Answer


Apparently I am just describing OpenSSL s_client's intended behavior - https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818

It seems like this command would be much more useful if it used the default CApath by, well, default (or warn that you are not using any, as the bug report suggests), but c'est la vie.

Mike S
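As an added example (not part of the question or answer above, and not OpenSSL's own tooling), the following POSIX shell script makes the behaviour discussed explicit: it derives the trust-store locations from `openssl version -d`, honours the `SSL_CERT_DIR` / `SSL_CERT_FILE` environment overrides that `SSL_CTX_set_default_verify_paths()` also consults, passes them to `s_client` by hand, and parses the `Verify return code:` line so a script cannot mistake a failed verification for success. It assumes the conventional layout of `<OPENSSLDIR>/certs` and `<OPENSSLDIR>/cert.pem` (both hypothetical until checked on the box, which is why `check_host` tests for their existence), and an `s_client` new enough to support `-verify_return_error`. Note that later OpenSSL releases do load the default store in `s_client` unless `-no-CApath` / `-no-CAfile` is given, so on a current system the explicit flags are a belt-and-braces measure rather than a requirement.

```shell
#!/bin/sh
# Added example: locate OpenSSL's default trust store and verify a host against it
# explicitly, failing the script when the chain does not verify.
#
# Assumptions (not stated in the original post):
#   - `openssl version -d` prints a line like   OPENSSLDIR: "/usr/lib/ssl"
#   - the default store is <OPENSSLDIR>/certs (hashed dir) and <OPENSSLDIR>/cert.pem,
#     overridable through SSL_CERT_DIR / SSL_CERT_FILE, as SSL_CTX_set_default_verify_paths() does
#   - the installed s_client understands -verify_return_error

# default_ca_paths OPENSSLDIR_LINE
# Prints "<CApath> <CAfile>" on one line, honouring the environment overrides.
# Returns 1 if the line does not look like OPENSSLDIR output.
default_ca_paths() {
    dir=$(printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$dir" ] || return 1
    printf '%s %s\n' "${SSL_CERT_DIR:-$dir/certs}" "${SSL_CERT_FILE:-$dir/cert.pem}"
}

# verify_code S_CLIENT_OUTPUT
# Extracts the numeric "Verify return code" from captured s_client output
# (21 in the question's first run, 0 in the second). Prints nothing if absent.
verify_code() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' \
        | tail -n 1
}

# check_host HOST
# Runs s_client with the store passed explicitly. Exit status: 0 = chain verified,
# 1 = verification failed (handshake aborted by -verify_return_error),
# 2 = could not determine the store. Without -verify_return_error s_client exits 0
# even when the chain is bad, which is why the flag (or verify_code) is needed.
check_host() {
    host=$1
    paths=$(default_ca_paths "$(openssl version -d)") || return 2
    capath=${paths% *}
    cafile=${paths#* }
    # only pass locations that exist; s_client errors out on a missing -CAfile
    set -- -connect "$host:443" -servername "$host" -verify_return_error
    [ -d "$capath" ] && set -- "$@" -CApath "$capath"
    [ -f "$cafile" ] && set -- "$@" -CAfile "$cafile"
    out=$(openssl s_client "$@" </dev/null 2>&1)
    if [ "$(verify_code "$out")" = "0" ]; then
        return 0
    fi
    printf '%s: verify return code %s\n' "$host" "$(verify_code "$out")" >&2
    return 1
}
```

Usage: `check_host example.org && echo trusted`. Compare the output of `openssl version -d` with `echo "$SSL_CERT_DIR $SSL_CERT_FILE"` first; an exported override is the other common reason the "default" store is not the one you think it is.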