Hi All,

I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
then connected to api.pagepeeker.com, which uses StartCom.

When I use s_client and -CAfile, the verification completes
successfully. When I use s_client and SSL_CERT_FILE, verification
fails with "Verify return code: 19 (self signed certificate in
certificate chain)".

x509_def.c and by_file.c look OK to me (but I did not step it under
the debugger). Yet it appears SSL_CERT_FILE is not honored.

Are there any workarounds?

Jeff

**********

When I run `openssl s_client` with `-CAfile`, the fetch works as expected:

riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect
api.pagepeeker.com:443 -CAfile startcom-ca-bundle.pem
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN =
api.pagepeeker.com, emailAddress = alexandru.flore...@gmail.com
verify return:1
---
Certificate chain
 0 
s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
<SNIP>
5FJ1IIaJc7+5
-----END CERTIFICATE-----
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5552 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: <SNIP>

    Start Time: 1380708844
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

**********
When I run `openssl s_client` with `SSL_CERT_FILE`, the fetch fails
due to a self-signed certificate:

riemann::~$ export SSL_CERT_FILE=`pwd`/startcom-ca-bundle.pem
riemann::~$ echo $SSL_CERT_FILE
/Users/jwalton/startcom-ca-bundle.pem
riemann::~$ ls *.pem
startcom-ca-bundle.pem
riemann::~$ echo "GET / HTTP\1.1" | openssl s_client -connect
api.pagepeeker.com:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 
s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
<SNIP>
5FJ1IIaJc7+5
-----END CERTIFICATE-----
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.flore...@gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5552 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: <SNIP>

    Start Time: 1380746687
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org