> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
> Sent: Wednesday, October 02, 2013 16:57

> I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
> then connected to api.pagepeeker.com, which uses StartCom.

Aside: you don't actually need the whole bundle, only the root, because
that server correctly sends the needed chain certs. But no harm done.

> When I use s_client and -CAfile, the verification completes
> successfully. When I use s_client and SSL_CERT_FILE, verification
> fails with "Verify return code: 19 (self signed certificate in
> certificate chain)".
>
> x509_def.c and by_file.c look OK to me (but I did not step it under
> the debugger). Yet it appears SSL_CERT_FILE is not honored.

Durn, you're right. I have almost never wanted the envvars for commandline,
and apparently few people if any have tried this case.

SSL_CTX_set_default_verify_paths should indeed use the env vars (FILE
and/or DIR) if it is called -- but s_client doesn't call it, because it
tries _load_verify_locations first (always), and that returns 0 for either
an error OR both arguments null (as they are), and that's the left side of
a ||, so the call to _default_ doesn't get executed. s_server and s_time do
the same thing; all the other commandline utilities don't use libssl or
even X509_STORE_load_locations and _set_default_paths, but instead set the
CAfile-or-default and CApath-or-default lookups separately, which works.

> Are there any workarounds?

You've already found using -CAfile.

Instead of s_client, use another program that does set the defaults when
needed.

Patch s_client to set the defaults when needed (when commandline isn't
specified). I think the clearest though verbose way would be something
like:

    if( CAfile != NULL || CApath != NULL ) {
        if( ! SSL_CTX_load_verify_locations (ctx, CAfile, CApath) )
            error
    } else { /* no arguments: use defaults */
        if( ! SSL_CTX_set_default_verify_paths (ctx) )
            error
    }

It would also be possible to do something trickier like

    if( CAfile || CApath ? ! _locations (ctx, CAfile, CApath) : ! _defaults (ctx) )
        error

or maybe better all-round (and more consistent to the user) just skip the
SSL API and use setup_verify in apps.c to call X509_STORE/LOOKUP directly.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org