RE: openssl -CAfile patch

2014-04-25 Thread Salz, Rich
I think a general mechanism that allowed you to set default command-line flags 
would be useful.  (And of course you'd need a new flag to skip that.)

For example, a new [commandline] section, where command-flag is the key or 
command-flag.1, command-flag.2 for repeated instances.

/r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz



Re: openssl -CAfile patch

2014-04-25 Thread Viktor Dukhovni
On Wed, Apr 23, 2014 at 11:09:59PM -0400, Helmut Tessarek wrote:

 Every time I run openssl s_client -connect example.com:443, I get a
 Verify return code: 20 (unable to get local issuer certificate).
 
 It works, if I specify a -CAfile. The problem is I have to specify this
 _every_ time I run the command.
 
 Would you accept a patch that uses ${OPENSSLDIR}/cert.pem as default for
 -CAfile ? Or whatever you think might be better, e.g. ca-bundle.crt.

In my view it is a feature that s_client verification is not
dependent on some unpredictable bundle created by some O/S
distribution that may be approximately compatible with the policy
of some particular browser or set of browsers.

The s_client command is not an end-user application, it is a testing
tool, and should do precisely what is asked of it, no more and no
less.  To me that means no unsolicited trusted CAs.

My strong preference is to keep the current behaviour.

 I do understand that openssl does not supply a root CA bundle, but most
 systems have one installed. A lot of admins set a link or copy that bundle
 into ${OPENSSLDIR}. It does not really help though, since you always have to
 specify it via the -CAfile parameter.

Use a shell script wrapper when you want system-default trust anchors:

#! /bin/sh
# Trust anchors handed to s_client; adjust these to where your system keeps them.
CAfile=/etc/ssl/certs.pem
CApath=/etc/ssl/certs/

# Quote the variables and use "$@" so paths and arguments containing
# whitespace are passed through intact.
exec openssl s_client -CAfile "$CAfile" -CApath "$CApath" "$@"

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org
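As an added example (not code from the thread or from the OpenSSL project), the wrapper below follows Viktor's approach but keeps s_client's bare behaviour as the default: trust anchors are only supplied when the caller opts in. The OPENSSL_SYSTEM_TRUST and SSL_CA_BUNDLE variable names and the candidate bundle paths are assumptions for illustration, not names OpenSSL defines.

```sh
#!/bin/sh
# Added example, not from the thread: an s_client wrapper that adds system
# trust anchors only when the caller sets OPENSSL_SYSTEM_TRUST=1, so that by
# default the tool still trusts nothing it was not explicitly given.
# The variable names and bundle locations below are assumptions.

# pick_ca_bundle PATH...: print the first readable file among the candidates.
# Prints nothing and returns 1 when none of them exists.
pick_ca_bundle() {
    for candidate in "$@"; do
        if [ -n "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# trust_args: print the "-CAfile <bundle>" pair to splice into the command
# line, or nothing when the caller did not opt in or no bundle was found.
# SSL_CA_BUNDLE (assumed name) lets the caller point at a specific file first.
trust_args() {
    [ "${OPENSSL_SYSTEM_TRUST:-0}" = "1" ] || return 0
    bundle=$(pick_ca_bundle "${SSL_CA_BUNDLE:-}" \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/cert.pem) || return 0
    printf -- '-CAfile %s' "$bundle"
}

# Only exec s_client when invoked with arguments, e.g.
#   OPENSSL_SYSTEM_TRUST=1 ./s_client-wrap -connect example.com:443
# Word splitting of $(trust_args) is intentional: it yields the flag and its
# value as two words, so bundle paths must not contain whitespace.
if [ $# -gt 0 ]; then
    # shellcheck disable=SC2046
    exec openssl s_client $(trust_args) "$@"
fi
```

Without OPENSSL_SYSTEM_TRUST=1 the wrapper is equivalent to running openssl s_client directly, so a "Verify return code: 20" still means the peer chain was not anchored in anything you asked for; with it, the first readable bundle found is passed as -CAfile.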