LibreSSL s_client certificate verification and -CApath

Sun, 28 Dec 2014 13:18:06 -0800 

OpenBSD 5.6, LibreSSL 2.0.

Passing any arbitrary value to the -CApath flag of openssl s_client
appears to successfully verify the server certificate. To reproduce:

$ openssl s_client -quiet -connect google.com:443
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0

$ 

$ openssl s_client -quiet -connect google.com:443 -CApath /etc/ssl
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN
= *.google.com
verify return:1

$ ls /etc/asdf
ls: /etc/asdf: No such file or directory

$ openssl s_client -quiet -connect google.com:443 -CApath /etc/asdf
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN
= *.google.com
verify return:1

In contrast, the -CAfile option appears to work as intended:

$ openssl s_client -quiet -connect google.com:443 -CAfile /etc/ssl/cert.pem
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN
= *.google.com
verify return:1

$ openssl s_client -quiet -connect google.com:443 -CAfile /etc/asdf
22559972736860:error:02001002:system library:fopen:No such file or
directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:122:fopen('/etc/asdf',
'r')
22559972736860:error:2006D080:BIO routines:BIO_new_file:no such
file:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:125:
22559972736860:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system
lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/by_file.c:260:
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0

Please let me know if any additional information would be useful.

-Brian

Reply via email to