On Wed, Apr 23, 2014 at 11:09:59PM -0400, Helmut Tessarek wrote:

> Every time I run "openssl s_client -connect example.com:443", I get a
> "Verify return code: 20 (unable to get local issuer certificate)".
> 
> It works if I specify a -CAfile. The problem is I have to specify this
> _every_ time I run the command.
> 
> Would you accept a patch that uses ${OPENSSLDIR}/cert.pem as default for
> -CAfile? Or whatever you think might be better, e.g. ca-bundle.crt.

In my view it is a feature that s_client verification is not
dependent on some unpredictable "bundle" created by some O/S
distribution that may be approximately compatible with the policy
of some particular browser or set of browsers.

The s_client command is not an end-user application, it is a testing
tool, and should do precisely what is asked of it, no more and no
less.  To me that means no unsolicited trusted CAs.

My strong preference is to keep the current behaviour.

> I do understand that openssl does not supply a root CA bundle, but most
> systems have one installed. A lot of admins set a link or copy that bundle
> into ${OPENSSLDIR}. It does not really help though, since you always have to
> specify it via the -CAfile parameter.

Use a shell script wrapper when you want system-default trust anchors:

    #! /bin/sh
    # Adjust both paths to where your distribution installs its trust store.
    CAfile=/etc/ssl/certs.pem
    # Hashed-directory form of the same store; /etc/ssl, not /etc/ssh.
    CApath=/etc/ssl/certs/

    # Pass through all remaining arguments (e.g. -connect host:443).
    exec openssl s_client -CAfile "$CAfile" -CApath "$CApath" "$@"

-- 
        Viktor.
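A slightly more portable version of the wrapper idea above, added here as an example and not part of the original thread: it probes a list of common bundle locations (the candidate paths are assumptions and differ between distributions) and, when one is found, runs s_client with `-verify_return_error` so that a chain that fails to verify aborts the handshake instead of merely being reported.

```shell
#!/bin/sh
# Added example, not Viktor's script. Usage: ./s_client_trusted.sh host:port [s_client options]
#
# Candidate trust-store locations, tried in order. These paths are assumptions;
# override with CA_CANDIDATES="/path/a.pem /path/b.crt" if your system differs.
CA_CANDIDATES="${CA_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem /etc/ssl/certs.pem}"

# Print the first readable candidate bundle on stdout.
# Returns 0 on success, 1 if none of the candidates is readable.
find_ca_bundle() {
    for f in $CA_CANDIDATES; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Run s_client against host:port using the located bundle as the only trust
# anchors. Nothing is trusted implicitly: if no bundle is found we refuse to
# run rather than silently fall back to an unverified connection.
s_client_trusted() {
    target=$1
    shift
    bundle=$(find_ca_bundle) || { echo "no CA bundle found in: $CA_CANDIDATES" >&2; return 2; }
    exec openssl s_client -connect "$target" \
        -CAfile "$bundle" -verify_return_error "$@"
}

# Only act when invoked with a target; sourcing the file just defines the functions.
case "${1-}" in
    "") ;;
    *) s_client_trusted "$@" ;;
esac
```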
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]