> No, look at your output: the certificate chain is identical.
> What differs is the result of verification against each system's
> truststore, which is the set of CA (root) certs it trusts.
>
> Since you didn't specify -CAfile or -CAdir on s_client,
> it's using (whatever is in) the default truststore, which
> can be set by environment variables SSL_CERT_FILE/DIR
> and otherwise defaults to a file or subdirectory in
> OPENSSLDIR which is set at build time. If you installed
> openssl on your dev system (Fedora) as a package, that
> package may have installed some well-known CA certs in your
> default store, or you may have installed some other package
> that does so (I've heard curl does, and I think there are
> others). Or if this system is shared, someone else did.
>
> If your app is calling SSL_CTX_set_default_verify_paths
> it is defaulting similarly.
>
> For your target system you might first check whether there
> is a package that includes, or adds, well-known CA certs.
> If this is not the same package or packager as openssl,
> be sure they agree on the location of OPENSSLDIR.
> To do it yourself you should either put whatever CA certs
> you decide are trusted -- or someone else you trust has decided
> are trusted, such as Microsoft (Windows/IE) or Oracle (Java) --
> in its default truststore, if that is a location you can write.
> Or, change your app to call SSL_CTX_set_verify_locations
> specifying your own file and/or directory into which you
> similarly put whatever CA certs you decide are trusted.
>
Thanks a lot - that really helps.

Calling openssl with the -CApath pointing to the certificate store resolves
this issue, so it's definitely related to this.

However, there seems to be a problem with the default settings. On my
Fedora box this all just works without needing to specify -CApath. The
built-in OPENSSLDIR contains the certificates.

I copied this dir across onto my target device and put it in the OPENSSLDIR
for the target (/usr/local/ssl), but it only works if I specify this
explicitly via -CApath.

Fedora system:

openssl version -d
OPENSSLDIR: "/etc/pki/tls"

ls /etc/pki/tls
cert.pem  certs  misc  openssl.cnf  private

Target system:

openssl version -d
OPENSSLDIR: "/usr/local/ssl"

ls /usr/local/ssl
cert.pem     certs        misc         openssl.cnf  private

Is there any way to have openssl spit out where it's looking for the
certificate store? Ideally I don't want to have to specify any parameters
in my client program since the code is mostly automatically generated by
gSOAP. On my Fedora box it just picks up the defaults and works smoothly. I
want the same behaviour on my target board.

Thanks a lot,
Ben
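Ben's question about making openssl report where it looks for the store can be answered by reading the defaults back the way the reply describes them. The script below is an added example, not code from this thread: it derives the effective default CAfile and CApath from `openssl version -d` plus the SSL_CERT_FILE/SSL_CERT_DIR overrides, and then checks whether each location holds something the library will actually consult. It assumes only an `openssl` binary on PATH; the check for subject-hash-named entries in the certs directory is a general OpenSSL requirement, not something stated in the thread.

```shell
#!/bin/sh
# Added example: show where this OpenSSL build looks for its default truststore
# and whether a usable store is actually present there. Assumes only the
# `openssl` CLI on PATH; nothing here is taken from the thread's target board.

# Extract the directory from the line `openssl version -d` prints,
# e.g.  OPENSSLDIR: "/usr/local/ssl"
parse_openssl_dir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Effective default locations: the SSL_CERT_FILE / SSL_CERT_DIR environment
# variables override the build-time defaults under OPENSSLDIR ($1).
effective_cert_file() { printf '%s\n' "${SSL_CERT_FILE:-$1/cert.pem}"; }
effective_cert_dir()  { printf '%s\n' "${SSL_CERT_DIR:-$1/certs}"; }

# Number of certificates in a PEM bundle (0 if the file is absent/unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of subject-hash entries (<8 hex digits>.<n>) in a CApath directory.
# OpenSSL finds CA certs in a directory only through these hashed names, so a
# copied directory holding plainly named .crt files is silently ignored;
# regenerate the links with c_rehash (or `openssl rehash` on 1.1.0+).
count_hash_links() {
    [ -d "$1" ] || { echo 0; return; }
    ls -1 "$1" | grep -Ec '^[0-9a-f]{8}\.[0-9]+$' || true
}

# Print the resolved defaults together with what each location contains.
report_default_store() {
    dir=$(parse_openssl_dir "$(openssl version -d)")
    file=$(effective_cert_file "$dir")
    certs=$(effective_cert_dir "$dir")
    printf 'OPENSSLDIR     : %s\n' "$dir"
    printf 'default CAfile : %s (%s certs)\n' "$file" "$(count_pem_certs "$file")"
    printf 'default CApath : %s (%s hash entries)\n' "$certs" "$(count_hash_links "$certs")"
}

# Run the report only when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    report_default_store
fi
```

A CAfile count of 0 and a CApath count of 0 together mean the default store is empty for this build even though the directory exists, which is exactly the situation -CApath papers over.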
