>From: owner-openssl-us...@openssl.org On Behalf Of Ben White
>Sent: Monday, 10 September, 2012 06:17

<snip my previous advice, can't easily reformat>

>Calling openssl with the -CApath pointing to the certificate
>store resolves this issue, so it's definitely related to this.
>However, there seems to be a problem with the default settings.
>On my Fedora box this all just works without needing to specify
>-CApath. The built-in OPENSSLDIR contains the certificates.
>I copied this dir across onto my target device and put it in
>the OPENSSLDIR for the target (/usr/local/ssl), but it only works
>if I specify this explicitly via -CApath.
<snip: commandline version -d on each>

That's odd. s_client without -CApath should use the same dir
as -CApath OPENSSLDIR/certs (and similarly file OPENSSLDIR/cert.pem)
unless envvars SSL_CERT_{FILE,DIR} are set (confirm they aren't)
or something weird was done in the openssl build.

If the openssl build you're using on target isn't known/certain
to be from official (unpatched) source, and you can rebuild from
source, that might be worth a try. I presume you have the cross
tools already for your app, although openssl is a pretty complicated
build and it may need something your app doesn't; and you need
a correct set of flags (compiler,linker,etc) which you may have
to create yourself.

You said openssl is 1.0.1c on both systems, so this isn't the issue
of the hashnames in a CApath changing between 0.9.8 and 1.0.0.

>Is there any way to have openssl spit out where it's looking for the
>certificate store?
<snip>

Not specifically. If you can run under a debugger on your target
(hopefully with source) I'd try that. Or you may have OS-level tools
like strace that can do this (but often with a lot of clutter).
Otherwise you may be reduced to 1960-style batch debugging, by
changing the source to include printf or similar and rebuilding,
which in turn requires you can rebuild from source (see above).

Good luck.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
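
The lookup rule stated in the reply above (OPENSSLDIR/certs and OPENSSLDIR/cert.pem unless SSL_CERT_DIR or SSL_CERT_FILE is set), as an added shell example that is not part of the original message or of OpenSSL itself. The function names are hypothetical, and it assumes an unpatched build whose `openssl version -d` prints `OPENSSLDIR: "<dir>"`.

```shell
#!/bin/sh
# Added example (hypothetical helper names): where an unpatched OpenSSL
# build looks for trusted CAs when neither -CApath nor -CAfile is given.

# Pull the directory out of `openssl version -d` output,
# e.g.  OPENSSLDIR: "/usr/local/ssl"
openssldir_from_version() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# SSL_CERT_DIR, when set, replaces OPENSSLDIR/certs.
default_ca_dir() {
    if [ "${SSL_CERT_DIR+set}" = set ]; then printf '%s\n' "$SSL_CERT_DIR"
    else printf '%s/certs\n' "$1"; fi
}

# SSL_CERT_FILE, when set, replaces OPENSSLDIR/cert.pem.
default_ca_file() {
    if [ "${SSL_CERT_FILE+set}" = set ]; then printf '%s\n' "$SSL_CERT_FILE"
    else printf '%s/cert.pem\n' "$1"; fi
}

# Count entries named <8 hex digits>.<n> that resolve to a real file.
# A CApath lookup only finds certificates under such hash names, and a
# dangling symlink is not counted.
count_hash_entries() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

ca_store_report() {
    base=$(openssldir_from_version "$1")
    dir=$(default_ca_dir "$base"); file=$(default_ca_file "$base")
    echo "CA dir : $dir ($(count_hash_entries "$dir") usable hash-named entries)"
    if [ -r "$file" ]; then echo "CA file: $file (readable)"
    else echo "CA file: $file (missing or unreadable)"; fi
}

# Run against the local build if an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    ca_store_report "$(openssl version -d)"
fi
```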