I built openssl 1.0.2 from the tar.gz file.
I am trying to verify a connection, but TLS does not find the ca-bundle.crt
unless it is on the command line:
/usr/local/openssl/bin/openssl s_client -showcerts -connect mta3.edu:25 -starttls smtp
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 653E180E0E46DB0E2B268F2FB7AB583B66F31269AD7F073FF23531C14A7DAE66
Session-ID-ctx:
Master-Key: 7D54E27BFBAC1422F3C23055359E222DE1865A71F8DD7CF0B9FAAE2CEBA8D3EE17AA27A183206B814EDA0016EA699020
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1571773604
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
/usr/local/openssl/bin/openssl s_client -showcerts -CAfile /usr/local/openssl/ssl/certs/ca-bundle.crt -connect mta3.edu:25 -starttls smtp
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 68EB6663064D12857FFFB061F29BF4DFB081A8322A30AF292E8CC88CEE5F7B47
Session-ID-ctx:
Master-Key: 5FF67384CB91433D39ACA430E4AD447A3C854B865A8E71FB46AAD79C5CCFB56B2FB57AFED08FA73227BCFBFDE0633C85
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1571773646
Timeout : 300 (sec)
Verify return code: 0 (ok)
The “Why does <SSL program> fail with a certificate verify error?” FAQ says:
this typically means that the CA certificate must be placed in a directory or
file and the relevant program configured to read it.
I can’t find documentation on how to tell TLS where to look.
I’ve tried placing ca-bundle.crt in
/usr/local/openssl/ssl/certs/
/etc/pki/tls/certs
Any pointers appreciated.
Anne
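Added example (editor's note, not part of Anne's post or of any reply on the list). When s_client is run without -CAfile or -CApath it calls SSL_CTX_set_default_verify_paths, which reads the file named by $SSL_CERT_FILE (default $OPENSSLDIR/cert.pem) and the directory named by $SSL_CERT_DIR (default $OPENSSLDIR/certs). The directory is only consulted through hashed names of the form <subject-hash>.<n>, the layout the c_rehash script produces (OpenSSL 1.0.2 ships c_rehash; the built-in `openssl rehash` subcommand arrived in 1.1.0), so a file called ca-bundle.crt dropped into certs/ is never opened. The script below finds OPENSSLDIR, installs a bundle as both the default file and a hashed directory, and checks a certificate against the result offline with `openssl verify`; the bundle path and the test CA are constructed for the example, and the collision-suffix logic mirrors c_rehash rather than calling it.

```shell
#!/bin/sh
# Added example: place a CA bundle where OpenSSL's default verify paths find it.
# Assumes an openssl binary on PATH; paths below are illustrative.
set -u

# OPENSSLDIR as compiled into the binary; e.g. "/usr/local/openssl/ssl" for a
# build installed under /usr/local/openssl. Output line looks like:
#   OPENSSLDIR: "/usr/lib/ssl"
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

# Split a PEM bundle into one file per certificate inside $2 (a scratch dir).
split_bundle() {
    bundle=$1; out=$2
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$bundle"
}

# Populate a hashed certificate directory the way c_rehash does: each CA is
# stored as <subject-hash>.<n>, where n counts up when two CAs share a hash.
hash_into_dir() {
    bundle=$1; certdir=$2
    scratch=$(mktemp -d) || return 1
    mkdir -p "$certdir" || return 1
    split_bundle "$bundle" "$scratch"
    for f in "$scratch"/*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f") || { rm -rf "$scratch"; return 1; }
        i=0
        while [ -e "$certdir/$h.$i" ]; do i=$((i + 1)); done
        cp "$f" "$certdir/$h.$i"
    done
    rm -rf "$scratch"
}

# Install the bundle under $2 as both default locations:
#   $2/cert.pem   (what SSL_CERT_FILE defaults to)
#   $2/certs/     (what SSL_CERT_DIR defaults to, hashed)
install_bundle() {
    bundle=$1; dir=$2
    mkdir -p "$dir" && cp "$bundle" "$dir/cert.pem" && hash_into_dir "$bundle" "$dir/certs"
}

# Check a certificate against the installed store without any network access.
# $1 selects the lookup being exercised: "file" (-CAfile) or "path" (-CApath).
# Returns openssl verify's exit status (0 means the chain verified).
verify_via() {
    mode=$1; dir=$2; cert=$3
    case $mode in
        file) openssl verify -CAfile "$dir/cert.pem" "$cert" >/dev/null 2>&1 ;;
        path) openssl verify -CApath "$dir/certs" "$cert" >/dev/null 2>&1 ;;
        *) return 2 ;;
    esac
}

# Typical use with the bundle from the post (paths illustrative):
#   install_bundle /usr/local/openssl/ssl/certs/ca-bundle.crt "$(openssl_dir)"
#   openssl s_client -connect mta3.edu:25 -starttls smtp </dev/null
# or, without touching OPENSSLDIR, point the defaults elsewhere per process:
#   SSL_CERT_FILE=/path/to/ca-bundle.crt openssl s_client -connect mta3.edu:25 -starttls smtp
```

Verifying offline with `openssl verify -CAfile`/`-CApath` first separates "the bundle is wrong" from "the bundle is not being found"; once both succeed, the same s_client invocation that printed verify return code 20 should print 0 without -CAfile.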