Hrm, this behavior is a bit weird. Using -CApath seems to set -CAfile
to the default of /etc/ssl/certs/ca-certificates.crt. Compare the
outputs of:
$ echo "" | strace -f -s 1024 -e trace=file openssl s_client -connect www.google.com:443 2>&1 | egrep '^open|return code'
...
Verify return code: 20 (unable to get local issuer certificate)
$ echo "" | strace -f -s 1024 -e trace=file openssl s_client -connect www.google.com:443 -CApath /dev/null 2>&1 | egrep '^open|return code'
...
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
...
Verify return code: 0 (ok)
$ echo "" | strace -f -s 1024 -e trace=file openssl s_client -connect www.google.com:443 -CAfile /dev/null 2>&1 | egrep '^open|return code'
...
open("/dev/null", O_RDONLY) = 3
...
Verify return code: 20 (unable to get local issuer certificate)
** Summary changed:
- openssl s_client doesn't look into the CAPath unless specified
+ openssl s_client behaves strangely without CAPath
** Changed in: openssl (Ubuntu)
Status: Invalid => Confirmed
** Changed in: openssl (Ubuntu)
Importance: Undecided => Low
--
openssl s_client behaves strangely without CAPath
https://bugs.launchpad.net/bugs/396818
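
The comparison above, as an added example (not part of the original bug comment and not OpenSSL code): a shell function that reads the same strace and s_client output and reports any trust-store file that was opened without being requested. The function name ca_audit, the /etc/ssl/ prefix check and the sample input are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the CA files an `openssl s_client` run opened
# with the ones requested through -CApath / -CAfile.
# stdin: strace + s_client output filtered as in the commands above.
# args:  the paths given on the command line (no spaces in paths).
# Assumption: trust material lives under /etc/ssl/ (layout seen on this page).
ca_audit() {
  awk -v requested="$*" '
    function asked(p,   i) {
      # Requested if it is the -CAfile itself or a file inside the -CApath dir.
      for (i = 1; i <= n; i++)
        if (p == r[i] || index(p, r[i] "/") == 1) return 1
      return 0
    }
    BEGIN { n = split(requested, r, " ") }
    # Successful open()/openat(): the result after "=" is a file descriptor.
    /^open(at)?\(/ && / = [0-9]+$/ {
      if (match($0, /"[^"]+"/)) {
        path = substr($0, RSTART + 1, RLENGTH - 2)
        if (path ~ /^\/etc\/ssl\// && !asked(path) && !(path in seen)) {
          seen[path] = 1
          implicit++
          print "IMPLICIT " path
        }
      }
    }
    /Verify return code:/ {
      for (i = 1; i <= NF; i++) if ($i == "code:") code = $(i + 1)
    }
    END {
      print "verify=" (code == "" ? "unknown" : code)
      # Non-zero exit: the chain verified using a store nobody asked for.
      exit ((code == "0" && implicit > 0) ? 1 : 0)
    }'
}

# Constructed sample modelled on the -CApath /dev/null run above.
sample_capath='open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
Verify return code: 0 (ok)'
printf '%s\n' "$sample_capath" | ca_audit /dev/null ||
  echo "verification succeeded via a trust store that was not requested"
```

A non-zero exit status marks the case from the second run: verification returned 0 while the only CA file opened was one that was never passed on the command line.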