openssl s_client behaves strangely without CAPath
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssl (Ubuntu) |
Fix Released
|
Low
|
Unassigned |
Bug Description
Binary package hint: openssl
1) lsb_release -rd
Description: Ubuntu 8.04.2
Release: 8.04
2) apt-cache policy openssl
openssl:
Installed: 0.9.8g-4ubuntu3.7
Candidate: 0.9.8g-4ubuntu3.7
Version table:
*** 0.9.8g-4ubuntu3.7 0
500 http://
500 http://
100 /var/lib/
0.
500 http://
3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
4) example output:
Bad behaviour:
openssl s_client -quiet -connect gmail.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Bad behaviour:
openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=US/ST=
verify return:1
It looks the openssl does not honor the -CApath parameter and takes the default, but if you dont specify the -CApath it doesnt look the CA directory at all
Thanks for the report. This is the expected behavior of the openssl commandline tool -- it does not presume to select a set of CAs by default.