OpenSSL does not find certificates unless specified with -CAfile

Tags: openssl, ssl-certificate, ssl-certificate-errors

I've been struggling with openssl for some days.

I've compiled openssl on an ARM device, and when I run openssl s_client -connect google.com:443 the connection fails with error 20: unable to get local issuer certificate.

If I run that command specifying -CAfile /etc/ssl/certs/ca-certificates.crt the connection works and returns verify return code: 0 (ok).
Another test that I've done is to run the command with -CApath /etc/ssl/certs/; in this case I still get error 20.

Since OPENSSLDIR is /usr/lib/ssl I've managed to link it to /etc/ssl/certs, now in the filesystem that directory looks like this:

ls -l /usr/lib/ssl
certs -> /etc/ssl/certs

I can't figure out what I'm missing or how to set the directory in which openssl has to look for certificates.
Has someone had a similar issue?

Best Answer

The directory specified in CApath must have a special structure. From the OpenSSL docs:

If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility to create the necessary links

If I am not wrong, you can use a directory as CApath if:

  • It contains files in PEM format, each containing one authority certificate.
  • You run c_rehash (or manually create the appropriate symbolic links) in it.
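As an added illustration of the layout the answer describes (this is example code, not part of the original answer or of OpenSSL's own c_rehash), the script below splits a PEM bundle into one file per certificate, names each file <subject_hash>.<n> the way -CApath expects, and then checks that openssl verify accepts the directory. The bundle path and output directory are assumptions; the test generates a constructed self-signed CA so it runs offline.

```sh
#!/bin/sh
# Added example: build an OpenSSL-style hashed CA directory from a PEM
# bundle, i.e. the structure -CApath looks for. Requires the openssl binary.
set -eu

# build_capath BUNDLE OUTDIR
# Splits BUNDLE at each BEGIN CERTIFICATE marker, hashes the subject of every
# certificate with "openssl x509 -subject_hash", and stores the certificate as
# OUTDIR/<hash>.<n>, incrementing <n> when two subjects share a hash value.
build_capath() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    # awk writes each certificate to its own temporary split.<n>.pem file
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/split." n ".pem" }
        n { print > f }
    ' "$bundle"
    for f in "$outdir"/split.*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        i=0
        while [ -e "$outdir/$h.$i" ]; do i=$((i + 1)); done
        mv "$f" "$outdir/$h.$i"
    done
}

# count_hashed OUTDIR
# Prints how many <8 hex digits>.<n> entries OUTDIR holds (0 if none).
count_hashed() {
    n=0
    for f in "$1"/*; do
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# verify_with_capath OUTDIR CERT
# Prints "ok" when openssl verify accepts CERT using OUTDIR as -CApath,
# "fail" otherwise (the error 20 case from the question is one such failure).
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Usage (assumed paths):
#   build_capath /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/certs
#   verify_with_capath /usr/lib/ssl/certs some-leaf-or-ca.pem
```

Pointing -CApath at a directory that merely contains the .pem files, without the hash-named entries, still yields error 20, which matches the behaviour reported in the question; only the hashed names let the lookup by subject name hash succeed.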