<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I built openssl 1.0.2 from the tar.gz file.<div class=""><br class=""></div><div class="">I am trying to verify a connection, but TLS does not find the ca-bundle.crt unless it is on the command line:</div><div class=""><br class=""></div><div class="">/usr/local/openssl/bin/openssl s_client -showcerts  -connect <a href="http://mta3.edu" class="">mta3.edu</a>:25 -starttls smtp</div><div class=""><br class=""></div><div class="">New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br class="">Server public key is 2048 bit<br class="">Secure Renegotiation IS supported<br class="">Compression: NONE<br class="">Expansion: NONE<br class="">No ALPN negotiated<br class="">SSL-Session:<br class="">    Protocol  : TLSv1.2<br class="">    Cipher    : ECDHE-RSA-AES128-GCM-SHA256<br class="">    Session-ID: 653E180E0E46DB0E2B268F2FB7AB583B66F31269AD7F073FF23531C14A7DAE66<br class="">    Session-ID-ctx: <br class="">    Master-Key: 7D54E27BFBAC1422F3C23055359E222DE1865A71F8DD7CF0B9FAAE2CEBA8D3EE17AA27A183206B814EDA0016EA699020<br class="">    Key-Arg   : None<br class="">    PSK identity: None<br class="">    PSK identity hint: None<br class="">    SRP username: None<br class="">    Start Time: 1571773604<br class="">    Timeout   : 300 (sec)<br class="">    <b class="">Verify return code: 20 (unable to get local issuer certificate)</b><br class=""><br class=""></div><div class=""><br class=""></div><div class="">/usr/local/openssl/bin/openssl s_client -showcerts <b class="">-CAfile /usr/local/openssl/ssl/certs/ca-bundle.crt</b> -connect <a href="http://mta3.edu" class="">mta3.edu</a>:25 -starttls smtp</div><div class=""><br class=""></div><div class="">New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br class="">Server public key is 2048 bit<br class="">Secure Renegotiation 
IS supported<br class="">Compression: NONE<br class="">Expansion: NONE<br class="">No ALPN negotiated<br class="">SSL-Session:<br class="">    Protocol  : TLSv1.2<br class="">    Cipher    : ECDHE-RSA-AES128-GCM-SHA256<br class="">    Session-ID: 68EB6663064D12857FFFB061F29BF4DFB081A8322A30AF292E8CC88CEE5F7B47<br class="">    Session-ID-ctx: <br class="">    Master-Key: 5FF67384CB91433D39ACA430E4AD447A3C854B865A8E71FB46AAD79C5CCFB56B2FB57AFED08FA73227BCFBFDE0633C85<br class="">    Key-Arg   : None<br class="">    PSK identity: None<br class="">    PSK identity hint: None<br class="">    SRP username: None<br class="">    Start Time: 1571773646<br class="">    Timeout   : 300 (sec)<br class="">   <b class=""> Verify return code: 0 (ok)</b></div><div class=""><b class=""><br class=""></b></div><div class=""><b class=""><br class=""></b>“Why does &lt;SSL program&gt; fail with a certificate verify error?” FAQ says:</div><div class="">this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it.</div><div class=""><br class=""></div><div class="">I can’t find documentation on how to tell TLS where to look.</div><div class=""><br class=""></div><div class="">I’ve tried placing ca-bundle.crt in</div><div class="">/usr/local/openssl/ssl/certs/</div><div class="">/etc/pki/tls/certs</div><div class=""><br class=""></div><div class="">Any pointers appreciated.</div><div class=""><br class=""></div><div class="">Anne</div></body></html>