openssl 1.0.2 with TLS 1.2

Anne M. Hammond hammond at txcorp.com
Tue Oct 22 22:56:49 UTC 2019


I built openssl 1.0.2 from the tar.gz file.

I am trying to verify a connection, but TLS does not find the ca-bundle.crt unless it is on the command line:

/usr/local/openssl/bin/openssl s_client -showcerts  -connect mta3.edu:25 -starttls smtp

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 653E180E0E46DB0E2B268F2FB7AB583B66F31269AD7F073FF23531C14A7DAE66
    Session-ID-ctx: 
    Master-Key: 7D54E27BFBAC1422F3C23055359E222DE1865A71F8DD7CF0B9FAAE2CEBA8D3EE17AA27A183206B814EDA0016EA699020
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1571773604
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)


/usr/local/openssl/bin/openssl s_client -showcerts -CAfile /usr/local/openssl/ssl/certs/ca-bundle.crt -connect mta3.edu:25 -starttls smtp

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 68EB6663064D12857FFFB061F29BF4DFB081A8322A30AF292E8CC88CEE5F7B47
    Session-ID-ctx: 
    Master-Key: 5FF67384CB91433D39ACA430E4AD447A3C854B865A8E71FB46AAD79C5CCFB56B2FB57AFED08FA73227BCFBFDE0633C85
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1571773646
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


“Why does <SSL program> fail with a certificate verify error?” FAQ says:
This typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it.

I can’t find documentation on how to tell TLS where to look.

I’ve tried placing ca-bundle.crt in
/usr/local/openssl/ssl/certs/
/etc/pki/tls/certs

Any pointers appreciated.

Anne
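An added example, not part of Anne's post, showing where an OpenSSL 1.0.2 build looks for trust anchors when neither -CAfile nor -CApath is given, and why a bundle dropped into the certs/ directory is not picked up. OPENSSL_BIN defaults to the binary path from the post; the OPENSSLDIR value is read from `openssl version -d` rather than assumed.

```shell
#!/bin/sh
# Default trust-store locations for an OpenSSL 1.0.2 build (no -CAfile/-CApath):
#   file: $SSL_CERT_FILE, else $OPENSSLDIR/cert.pem
#   dir : $SSL_CERT_DIR,  else $OPENSSLDIR/certs   (entries named <subject-hash>.N)
# A bundle copied into certs/ as ca-bundle.crt is never opened: the directory
# lookup is by hashed filename, so either install it as cert.pem or split it
# into single certificates and run c_rehash on the directory.
OPENSSL_BIN=${OPENSSL_BIN:-/usr/local/openssl/bin/openssl}   # path from the post

# Print the OPENSSLDIR compiled into the binary, e.g. /usr/local/openssl/ssl
openssl_dir() {
    "$OPENSSL_BIN" version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Print the default CA file and CA directory for OPENSSLDIR $1, one per line
default_trust_paths() {
    printf '%s/cert.pem\n%s/certs\n' "$1" "$1"
}

# Classify the default trust store under OPENSSLDIR $1: "file", "dir" or "none".
# Returns 0 only when something the library will actually load is present.
trust_store_state() {
    if [ -s "$1/cert.pem" ]; then
        echo file; return 0
    fi
    # hashed entries look like 5ad8a5d6.0; a lone ca-bundle.crt does not qualify
    if ls "$1"/certs/*.[0-9] >/dev/null 2>&1; then
        echo dir; return 0
    fi
    echo none; return 1
}

# Install PEM bundle $2 as the default CA file under OPENSSLDIR $1
install_bundle() {
    cp "$2" "$1/cert.pem" && chmod 644 "$1/cert.pem"
}

# Diagnostic mode: ./trust-store.sh --check [bundle-to-install]
if [ "${1:-}" = "--check" ]; then
    dir=$(openssl_dir)
    echo "OPENSSLDIR: $dir"
    default_trust_paths "$dir"
    state=$(trust_store_state "$dir") || true
    echo "default trust store: $state"
    if [ "$state" = none ] && [ -n "${2:-}" ]; then
        install_bundle "$dir" "$2" && echo "installed $2 as $dir/cert.pem"
    fi
    # Without touching OPENSSLDIR, SSL_CERT_FILE=/path/to/ca-bundle.crt does the same job.
fi
```

Run it with --check against the live binary; note that s_client keeps talking to the server after a failed verification, so the "Verify return code" line is the only signal that the chain was rejected.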