Default CApath in Debian (OpenSSL 0.9.6c-2)

Default CApath in Debian (OpenSSL 0.9.6c-2)

Vaclav Stepan
Hi,

I ran into trouble with the following thing. There is a Debian woody,
with OpenSSL 0.9.6c installed. I am trying to set OpenSSL so it
per default uses CA certificates in /etc/ssl/certs (I want to force
Sylpheed to actually use a CA certificate to verify server certificate).

I put the CA files to /etc/ssl/certs and generated hash names.
If I do
 openssl s_client -CApath /etc/ssl -connect ...

then OpenSSL correctly finds the CA certificate and verifies the server
certificate (return code 0).

If I omit the CApath, using the default settings, the verification fails
with
 Verify return code: 21 (unable to verify the first certificate)

I searched Google and archives - the only relevant thing I found is
that if it is my client app, I may ask it to use some CA cert.

But how do I set a CApath per default?

Thanks for any hint

Vaclav Stepan
 --
Vaclav Stepan
[hidden email]
http://linux.fjfi.cvut.cz/~w/


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Default CApath in Debian (OpenSSL 0.9.6c-2)

Lokesh Kumar
Hi,

Please check the man page of SSL_load_verify_locations(...) which can be used
in writing the server or client program.

-Lokesh.


On 6/1/05, Vaclav Stepan <[hidden email]> wrote:

> Hi,
>
> I ran into trouble with the following thing. There is a Debian woody,
> with OpenSSL 0.9.6c installed. I am trying to set OpenSSL so it
> per default uses CA certificates in /etc/ssl/certs (I want to force
> Sylpheed to actually use a CA certificate to verify server certificate).
>
> I put the CA files to /etc/ssl/certs and generated hash names.
> If I do
>  openssl s_client -CApath /etc/ssl -connect ...
>
> then OpenSSL correctly finds the CA certificate and verifies the server
> certificate (return code 0).
>
> If I omit the CApath, using the default settings, the verification fails
> with
>  Verify return code: 21 (unable to verify the first certificate)
>
> I searched Google and archives - the only relevant thing I found is
> that if it is my client app, I may ask it to use some CA cert.
>
> But how do I set a CApath per default?
>
> Thanks for any hint
>
> Vaclav Stepan
>  --
> Vaclav Stepan
> [hidden email]
> http://linux.fjfi.cvut.cz/~w/

Re: Default CApath in Debian (OpenSSL 0.9.6c-2)

Vaclav Stepan
Hi,

I was looking for a system-wide setting via openssl.cnf, but it seems
that there is not any. Thank you for the hint, I will adapt the client
program.

Vaclav Stepan
--
Vaclav Stepan
[hidden email]
http://linux.fjfi.cvut.cz/~w/
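
An added example, not part of the original thread: the thread ends with the client program having to name its CA directory itself, and this sketch shows that step together with a check of where the linked OpenSSL looks by default. It uses Python's ssl module, whose `load_verify_locations` wraps OpenSSL's `SSL_CTX_load_verify_locations`; the function names and the hash-name pattern (the c_rehash naming convention) are assumptions of this example.

```python
import os
import re
import ssl

# Naming convention written by c_rehash: 8 hex digits of the subject-name
# hash, a dot, and a sequence number (e.g. "0a1b2c3d.0").
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def default_ca_locations():
    """Where the linked OpenSSL looks when the caller names no CA directory."""
    paths = ssl.get_default_verify_paths()
    env = paths.openssl_capath_env
    return {
        "compiled_capath": paths.openssl_capath,
        "capath_env": env,
        "effective_capath": os.environ.get(env, paths.openssl_capath),
    }


def hashed_entries(capath):
    """Hash-named entries in capath; a CApath lookup opens only these."""
    found = []
    for directory in capath.split(os.pathsep):  # OpenSSL accepts a list here
        if os.path.isdir(directory):
            found += [n for n in os.listdir(directory) if HASH_NAME.match(n)]
    return sorted(found)


def client_context(capath):
    """Client context that verifies servers against an explicit CA directory."""
    if not hashed_entries(capath):
        # Fail early: nothing in this directory could ever be looked up.
        raise ValueError(f"no hash-named CA entries in {capath!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(capath=capath)
    return ctx


if __name__ == "__main__":
    loc = default_ca_locations()
    print("compiled-in default CApath:", loc["compiled_capath"])
    print("override variable         :", loc["capath_env"])
    found = hashed_entries(loc["effective_capath"])
    print("hash-named entries found  :", len(found))
```

Certificates in a CApath directory are read lazily during verification, so `client_context` succeeding only shows the directory was registered, not that any file in it is a valid CA certificate.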