openssl 1.0.2 with TLS 1.2

openssl 1.0.2 with TLS 1.2

Anne M. Hammond
I built openssl 1.0.2 from the tar.gz file.

I am trying to verify a connection, but TLS does not find the ca-bundle.crt unless it is on the command line:

/usr/local/openssl/bin/openssl s_client -showcerts  -connect mta3.edu:25 -starttls smtp

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 653E180E0E46DB0E2B268F2FB7AB583B66F31269AD7F073FF23531C14A7DAE66
    Session-ID-ctx: 
    Master-Key: 7D54E27BFBAC1422F3C23055359E222DE1865A71F8DD7CF0B9FAAE2CEBA8D3EE17AA27A183206B814EDA0016EA699020
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1571773604
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)


/usr/local/openssl/bin/openssl s_client -showcerts -CAfile /usr/local/openssl/ssl/certs/ca-bundle.crt -connect mta3.edu:25 -starttls smtp

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 68EB6663064D12857FFFB061F29BF4DFB081A8322A30AF292E8CC88CEE5F7B47
    Session-ID-ctx: 
    Master-Key: 5FF67384CB91433D39ACA430E4AD447A3C854B865A8E71FB46AAD79C5CCFB56B2FB57AFED08FA73227BCFBFDE0633C85
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1571773646
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


The “Why does <SSL program> fail with a certificate verify error?” FAQ says:
this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it.

I can’t find documentation on how to tell TLS where to look.

I’ve tried placing ca-bundle.crt in
/usr/local/openssl/ssl/certs/
/etc/pki/tls/certs

Any pointers appreciated.

Anne
Re: openssl 1.0.2 with TLS 1.2

OpenSSL - User mailing list

> I can’t find documentation on how to tell TLS where to look.

Not sure about 1.0.2, but “openssl version -a” should show you the CERT directory.

BTW, that’s an old release, you should upgrade if possible.

Re: openssl 1.0.2 with TLS 1.2

Anne M. Hammond
Thanks Rich.

openssl version -a
OPENSSLDIR: "/usr/local/openssl-1.0.2a/ssl"

—————
That tells me the dir openssl is looking in.

ls /usr/local/openssl-1.0.2a/ssl

total 36
drwxr-xr-x 6 root root  4096 2019-10-23 16:34 .
drwxr-xr-x 7 root root  4096 2019-10-22 12:27 ..
drwxr-xr-x 2 root root  4096 2019-10-22 13:23 certs
drwxr-xr-x 6 root root  4096 2019-10-21 16:01 man
drwxr-xr-x 2 root root  4096 2019-10-21 16:02 misc
-rw-r--r-- 1 root root 10835 2019-10-21 16:02 openssl.cnf
drwx------ 2 root root  4096 2019-10-21 16:29 private

ca-bundle.crt IS in certs.

On another system, where openssl s_client works, there is a link:

lrwxrwxrwx   1 root root    19 May 10  2015 cert.pem -> certs/ca-bundle.crt

I created this link in /usr/local/openssl-1.0.2a/ssl and now openssl s_client works on the system I am working on.

I will update to the newer version.  

Thank you for the pointer.
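To make the mechanism behind the fix in this thread concrete, here is an added example (not code from the thread or from OpenSSL) that models the two default verify locations OpenSSL compiles in: the single bundle file $OPENSSLDIR/cert.pem and the directory $OPENSSLDIR/certs, which is searched by subject-name hash (the <hash>.<n> link names that c_rehash writes), plus the SSL_CERT_FILE and SSL_CERT_DIR environment overrides. A bundle dropped into certs/ under the name ca-bundle.crt matches neither lookup, which is why the cert.pem link in the last message made s_client work. The scratch layout, its placeholder bundle content and the hash value 4a6481c9 are constructed for the demonstration; when run stand-alone it reports the paths of the OpenSSL the Python interpreter links against (which may differ from a hand-built /usr/local/openssl), or of a directory passed on the command line.

```python
"""Show where an OpenSSL build looks for its default CA store and why a
bundle dropped into certs/ under an arbitrary name is not picked up.

Added example for this thread, not OpenSSL's own code. It models the
default verify locations OpenSSL compiles in: $OPENSSLDIR/cert.pem (one
bundle file) and $OPENSSLDIR/certs (a directory of hash-named entries as
written by c_rehash), with SSL_CERT_FILE / SSL_CERT_DIR as overrides.
"""
import os
import re
import shutil
import ssl
import sys
import tempfile

# Entries in the CA directory are looked up by subject-name hash:
# <8 hex digits>.<n> for certificates, <8 hex digits>.r<n> for CRLs.
# Any other file name in that directory is never opened by the lookup.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def describe_default_store(openssldir, env=None):
    """Return what OpenSSL would consult for verification under openssldir.

    env is a mapping read instead of os.environ so the check is testable.
    """
    env = os.environ if env is None else env
    cafile = env.get("SSL_CERT_FILE", os.path.join(openssldir, "cert.pem"))
    capath = env.get("SSL_CERT_DIR", os.path.join(openssldir, "certs"))

    hashed, ignored = [], []
    if os.path.isdir(capath):
        for name in sorted(os.listdir(capath)):
            (hashed if HASHED_NAME.match(name) else ignored).append(name)

    report = {
        "cafile": cafile,
        # isfile() follows symlinks, so a dangling cert.pem link counts as absent
        "cafile_present": os.path.isfile(cafile),
        "capath": capath,
        "capath_hashed_entries": hashed,
        "capath_ignored_entries": ignored,
    }
    # Verification can succeed through either location.
    report["usable"] = report["cafile_present"] or bool(hashed)
    return report


def demo_thread_layout():
    """Rebuild the OPENSSLDIR from the thread in a scratch directory and
    return the reports before the fix, after the cert.pem link, and with a
    c_rehash-style hashed entry instead of the link.

    The bundle content and the hash value 4a6481c9 are constructed
    placeholders, not a real CA.
    """
    root = tempfile.mkdtemp(prefix="openssldir-")
    try:
        certs = os.path.join(root, "certs")
        os.mkdir(certs)
        with open(os.path.join(certs, "ca-bundle.crt"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        before = describe_default_store(root, env={})

        # What the thread's last message did: cert.pem -> certs/ca-bundle.crt
        os.symlink(os.path.join("certs", "ca-bundle.crt"), os.path.join(root, "cert.pem"))
        linked = describe_default_store(root, env={})

        # The alternative: a <subject-hash>.0 link in certs/, as c_rehash writes
        os.remove(os.path.join(root, "cert.pem"))
        os.symlink("ca-bundle.crt", os.path.join(certs, "4a6481c9.0"))
        rehashed = describe_default_store(root, env={})
        return before, linked, rehashed
    finally:
        shutil.rmtree(root)


def main():
    # Ask the interpreter's own OpenSSL for its compiled-in paths, or inspect
    # the directory given on the command line (e.g. the OPENSSLDIR printed by
    # "openssl version -a" for a separately built OpenSSL).
    if len(sys.argv) > 1:
        openssldir = sys.argv[1]
    else:
        openssldir = os.path.dirname(ssl.get_default_verify_paths().openssl_cafile)
    for key, value in describe_default_store(openssldir).items():
        print(f"{key:24} {value}")


if __name__ == "__main__":
    main()
```

Run it with the OPENSSLDIR from "openssl version -a" as the argument to see which of the two locations that build will actually read; a report with cafile_present false and an empty hashed-entries list is the configuration that produces "Verify return code: 20 (unable to get local issuer certificate)" without -CAfile.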