Ah, you are correct. My initial install of openssl was using /usr/lib/ssl as its directory, but when I upgraded to 1.1 it changed to /usr/local/ssl, which escaped my notice. I created the appropriate symlink and can confirm the issue is fixed.

Thanks,
Ben

On 11/10/16, 10:24 AM, "openssl-users on behalf of Viktor Dukhovni" <openssl-users-bounces@xxxxxxxxxxx on behalf of openssl-users@xxxxxxxxxxxx> wrote:

>
>> On Nov 10, 2016, at 12:25 PM, Benjamin Flynn <Benjamin.Flynn@xxxxxxxxxxxxxxxx> wrote:
>>
>> ### Failure when CAfile not specified
>>
>> $ openssl s_client -connect bigfishgames-a.akamaihd.net:443
>> CONNECTED(00000003)
>> depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
>> verify error:num=20:unable to get local issuer certificate
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
>>    i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
>>  1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
>>    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>  2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
>> issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA512
>> Server Temp Key: ECDH, P-256, 256 bits
>> ---
>> SSL handshake has read 4491 bytes and written 302 bytes
>> Verification error: unable to get local issuer certificate
>> ---
>> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>     Session-ID: CAA6B55CF1160CF74DF986563E56CFCB11A24B2CDB35480048885F2B88B4947F
>>     Session-ID-ctx:
>>     Master-Key: 3AAC7100740F1A670EC8A63C9AD93656A3704C80CCFF1BD6554F4F055CF35DEEF1AAE9F4987465732E347A6E0E00CEDF
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 7200 (seconds)
>>     TLS session ticket:
>>     0000 - 6a 1c 2d 9a f7 6b 30 c0-09 47 f9 2f 24 9a 01 79   j.-..k0..G./$..y
>>     0010 - cd f5 07 a7 9d 02 76 21-ab d3 dc df 88 97 ae d1   ......v!........
>>     0020 - 51 f1 c0 a0 e6 01 cc a6-5b 08 a8 61 a6 2b f0 66   Q.......[..a.+.f
>>     0030 - 31 fa a1 d2 b6 0c 5d 1d-d5 58 ff 6c 5e 27 bd a2   1.....]..X.l^'..
>>     0040 - c8 66 c4 af 9d 5d 55 93-8d e1 28 cb 77 32 0b 7f   .f...]U...(.w2..
>>     0050 - f5 74 cc 6f 56 c3 40 f2-91 65 72 6a b5 84 4b 08   .t.oV.@xxxxx..K.
>>     0060 - 2c bd cc fd e5 93 c7 a3-82 67 a5 70 47 16 f7 bc   ,........g.pG...
>>     0070 - d5 1a 8a e3 1c 10 c4 21-86 06 58 44 ef c3 be ab   .......!..XD....
>>     0080 - 72 8a f3 89 98 5f 85 79-b2 0c 92 0f 4a a6 f2 99   r...._.y....J...
>>     0090 - bb 8c 50 a0 63 b6 29 9e-8e 03 f1 f9 41 bb 42 97   ..P.c.).....A.B.
>>
>>     Start Time: 1478797302
>>     Timeout   : 7200 (sec)
>>     Verify return code: 20 (unable to get local issuer certificate)
>>     Extended master secret: no
>
> I am rather perplexed as to why you might expect verification success
> with no trusted CAs specified...  What you report is exactly what should
> happen, unless:
>
>> /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
>
> appears in the default system-wide CApath or CAfile locations as reported
> by
>
>     $ openssl version -d
>
> to which path you can append either "/certs" or "cert.pem" to yield
> CApath or CAfile respectively.
>
>     SSL_CTX_load_verify_locations(3):
>
>     SSL_CTX_set_default_verify_paths() specifies that the default locations
>     from which CA certificates are loaded should be used. There is one
>     default directory and one default file. The default CA certificates
>     directory is called "certs" in the default OpenSSL directory.
>     Alternatively the SSL_CERT_DIR environment variable can be defined to
>     override this location. The default CA certificates file is called
>     "cert.pem" in the default OpenSSL directory. Alternatively the
>     SSL_CERT_FILE environment variable can be defined to override this
>     location.
>
>> $ openssl s_client -connect bigfishgames-a.akamaihd.net:443 -CAfile /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem
>
> Presumably that file's parent directory (/etc/ssl/certs) is not the same as
> the directory as reported by "openssl -d" for the executable you're testing.
>
> --
> 	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
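The diagnosis in the thread can be scripted: find the OPENSSLDIR of the openssl binary on PATH, apply the SSL_CERT_DIR/SSL_CERT_FILE overrides quoted from the man page, and report whether the default CApath ("certs") and CAfile ("cert.pem") that s_client falls back to without -CAfile/-CApath actually exist. This is an added shell example, not code from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check the trust store the openssl
# binary on PATH really uses. The failure mode is the one Ben hit: an
# upgrade moved OPENSSLDIR to /usr/local/ssl where no certs/ or cert.pem
# existed, so every verification ended in error 20.

# Extract the directory from an "openssl version -d" line. Constructed
# sample input: OPENSSLDIR: "/usr/local/ssl"
openssldir_from_line() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Locations used when no -CAfile/-CApath is given: the environment
# overrides from the man page, otherwise the OPENSSLDIR defaults.
effective_capath() { printf '%s\n' "${SSL_CERT_DIR:-$1/certs}"; }
effective_cafile() { printf '%s\n' "${SSL_CERT_FILE:-$1/cert.pem}"; }

# Classify what exists for a given OPENSSLDIR: both, capath, cafile or none.
default_store_state() {
    _d=$(effective_capath "$1"); _f=$(effective_cafile "$1")
    if [ -d "$_d" ] && [ -f "$_f" ]; then echo both
    elif [ -d "$_d" ]; then echo capath
    elif [ -f "$_f" ]; then echo cafile
    else echo none
    fi
}

# Live diagnosis when an openssl binary is available on PATH.
if command -v openssl >/dev/null 2>&1; then
    odir=$(openssldir_from_line "$(openssl version -d)")
    echo "OPENSSLDIR: $odir"
    echo "CApath: $(effective_capath "$odir")  CAfile: $(effective_cafile "$odir")"
    case $(default_store_state "$odir") in
        none) echo "no default trust store: s_client verify fails with error 20" ;;
        *)    echo "default trust store present" ;;
    esac
fi
```

If the script reports "none", either populate or symlink certs/cert.pem under the reported OPENSSLDIR, as Ben did, or point SSL_CERT_DIR/SSL_CERT_FILE at the distribution's store.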