On 14/12/2016 08:30, 杨俊 wrote:
> Hi openssl-ers,
> I'm a newbie in openssl.
> Recently, I ported openssl to my embedded Linux device and ran the
> openssl command.
> But an error occurred.
> I have done a lot of Google searching, but I didn't find the answer.
> My issue is strange; my test steps are like below:
> 1. copy openssl, the libs, and cacert.pem to the embedded Linux platform.

Does cacert.pem contain the CA certificate that issued the certificate for
https://curl.haxx.se ?

In general, the argument to -CAfile should be the concatenation of the PEM
format CA root certificates that your embedded platform wants to trust as
issuing trustworthy certificates for the servers you will connect to.

Alternatively, the argument to -CApath should point to a directory
(traditionally named "/etc/ssl/certs") containing:

- One PEM file for each such trusted CA certificate
- The symlinks generated by the c_rehash script (these map simple checksums
  of the certificate names to the file names containing the CA certificates
  whose names have those checksums; this reduces memory consumption but
  increases disk read operations).

If your embedded file system does not support symlinks, you can instead
rename the PEM files to the names of the symlinks that c_rehash generates
on a more full-blown development computer.
> 2. run the command:
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem
> 3. the error log is
> ------log ----------------
> CONNECTED(00000003)
> depth=0 CN = anja.haxx.se
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = anja.haxx.se
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=anja.haxx.se
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> ----------------------------------
> 4. the output of openssl version and openssl version -d is
> /tmp # ./openssl version
> OpenSSL 1.1.0c 10 Nov 2016
> /tmp # ./openssl version -d
> OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"
> 5. On my PC, I found this command worked well. It returned the OK
> value, although the openssl version there is 1.0.1f.
> So I think my cacert.pem is right.
> 6. I also used other commands like:
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert.pem
> /tmp # ./openssl s_client -CApath
> /home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect
> curl.haxx.se:443
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se
> -key /etc/ssl/private/ssl-cert-snakeoil.key -CAfile /etc/ssl/certs/cacert.pem
> But they are all NG.
> On Google, they all said -CAfile or -CApath could help, but it doesn't
> work for me. >"<
> Please help
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
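The -CAfile / -CApath advice in the reply above, as a runnable shell example added here (it is not code from the thread, from Jakob, or from the OpenSSL project). It generates a throwaway CA and one certificate issued by it, builds a -CApath directory whose files carry the names c_rehash would give its symlinks but as plain copies, so it works on a file system without symlink support, and then shows three things with openssl verify: the hash directory works, a -CAfile bundle works, and pointing -CApath at a single PEM file (as in step 6 of the question) does not. The CA name, host name, working-directory layout and the build_capath / verify_with_* helpers are constructed for this demo; it assumes the openssl command-line tool and mktemp are on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Builds an OpenSSL -CApath directory without symlinks and checks it with
# "openssl verify". The CA and certificate are generated on the spot; the
# names below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one self-signed CA and one certificate it issued.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Demo/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=device-test.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/server.pem" 2>/dev/null
}

# build_capath DEST CA.pem [CA.pem ...]
# Copies each CA file into DEST under the name c_rehash would give its
# symlink: <subject hash>.<n>, where the hash comes from
# "openssl x509 -subject_hash" and n counts up when two CAs share a hash.
# Plain copies instead of links, so the directory works without symlinks.
build_capath() {
    dest=$1
    shift
    mkdir -p "$dest"
    for ca in "$@"; do
        subj_hash=$(openssl x509 -noout -subject_hash -in "$ca")
        n=0
        while [ -e "$dest/$subj_hash.$n" ]; do
            n=$((n + 1))
        done
        cp "$ca" "$dest/$subj_hash.$n"
    done
}

# Exit status 0 when CERT ($2) verifies against the hash directory DIR ($1).
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Exit status 0 when CERT ($2) verifies against the PEM bundle FILE ($1).
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki
build_capath "$WORK/certs" "$WORK/ca.pem"
echo "hash directory contains: $(ls "$WORK/certs")"

if verify_with_capath "$WORK/certs" "$WORK/server.pem"; then
    echo "-CApath directory: verify OK"
fi
if verify_with_cafile "$WORK/ca.pem" "$WORK/server.pem"; then
    echo "-CAfile bundle: verify OK"
fi
# -CApath must name a directory; handing it a PEM file, as in the question,
# leaves the issuer unfound ("unable to get local issuer certificate").
if ! verify_with_capath "$WORK/ca.pem" "$WORK/server.pem"; then
    echo "-CApath on a single PEM file: verify fails, as expected"
fi
```

For a real device, run build_capath on the development machine against the actual root PEM files, copy the resulting directory to the target and pass it to -CApath. OpenSSL 1.0.0 and later (so both the 1.0.1f PC and the 1.1.0c device in the question) compute the same subject hash, so a directory built on one is valid on the other. The helper handles certificate links only; c_rehash additionally creates <hash>.r<n> links for CRLs, which this example does not cover.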