I built openssl 1.0.2 from the tar.gz file. I am trying to verify a connection, but TLS does not find the ca-bundle.crt unless it is on the command line: /usr/local/openssl/bin/openssl s_client -showcerts -connect mta3.edu:25 -starttls smtp New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 653E180E0E46DB0E2B268F2FB7AB583B66F31269AD7F073FF23531C14A7DAE66 Session-ID-ctx: Master-Key: 7D54E27BFBAC1422F3C23055359E222DE1865A71F8DD7CF0B9FAAE2CEBA8D3EE17AA27A183206B814EDA0016EA699020 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1571773604 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) /usr/local/openssl/bin/openssl s_client -showcerts -CAfile /usr/local/openssl/ssl/certs/ca-bundle.crt -connect mta3.edu:25 -starttls smtp New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 68EB6663064D12857FFFB061F29BF4DFB081A8322A30AF292E8CC88CEE5F7B47 Session-ID-ctx: Master-Key: 5FF67384CB91433D39ACA430E4AD447A3C854B865A8E71FB46AAD79C5CCFB56B2FB57AFED08FA73227BCFBFDE0633C85 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1571773646 Timeout : 300 (sec) Verify return code: 0 (ok) “Why does <SSL program> faile with a certificate verify error?” faq says: this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. I can’t find documentation on how to tell TLS where to look. I’ve tried placing ca-bundle.crt in /usr/local/openssl/ssl/certs/ /etc/pki/tls/certs Any pointers appreciated. Anne |