Bug 1019964

Summary: socat: should use the system certificate store by default
Product: Red Hat Enterprise Linux 7 Reporter: Florian Weimer <fweimer>
Component: socatAssignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: gerhard, jaster, omoris
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.7.3.1-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-13 10:55:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1019961    

Description Florian Weimer 2013-10-16 17:16:21 UTC 
Just calling SSL_CTX_set_default_verify_paths() if neither the capath nor cafile options are specified should be sufficient.

Test case:  This should download the Bugzilla front page:

$ socat readline OPENSSL:bugzilla.redhat.com:443
GET / HTTP/1.0
<just press enter>

Failure looks like this:

$ socat readline OPENSSL:bugzilla.redhat.com:443
2013/10/16 17:34:33 socat[23714] E SSL_connect(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Comment 2 Gerhard 2014-04-03 11:03:12 UTC 
This improvement will come with the next upstream feature release.
Comment 4 Gerhard 2015-01-24 20:35:32 UTC 
Scoat version 1.7.3.0 per default uses the system certificate store.
Comment 6 Paul Wouters 2018-11-13 10:55:33 UTC 
This bug is addressed by ERRATA RHBA-2017:2049-03 socat bug fix update

https://errata.devel.redhat.com/advisory/26967