Bug 1019964 - socat: should use the system certificate store by default
Summary: socat: should use the system certificate store by default
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: socat
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1019961
TreeView+ depends on / blocked
 
Reported: 2013-10-16 17:16 UTC by Florian Weimer
Modified: 2018-11-13 10:55 UTC (History)
3 users (show)

Fixed In Version: 1.7.3.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-13 10:55:33 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Florian Weimer 2013-10-16 17:16:21 UTC 
Just calling SSL_CTX_set_default_verify_paths() if neither the capath nor cafile options are specified should be sufficient.

Test case:  This should download the Bugzilla front page:

$ socat readline OPENSSL:bugzilla.redhat.com:443
GET / HTTP/1.0
<just press enter>

Failure looks like this:

$ socat readline OPENSSL:bugzilla.redhat.com:443
2013/10/16 17:34:33 socat[23714] E SSL_connect(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Comment 2 Gerhard 2014-04-03 11:03:12 UTC 
This improvement will come with the next upstream feature release.
Comment 4 Gerhard 2015-01-24 20:35:32 UTC 
Scoat version 1.7.3.0 per default uses the system certificate store.
Comment 6 Paul Wouters 2018-11-13 10:55:33 UTC 
This bug is addressed by ERRATA RHBA-2017:2049-03 socat bug fix update

https://errata.devel.redhat.com/advisory/26967
Note You need to log in before you can comment on or make changes to this bug.