Cloning to RHEL-4 to attach to an Issue Tracker ticket. +++ This bug was initially created as a clone of Bug #418771 +++ Description of problem: it seems that when I use "openssl s_client -connect ..." I need to explicitly specify "-CAfile /etc/pki/tls/certs/ca-bundle.crt" I was expecting that one to be used by default, but maybe my expectations are just wrong Version-Release number of selected component (if applicable): openssl-0.9.8b-17.fc8 How reproducible: always Steps to Reproduce: 1. use claws-mail 2. get a new certificate from your email server 3. be completely paranoid that a cert that claims to be signed by verisign fails verification with "unable to get local issuer certificate" 4. debug Actual results: it turns out that openssl s_client -connect mail.kolumbus.fi:993 will fail with the error above, while openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect mail.kolumbus.fi:993 tells me "Verify return code: 0 (ok)" Expected results: I would expect not to have to manually specify the system-wide default ca-bundle, and it seems claws-email has the same expectations. Additional info: -- Additional comment from tmraz on 2007-12-12 14:09 EST -- The openssl s_client case is a bug in openssl - note that openssl s_client -CApath whatevernonexistent -connect .... will work fine. But I have looked at the claws-mail sources and this bug doesn't apply there and it apparently does some certificate chain verification on its own so this bug should be cloned for claws-mail if you want to have it fixed there too. -- Additional comment from tmraz on 2007-12-13 12:21 EST -- s_client/s_server will be fixed now. But claws-mail has to be fixed on its own. -- Additional comment from pcfe on 2008-05-16 11:26 EST -- confirm this is fixed in openssl-0.9.8g-6.fc9.i686
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
This is fixed in Red Hat Enterprise Linux 5 Update 4 openssl package.