Cloned for RHEL-5 to attach to an Issue Tracker ticket. +++ This bug was initially created as a clone of Bug #418771 +++ Description of problem: it seems that when I use "openssl s_client -connect ..." I need to explicitly specify "-CAfile /etc/pki/tls/certs/ca-bundle.crt" I was expecting that one to be used by default, but maybe my expectations are just wrong Version-Release number of selected component (if applicable): openssl-0.9.8b-17.fc8 How reproducible: always Steps to Reproduce: 1. use claws-mail 2. get a new certificate from your email server 3. be completely paranoid that a cert that claims to be signed by verisign fails verification with "unable to get local issuer certificate" 4. debug Actual results: it turns out that openssl s_client -connect mail.kolumbus.fi:993 will fail with the error above, while openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect mail.kolumbus.fi:993 tells me "Verify return code: 0 (ok)" Expected results: I would expect not to have to manually specify the system-wide default ca-bundle, and it seems claws-email has the same expectations. Additional info: -- Additional comment from tmraz on 2007-12-12 14:09 EST -- The openssl s_client case is a bug in openssl - note that openssl s_client -CApath whatevernonexistent -connect .... will work fine. But I have looked at the claws-mail sources and this bug doesn't apply there and it apparently does some certificate chain verification on its own so this bug should be cloned for claws-mail if you want to have it fixed there too. -- Additional comment from tmraz on 2007-12-13 12:21 EST -- s_client/s_server will be fixed now. But claws-mail has to be fixed on its own. -- Additional comment from pcfe on 2008-05-16 11:26 EST -- confirm this is fixed in openssl-0.9.8g-6.fc9.i686
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0181.html