Red Hat Bugzilla – Bug 450987
should /etc/pki/tls/certs/ca-bundle.crt not be the default one used?
Last modified: 2010-10-22 21:52:16 EDT
Cloned for RHEL-5 to attach to an Issue Tracker ticket.
+++ This bug was initially created as a clone of Bug #418771 +++
Description of problem:
it seems that when I use "openssl s_client -connect ..." I need to explicitly
specify "-CAfile /etc/pki/tls/certs/ca-bundle.crt"
I was expecting that one to be used by default, but maybe my expectations are
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. use claws-mail
2. get a new certificate from your email server
3. be completely paranoid that a cert that claims to be signed by verisign
verification with "unable to get local issuer certificate"
it turns out that
openssl s_client -connect mail.kolumbus.fi:993
will fail with the error above, while
openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect
tells me "Verify return code: 0 (ok)"
I would expect not to have to manually specify the system-wide default
ca-bundle, and it seems claws-email has the same expectations.
-- Additional comment from email@example.com on 2007-12-12 14:09 EST --
The openssl s_client case is a bug in openssl - note that openssl s_client
-CApath whatevernonexistent -connect .... will work fine.
But I have looked at the claws-mail sources and this bug doesn't apply there
it apparently does some certificate chain verification on its own so this bug
should be cloned for claws-mail if you want to have it fixed there too.
-- Additional comment from firstname.lastname@example.org on 2007-12-13 12:21 EST --
s_client/s_server will be fixed now. But claws-mail has to be fixed on its
-- Additional comment from email@example.com on 2008-05-16 11:26 EST --
confirm this is fixed in openssl-0.9.8g-6.fc9.i686
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.