Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-15 Thread 杨俊
Hi Jakob & Michael & openssler,

OpenSSL works well now.
I just used the date command to reset my system time.
And then it returns the OK value now.
Although I didn't try it in the latest openssl 1.1.0c.
In my embedded linux device, I didn't initialize the time. And there is no
RTC.
This issue can be closed.

Thank you for all
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-15 Thread 杨俊
Hi Jakob & Michael & opensslers,

I'm sorry to ask a stupid question.
I found that when I used openssl 1.0.1f, it gave this error log:
--log--
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert.pem
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=9:certificate is not yet valid
///new error
notBefore=Sep 30 21:12:19 2000 GMT
verify return:0
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3148 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
FD6ABFB426CC33309DBEA4078A4D24A07D5A80A5093AB771504CEBEFDE022706
Session-ID-ctx:
Master-Key:
49725D111EC25DD193FB59E485CE32D5E0F3AD6E3269FF6617B2BC4E44ED7E4CCDDC6B05D799B69EA0FF6D974C54EBDE
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 2002
 /// time 2002
Timeout   : 300 (sec)
Verify return code: 9 (certificate is not yet valid)
---
closed
-
Is this error caused by the system clock of my platform?
Actually, I didn't do anything to synchronize time on my platform (no NTP).
Could this be the reason for my first issue and this issue?
I'm trying to do NTP now.

Thanks


Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-15 Thread 杨俊
 Hi Michael & opensslers,

> So: either there's more than one certificate in cacert-2016-11-02.pem, or
> OpenSSL on the PC is searching its default CA certificate directory in
> addition to cacert-2016-11-02.pem. Since we don't know what's actually in
> cacert-2016-11-02.pem, we can't provide much further help.

It seems there are many certificates in the cacert-2016-11-02.pem. A lot.
-cacert-2016-11-02.pem

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

GlobalSign Root CA - R2
=======================
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----

Verisign Class 3 Public Primary Certification Authority - G3
============================================================
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Entrust.net Premium 2048 Secure Server CA
=========================================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Baltimore CyberTrust Root
=========================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

..so on...

--


> Note that if there are multiple certificates in cacert-2016-11-02.pem,
> you'll have to split them up into separate files and create the correct
> hash link for each one, if you want to use a certificate directory.

Should I need to do this? >"<
Because other people (on the internet) who used this pem file had no problem.
They didn't separate it. And there are so many certificates.
And is this step right?
1. /tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
 5ad8a5d6
 SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
2. /etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
I will split them like this later.

> Did you actually capture that, or did you retype it? Because it's not
> valid openssl x509 output. Note that it doesn't match what you reported
> from the PC:
In the platform, the openssl version is 1.1.0c.
And in my PC, the openssl version is 1.0.1f.
Today, I have rebuilt openssl 1.0.1f for my platform again.
Although it was still NG.
And the log is the same as the PC now:
/tmp # ./openssl x509 -subject -noout -in /home/georgeyang/workspace/speech_code/openssl/final/openssl/certs/cacert-2016-11-02.pem
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/tmp #

Thank you very much


Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 杨俊
> Sent: Wednesday, December 14, 2016 07:53

> I get the log from the embedded linux device and my PC.
> Sorry, I don't get the deference in the platform, but there is some deference 
> between the platform and PC.

(You want "difference" there, not "deference". Just another of English's many 
homonyms and orthographic peculiarities.)

I just did a quick check, and it appears curl.haxx.se sends two certificates: 
the server certificate (signed by Let's Encrypt) and an intermediate (signed by 
Digital Signature Trust).

On the PC, s_client shows a chain of three certificates, ending in the DST 
root. That means OpenSSL found that root certificate somewhere - it didn't get 
it from the server, and it's not the first certificate in cacert-2016-11-02.pem.

So: either there's more than one certificate in cacert-2016-11-02.pem, or 
OpenSSL on the PC is searching its default CA certificate directory in addition 
to cacert-2016-11-02.pem. Since we don't know what's actually in 
cacert-2016-11-02.pem, we can't provide much further help.

Note that if there are multiple certificates in cacert-2016-11-02.pem, you'll 
have to split them up into separate files and create the correct hash link for 
each one, if you want to use a certificate directory.


Also, there's this from your previous note:

> /tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem 
> subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

Did you actually capture that, or did you retype it? Because it's not valid 
openssl x509 output. Note that it doesn't match what you reported from the PC:

> subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Michael Wojcik 
Distinguished Engineer, Micro Focus 




Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread 杨俊
Hi Jakob & openssl-er,

> Just to be sure (sometimes OpenSSL checks its default -CApath even
> if you specify a -CAfile) try this command on the development machine:

> openssl x509 -subject -noout -in cacert.pem

> Compare to the deepest value from the screenshot above.


I get the log from the embedded linux device and my PC.
Sorry, I don't get the deference in the platform, but there is some
deference between the platform and PC.
Does this help?

--from embedded platform NG log--
/tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem
CONNECTED(0003)
depth=0 CN = anja.haxx.se
 //always depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
AB3322B63747715342DB68B4D18C27F98CF84D4A0E2711719E8B96FA5DA5C1FD
Session-ID-ctx:
Master-Key:
240CC5C33C7185E49C74076133DF385AB0282A3C68D6D6DC3CB74D0DB845E4242F61DA09A28B544CB5B1D39FA839E6AD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
.
Start Time: 39804
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed
/tmp #


--from PC ok log--
georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$
openssl x509 -subject -noout -in cacert-2016-11-02.pem
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$
openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
   //depth 0,1,2//
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = anja.haxx.se
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3148 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
5640820B2C49B9B2E68563DFDFC7303BE01DE69E7EB4C6C833B4F7872CD173E5
Session-ID-ctx:
Master-Key:
48783D2D0E03CE5EACB7AF2577E0E2AFE4F056B191BFB2641D08E602C54BF651B9C195DCFBD2AECC2092B035848B005B
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
 ---
Start Time: 1481718602
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
closed
georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$



thank you for your help.
Thanks a lot.


Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread Jakob Bohm

On 14/12/2016 09:42, 杨俊 wrote:

Hi openssl-er,

> Does cacert.pem contain the CA certificate that issued the certificate for
> https://curl.haxx.se  ?

I think the cacert.pem is right. Because, I can get the ok result in 
my PC by this command:


> If your embedded file system does not support symlinks, you can instead
> rename the PEM files to the names of the symlinks that c_rehash generates
> on a more full-blown development computer.


Just to be sure (sometimes OpenSSL checks its default -CApath even
if you specify a -CAfile) try this command on the development machine:

openssl x509 -subject -noout -in cacert.pem

Compare to the deepest value from the screenshot above.


I don't know if my way is right. I do it like this:


1. In my device, I can't use the c_rehash. It said no perl. I input 
the command like this:
/tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6
SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C


2. input command:
/etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0

/etc/ssl/certs # ls -l
total 511
lrwxrwxrwx    1 root     root            88 Jan  1 06:53 5ad8a5d6.0 -> /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem


Is this right?

3. the result is still NG
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/

CONNECTED(0003)
depth=0 CN = anja.haxx.se 
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se 
verify error:num=21:unable to verify the first certificate
verify return:1
---

4. NG again
CONNECTED(0003)
depth=0 CN = anja.haxx.se 
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se 
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se 
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
---
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se 
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 
3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C

Session-ID-ctx:
Master-Key: 
61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611

PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
---

Start Time: 24915
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread 杨俊
Hi Jakob & openssl-er,

1. My cross compile command is:
---

#export CROSSCOMP_DIR=/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin

#export INSTALL_DIR=/home/georgeyang/workspace/speech_code/openssl

#./Configure -DOPENSSL_NO_HEARTBEATS linux-generic32 shared --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl/final --cross-compile-prefix=$CROSSCOMP_DIR/arm-hisiv400-linux-gnueabi-

make

make install


2. This is my openssl's details.
--
/tmp # ./openssl version -a
OpenSSL 1.1.0c  10 Nov 2016
built on: reproducible build, date unspecified
platform: linux-generic32
compiler:
/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin/arm-hisiv400-linux-gnueabi-gcc
-DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS
-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS
-DOPENSSLDIR="\"/home/georgeyang/workspace/speech_code/openssl/openssl/final\""
-DENGINESDIR="\"/home/georgeyang/workspace/speech_code/openssl/lib/engines-1.1\""
OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"
ENGINESDIR: "/home/georgeyang/workspace/speech_code/openssl/lib/engines-1.1"
/tmp #

Is there something wrong in my parameters?


Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread 杨俊
Hi openssl-er,

> Does cacert.pem contain the CA certificate that issued the certificate for
> https://curl.haxx.se ?

I think the cacert.pem is right. Because, I can get the ok result in my PC
by this command:

> If your embedded file system does not support symlinks, you can instead
> rename the PEM files to the names of the symlinks that c_rehash generates
> on a more full-blown development computer.

I don't know if my way is right. I do it like this:


1. In my device, I can't use the c_rehash. It said no perl. I input the
command like this:
/tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6
SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C

2. input command:
/etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
/etc/ssl/certs # ls -l
total 511
lrwxrwxrwx    1 root     root            88 Jan  1 06:53 5ad8a5d6.0 -> /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem

Is this right?

3. the result is still NG
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---

4. NG again
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
---
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C
Session-ID-ctx:
Master-Key:
61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
---

Start Time: 24915
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed

Thank you :-(


Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-13 Thread Jakob Bohm


On 14/12/2016 08:30, 杨俊 wrote:

Hi openssl-er,

I'm newbie in the openssl.
Recently, I ported the openssl to my embedded linux device and ran the 
openssl command.

But an error occurred.
I had googled a lot, but I didn't find the answer.
My issue is strange; my test steps are like below:
1. copy the openssl, libs, cacert.pem to the embedded linux platform.


Does cacert.pem contain the CA certificate that issued the certificate for
https://curl.haxx.se ?

In general, the argument to -CAfile should be the concatenation of the PEM
format CA root certificates that your embedded platform wants to trust as
issuing trustworthy certificates for servers you will connect to.

Alternatively, the argument to -CApath should point to a directory
(traditionally named "/etc/ssl/certs") containing:

  One PEM file with each such trusted CA certificate
  The symlinks generated by the c_rehash script (these map simple checksums
of the certificate names to the file names containing CA certificates
with names with those checksums, this reduces memory consumption but
increases disk read operations).

If your embedded file system does not support symlinks, you can instead
rename the PEM files to the names of the symlinks that c_rehash generates
on a more full-blown development computer.


2. run the command:
/tmp #:./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem


3. the error log is
--log 
CONNECTED(0003)
depth=0 CN = anja.haxx.se 
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se 
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se 
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
--

4. my openssl version -d and version is
/tmp # ./openssl version
OpenSSL 1.1.0c  10 Nov 2016
/tmp # ./openssl version -d
OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"

5. In my PC, I found this command worked well. It could return the ok value.

Although the openssl version is 1.0.1f.
So I think my cacert.pem is right.

6. I also used other command like:
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert.pem
/tmp # ./openssl s_client -CApath /home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect curl.haxx.se:443
/tmp # ./openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se -key /etc/ssl/private/ssl-cert-snakeoil.key -CAfile /etc/ssl/certs/cacert.pem

But they are all NG.

In google, they all said -CAfile or -CApath could help, But it doesn't 
work for me. >"<

Please help





Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
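Jakob's -CApath layout above and Michael's note that a multi-certificate bundle has to be split into one hash-named file per certificate, carried out as an added example that is not code from the thread or from OpenSSL: a perl-free sh stand-in for c_rehash that splits a PEM bundle such as cacert-2016-11-02.pem into per-certificate plain files named by subject hash (no symlinks needed), plus the clock check the thread's last message turned out to need. Assumes a POSIX sh, awk and an openssl binary on the device; the function names and the cert-NNNN.pem interim naming are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: a perl-free
# stand-in for c_rehash for a target where c_rehash cannot run.
# Assumes a POSIX sh, awk and an openssl binary on the device.
set -e

# split_pem_bundle BUNDLE OUTDIR: write one cert-NNNN.pem per certificate in
# BUNDLE (e.g. cacert-2016-11-02.pem) into OUTDIR and print the count.
# Only BEGIN..END CERTIFICATE blocks are kept; the bundle's comment lines
# ("GlobalSign Root CA", "=====" underlines) are dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; f = sprintf("%s/cert-%04d.pem", dir, n); inblk = 1
        }
        inblk { print > f }
        /^-----END CERTIFICATE-----/ { inblk = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# rehash_dir DIR: rename every cert-*.pem in DIR to <hash>.<n>, the layout
# -CApath looks up. <hash> is `openssl x509 -hash`, the same value c_rehash
# puts in its symlink names; <n> separates certificates whose subjects hash
# to the same value. Plain files are used, so no symlink support is needed.
# Prints how many hash-named files DIR now holds.
rehash_dir() {
    dir=$1
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -hash -noout -in "$f")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        mv "$f" "$dir/$h.$n"
    done
    ls "$dir" | grep -c '^[0-9a-f]\{8\}\.[0-9]\{1,\}$' || true
}

# clock_is_sane: the thread's final root cause was an unset clock (no RTC),
# which makes every certificate "not yet valid" (verify error 9). Refuse to
# trust a verification result from a clock older than a known-good epoch;
# 1481718602 is the "Start Time" of the working PC session in the thread.
clock_is_sane() {
    [ "$(date +%s)" -ge 1481718602 ]
}

# Typical use on the device (paths from the thread):
#   split_pem_bundle /tmp/cacert-2016-11-02.pem /etc/ssl/certs
#   rehash_dir /etc/ssl/certs
#   clock_is_sane && ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
```

Certificates with identical subjects land in the same hash with `.0`, `.1`, ... suffixes, which is exactly what OpenSSL's directory lookup iterates over.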
