From openssl 1.0.1-4ubuntu5.12 (I hope I traced the chain of functions correctly):
apps/s_client.c:
--------------------------------------------------------------------------------
    if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx)))
        {
        /* BIO_printf(bio_err,"error setting default verify locations\n"); */
        ERR_print_errors(bio_err);
        /* goto end; */
        }
--------------------------------------------------------------------------------
(CAfile and CApath are the command line option values (NULL if not given).)

ssl/ssl_lib.c:
--------------------------------------------------------------------------------
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
    const char *CApath)
    {
    return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
    }
--------------------------------------------------------------------------------

crypto/x509/x509_d2.c:
--------------------------------------------------------------------------------
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
    const char *path)
    {
    X509_LOOKUP *lookup;

    if (file != NULL)
        {
        lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
        if (lookup == NULL) return(0);
        if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
            return(0);
        }
    if (path != NULL)
        {
        lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
        if (lookup == NULL) return(0);
        if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
            return(0);
        }
    if ((path == NULL) && (file == NULL))
        return(0);
    return(1);
    }
--------------------------------------------------------------------------------

I think the problem is that (path == NULL) && (file == NULL) is treated as an error. That causes the s_client code to abort before it calls SSL_CTX_set_default_verify_paths. If (file != NULL) or (path != NULL) and no other errors are produced, SSL_CTX_set_default_verify_paths will get called. That's why we observe that "-CApath /nonsense" adds the default path.
Additionally, loading an arbitrary CA file will work too:

    openssl s_client -quiet -CAfile /etc/ssl/certs/Visa_eCommerce_Root.pem -connect google.com:443

It seems strange that default locations are loaded even when -CAfile or -CApath is given, so in my opinion SSL_CTX_set_default_verify_paths should only be called when (CAfile == NULL) && (CApath == NULL).

--
https://bugs.launchpad.net/bugs/396818

Title: openssl s_client behaves strangely without CAPath
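The policy argued for in the comment above (fall back to the default verify paths only when neither -CAfile nor -CApath was given, and never silently widen an explicitly chosen trust store), written as an added example that is not part of the bug report or of OpenSSL's code. It uses Python's ssl module, whose SSLContext.load_verify_locations and set_default_verify_paths wrap the same SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths calls discussed above; the function names and the temporary empty directory are assumptions of this example, and nothing here connects to a network.

```python
import ssl
import tempfile

# Added example (hypothetical helper names, not OpenSSL or s_client code).
# Python's ssl module maps onto the OpenSSL calls quoted in the bug report:
#   SSLContext.load_verify_locations   -> SSL_CTX_load_verify_locations
#   SSLContext.set_default_verify_paths -> SSL_CTX_set_default_verify_paths


def build_verify_context(cafile=None, capath=None, also_defaults=False):
    """Build a verifying client context with the policy the report proposes.

    An explicit CAfile/CApath is the whole trust store unless the caller
    asks for the system defaults on top (also_defaults=True, which is what
    the s_client code in the report does by accident). With neither given,
    fall back to the default verify paths.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is None and capath is None:
        ctx.set_default_verify_paths()
    else:
        # Raises instead of returning 0, but it is the same OpenSSL call.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
        if also_defaults:
            ctx.set_default_verify_paths()
    return ctx


def trusted_cert_count(ctx):
    """Number of CA certificates currently loaded into the context's store.
    Certificates from a hash directory are loaded lazily, so this counts
    eagerly loaded file certificates only."""
    return ctx.cert_store_stats()["x509"]


def load_outcome(cafile=None, capath=None):
    """Classify what SSL_CTX_load_verify_locations does for a given pair,
    mirroring the X509_STORE_load_locations branches in the report:
    both NULL -> failure; a file that cannot be read -> failure; else ok."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    except TypeError:
        # Python's wrapper rejects cafile=None, capath=None up front, the
        # same (NULL, NULL) case that makes the C function return 0.
        return "all-omitted"
    except FileNotFoundError:
        # X509_LOOKUP_load_file failed on the CAfile.
        return "missing-file"
    return "ok"


def empty_capath_trust_count():
    """An explicit CApath pointing at an empty directory (a constructed,
    temporary one here) yields a store with nothing in it: no defaults
    sneak in when the policy above is followed."""
    with tempfile.TemporaryDirectory() as capath:
        ctx = build_verify_context(capath=capath)
        return trusted_cert_count(ctx)


if __name__ == "__main__":
    print("(None, None)      ->", load_outcome())
    print("missing CAfile    ->", load_outcome(cafile="/does/not/exist.pem"))
    print("empty CApath only ->", empty_capath_trust_count(), "trusted certs")
```

The point of `build_verify_context` is the ordering: the defaults are added only in the branch where no explicit location was supplied, so a caller who passes a single root such as the Visa_eCommerce_Root.pem example gets a store that trusts that root alone, rather than that root plus every system CA.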