[Juser] Re: Maddening with SSL certificates

Jonathan Siegle jsiegle at psu.edu
Wed May 9 07:11:30 CDT 2007


Noiano said the following on 5/8/07 5:54 PM:
>> Try doing:
>> $ openssl version -d
>> OPENSSLDIR: "/usr/lib/ssl"
>> $ ls -lt /usr/lib/ssl
>> total 8
>> lrwxrwxrwx 1 root root   14 2007-03-19 08:56 certs -> /etc/ssl/certs
>> drwxr-xr-x 2 root root 4096 2007-03-19 08:56 misc
>> lrwxrwxrwx 1 root root   20 2007-03-19 08:56 openssl.cnf -> /etc/ssl/openssl.cnf
>> lrwxrwxrwx 1 root root   16 2007-03-19 08:56 private -> /etc/ssl/private
>> drwxr-xr-x 2 root root 4096 2007-03-16 13:27 engines
>>
>> Look at where certs points. If it is pointing to /etc/ssl/certs, verify
>> that the hash was made for the certificate. If no hash was made, look
>> for problems with that.
>>
>> -Jonathan
>>
> The certificate is correctly hashed as far as I can see
>> Starcom.pem => cb796bc1.0
> 
> But I still get the error
> 
>> Verify return code: 19 (self signed certificate in certificate chain)
> 
> Need some more help please!
> 
> Thanks for your patience!
> 

Thanks for your patience too. Turns out that openssl s_client does not 
have a default CApath. I don't see an environment variable you can set 
either. There are variables you can set for openssl verify, but that is 
not the issue. So for openssl s_client, you must type:

$ openssl s_client -connect jabber.org:5223 -CApath /etc/ssl/certs/
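The hashed-directory lookup discussed in this thread, as an added example that is not part of the original messages: a certificate sitting in a CApath directory is only found once its `<subject hash>.0` link exists, and only when the tool is actually pointed at that directory. It uses `openssl verify -CApath` as an offline stand-in for `openssl s_client -CApath`; the throwaway CA, the temp directory and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway CA in a temp dir; nothing under /etc/ssl is touched.

# Generate a self-signed certificate (constructed demo data) into $1/certs.
make_demo_ca() {
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/certs/demo-ca.pem" 2>/dev/null
}

# Print the file name OpenSSL looks up in a CApath directory: <subject hash>.0
# (the same form as the cb796bc1.0 link quoted in the thread).
hash_link_name() {
    echo "$(openssl x509 -noout -hash -in "$1").0"
}

# Create the hash symlink next to the certificate, as c_rehash does per file.
rehash_one() {
    dir=$(dirname "$1"); file=$(basename "$1")
    ln -sf "$file" "$dir/$(hash_link_name "$1")"
}

# Return 0 only if the certificate in $2 is found as trusted via directory $1.
trusted_via_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_demo_ca "$d"
    cert="$d/certs/demo-ca.pem"

    # PEM file is present, but no hash link yet: the lookup misses it.
    if trusted_via_capath "$d/certs" "$cert"; then echo "no link:   trusted"
    else echo "no link:   NOT trusted"; fi

    rehash_one "$cert"
    echo "link made: $(hash_link_name "$cert") -> demo-ca.pem"

    # Same directory, now with the hash link: the lookup succeeds.
    if trusted_via_capath "$d/certs" "$cert"; then echo "with link: trusted"
    else echo "with link: NOT trusted"; fi
    rm -rf "$d"
}

demo
```
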



