
On Thu, 2 May 2019 at 15:23, Russell Haley <russ.haley@gmail.com> wrote:
> On Tue, Apr 30, 2019 at 10:31 PM Daurnimator <quae@daurnimator.com> wrote:
>> luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
>> to load your system's trust roots.
>
> I ran a simple test against https://www.starfishmedical.com in a FreeBSD jail here at home with no problems. I did some testing with openssl s_client at work before I left today and if I don't include -CApath in the command, the certificate fails:
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = starfishmedical.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> ...
>
>
> If I include -CApath /etc/ssl/certs, then everything works fine:
>
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -CApath /etc/ssl/certs -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = starfishmedical.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
>
> ...
>
>
> There was an old post about openssl defaulting to the openssl directory for root certificates but that was supposedly patched in ubuntu 12. I'm going to check if there is an openssl build option to include the path to certs, perhaps it's something I've done wrong when I switched to 1.1.1b.
>
> Russ

When finding CAs, OpenSSL will try to look in the directory
`getenv(X509_get_default_cert_dir_env())`,
which *should* be `"SSL_CERT_DIR"`.

If that env var does not exist, it will look in `X509_get_default_cert_dir()`,
which *should* be `OPENSSLDIR "/certs"`,
where OPENSSLDIR is usually `"/etc/ssl"`,
though you can adjust at ./configure time.

My suspicion is that at configure time you've passed a custom OPENSSLDIR.
How did you compile your OpenSSL?
What options did you pass to configure?
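The lookup order described above, reproduced as a small shell diagnostic (an added example, not code from either poster or from luaossl/lua-http). It assumes `openssl version -d` prints the compiled-in OPENSSLDIR and that the cert directory must contain `c_rehash`-style hashed links (`<8 hex chars>.0`, `.1`, ...) for `X509_STORE_set_default_paths` or `-CApath` to find an issuer.

```shell
#!/bin/sh
# Added diagnostic: which directory will OpenSSL consult for trust roots,
# and does that directory actually contain hashed CA links?

# Argument 1: the OPENSSLDIR compiled into the library (what
# `openssl version -d` prints, e.g. "/etc/ssl"). Prints the chosen dir.
resolve_cert_dir() {
    openssldir=$1
    # X509_get_default_cert_dir_env() is "SSL_CERT_DIR"; it wins when set.
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
    else
        # Otherwise X509_get_default_cert_dir() is OPENSSLDIR "/certs".
        printf '%s/certs\n' "$openssldir"
    fi
}

# Count hashed entries (8 hex chars, a dot, a digit) in a cert directory.
# A directory of plain .pem/.crt files with no hashed names still yields
# "verify error:num=20:unable to get local issuer certificate".
count_hashed_certs() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return; }
    n=0
    for f in "$dir"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Stand-alone usage: ask the installed openssl for its OPENSSLDIR and report.
if command -v openssl >/dev/null 2>&1; then
    openssldir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    dir=$(resolve_cert_dir "$openssldir")
    echo "OPENSSLDIR=$openssldir  cert dir in use=$dir  hashed entries=$(count_hashed_certs "$dir")"
fi
```

A build with a custom OPENSSLDIR shows up immediately as a `cert dir in use` that is not `/etc/ssl/certs`; zero hashed entries means the directory exists but was never run through `c_rehash`.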