System wide setting for OpenSSL CAfile / system certificates?

Peter Wood peter at alastria.net
Sun Apr 17 08:43:39 PDT 2005


Good Afternoon,

I've spent the past three hours playing with openssl.cnf and surfing 
google, and so far I've been unable to find an answer to this question.

So I thought I'd ask here :). The background is that I've finally got 
around to getting a wildcard SSL certificate for my personal server, all 
daemons are using this, Firefox/IE/Thunderbird are all happy with the 
certificate and see it signed by ChainedSSL signed by Equifax and all is 
good.

However, when I use the FreeBSD server to connect to itself, in 
several programs I get asked to confirm the certificate. So I assumed 
this was because there was no central root certificate store.

So I installed security/ca-roots from ports, and that put the certs.pem 
file in /usr/local/share/certs and a symlink to it in /etc. However, as I 
found, this simply installs it.

Using openssl s_client I was able to run some tests; if I didn't provide 
a cafile then I got the following.

[nebula:~]# openssl s_client -connect localhost:imaps
CONNECTED(00000003)
depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
  0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
    i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
  1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
    i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
---

If I provided a cafile, all was good and I got this:

[nebula:~]# openssl s_client -connect localhost:imaps -CAfile /etc/ssl/cert.pem
CONNECTED(00000003)
depth=2 /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
verify return:1
depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
verify return:1
depth=0 /C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
verify return:1
---
Certificate chain
  0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
    i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
  1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
    i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
---

I have tried various settings in openssl.cnf, but I cannot get CAfile 
to be defaulted to anything. My basic question is: can I do this, and if 
so, how?

I'm expecting once this works (maybe stupidly) for it to propagate down 
to applications that use the openssl library. Although for some programs 
(like Mutt) I'll be required to set a property to allow mutt to trust 
the system certs (ssl_usesystemcerts).

I hope someone out there knows; I've been playing and running truss and 
all sorts for the past three hours trying to get this to work.

Any advice would be greatly appreciated.

Cheers,

Pete.
-- 
Peter Wood BSc (Hons) :: <peter at alastria.net> :: Tel +44 7974 799440
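The following script is an added example, not code from Peter's post and not part of FreeBSD, the ca-roots port or OpenSSL. It rebuilds the situation in the two s_client runs above with a throwaway three-level chain and runs openssl verify three ways: with no trust anchor given (verify error 20, "unable to get local issuer certificate", as in the first run), with an explicit -CAfile (as in the second run), and with the SSL_CERT_FILE environment variable, which is what OpenSSL consults for the default CAfile when no -CAfile is passed. With nothing set, the default file is cert.pem under the directory printed by openssl version -d (OPENSSLDIR), and the default directory is certs under it; the SSL_CERT_FILE and SSL_CERT_DIR variables override those per process. Note that a linked application only sees that default store if it calls SSL_CTX_set_default_verify_paths() or an API that does so for it, which is why programs such as Mutt need their own switch. Assumptions: the openssl command is on PATH; the scratch directory, the demo.cnf contents and the names Demo Root CA, Demo Intermediate CA and demo.example are constructed for this demo.

```sh
#!/bin/sh
# Added example (not from the original post). Builds a constructed
# root -> intermediate -> leaf chain and checks which trust anchors
# `openssl verify` can see: none, an explicit -CAfile, or SSL_CERT_FILE.

demo_dir=${DEMO_DIR:-$(mktemp -d)}   # constructed scratch location

# Minimal openssl.cnf for the demo so it does not depend on the system config.
write_config() {
    cat > "$demo_dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
CN = Demo Root CA
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ int_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.example
authorityKeyIdentifier = keyid
EOF
}

# Create root.pem, int.pem and leaf.pem in $demo_dir; non-zero on any failure.
make_chain() {
    write_config || return 1
    (
        cd "$demo_dir" || exit 1
        openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -sha256 -days 1 \
            -keyout root.key -out root.pem >/dev/null 2>&1 || exit 1
        # The intermediate must carry basicConstraints CA:TRUE; otherwise
        # OpenSSL refuses to use it as an issuer even with a valid signature.
        openssl req -new -config demo.cnf -subj "/CN=Demo Intermediate CA" \
            -newkey rsa:2048 -nodes -keyout int.key -out int.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 1 -sha256 -extfile demo.cnf -extensions int_ext -out int.pem >/dev/null 2>&1 || exit 1
        openssl req -new -config demo.cnf -subj "/CN=demo.example" \
            -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -days 1 -sha256 -extfile demo.cnf -extensions leaf_ext -out leaf.pem >/dev/null 2>&1 || exit 1
    )
}

# Verify the leaf, handing over the intermediate as untrusted (as a server
# would send it) plus whatever trust-anchor options the caller passes.
# Succeeds only when OpenSSL prints ": OK"; exit codes differ between versions.
verify_leaf() {
    openssl verify "$@" -untrusted "$demo_dir/int.pem" "$demo_dir/leaf.pem" 2>&1 \
        | grep -q ': OK$'
}

# Same check, but the anchor comes from the environment: SSL_CERT_FILE
# replaces the default CAfile for this one process, with no -CAfile given.
verify_leaf_via_env() {
    SSL_CERT_FILE="$1" openssl verify -untrusted "$demo_dir/int.pem" "$demo_dir/leaf.pem" 2>&1 \
        | grep -q ': OK$'
}

# Numeric X509 verify error of a failed run (20 = unable to get local issuer
# certificate, the "num=20" in the post). Prints nothing on success.
verify_error_code() {
    openssl verify "$@" -untrusted "$demo_dir/int.pem" "$demo_dir/leaf.pem" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Where this OpenSSL build looks when no -CAfile/-CApath is given:
# OPENSSLDIR/cert.pem and OPENSSLDIR/certs unless the variables override them.
show_default_locations() {
    openssl version -d
    echo "SSL_CERT_FILE=${SSL_CERT_FILE:-(unset)}"
    echo "SSL_CERT_DIR=${SSL_CERT_DIR:-(unset)}"
}

if [ "${1:-}" = "run" ]; then
    make_chain || { echo "chain generation failed" >&2; exit 1; }
    show_default_locations
    printf 'no anchor given:   '; verify_leaf && echo OK || echo "fails (error $(verify_error_code))"
    printf 'explicit -CAfile:  '; verify_leaf -CAfile "$demo_dir/root.pem" && echo OK || echo fails
    printf 'via SSL_CERT_FILE: '; verify_leaf_via_env "$demo_dir/root.pem" && echo OK || echo fails
fi
```

Run it as sh cafile-demo.sh run. The first line of output is the OPENSSLDIR the build was compiled with; a cert.pem placed anywhere else (such as a symlink in /etc when OPENSSLDIR is /etc/ssl or /usr/local/openssl) is simply not found, which is the first thing to check when s_client reports error 20 without -CAfile. The third case is the system-wide mechanism the question asks for: the file named by SSL_CERT_FILE, or OPENSSLDIR/cert.pem when it is unset, becomes a trust anchor for every process that loads the default verify paths, so it deserves the same change control as any other root store.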


More information about the freebsd-questions mailing list