andatche.com

Fixing SSL CA certificates with OpenSSL from MacPorts

If you’ve installed OpenSSL from MacPorts (or anything that depends on it), you’ve probably come across issues with verifying SSL certificates in applications built against it.

ben@spud:~$ lftp acc-xxxxx@ftp.library.gb1.brightbox.com
Fatal error: SSL_connect: unable to get local issuer certificate
ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0

That’s because MacPorts doesn’t provide a CA root certificate bundle package (such as the ca-certificates Ubuntu package) and in its default configuration the openssl package can’t talk to the OS X keychain, where the system CA certificates are kept.

Helpfully, the cURL project provides it’s own CA cert bundle we can use, generated from the mozilla root certificates, which is available in macports.

Simply install curl-ca-bundle

sudo port install curl-ca-bundle

Then symlink the bundle into /opt/local/etc/openssl, the default CApath for MacPorts-installed OpenSSL.

sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem

EDIT: As one commenter noted, the above step is no longer necessary. MacPorts’ curl-ca-bundle @7.24.0 now creates the symlink during installation.

Voilà, working CA cert verification!

ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com
verify return:1