<p><strong>Fixing SSL CA certificates with OpenSSL from MacPorts</strong>. Ben Arblaster, <a href="http://andatche.com/">andatche.com</a>, 2012-02-10, posts tagged 'os x'.</p>
<p>If you’ve installed OpenSSL from <a href="http://www.macports.org/">MacPorts</a> (or anything that depends on it), you’ve probably come across issues with verifying SSL certificates in applications built against it.</p>
<pre>ben@spud:~$ lftp acc-xxxxx@ftp.library.gb1.brightbox.com
Fatal error: SSL_connect: unable to get local issuer certificate</pre>
<pre>
ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
</pre>
<p>That’s because MacPorts doesn’t provide a CA root certificate bundle package (such as the <code>ca-certificates</code> Ubuntu package) and in its default configuration the <code>openssl</code> package can’t talk to the OS X keychain, where the system CA certificates are kept.</p>
<p>Helpfully, the <a href="http://curl.haxx.se/">cURL</a> project provides its own CA cert bundle we can use, generated from the <a href="http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1">Mozilla root certificates</a>, and it is available in MacPorts.</p>
<p>Simply install <code>curl-ca-bundle</code>:</p>
<pre>
sudo port install curl-ca-bundle
</pre>
<p>Then symlink the bundle into <code>/opt/local/etc/openssl</code>, the default CApath for MacPorts-installed OpenSSL.</p>
<pre>
sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem
</pre>
<p><strong>EDIT:</strong> The above step is no longer necessary. MacPorts’ <code>curl-ca-bundle @7.24.0</code> now creates the symlink during installation.</p>
<p>Voilà, working CA cert verification!</p>
<pre>ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com
verify return:1</pre>
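<p>A quick way to confirm that the OpenSSL build an application links against actually has a populated bundle at its default <code>cert.pem</code> location, before debugging the application itself. This is an added example and not part of the original post; the function names are my own, and it assumes only that <code>openssl version -d</code> prints a line of the form <code>OPENSSLDIR: "/path"</code>. <code>OPENSSL_BIN</code> is a variable introduced here because on a Mac the <code>openssl</code> found on <code>PATH</code> may be the system copy rather than <code>/opt/local/bin/openssl</code>, and each build has its own <code>OPENSSLDIR</code>.</p>

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether the OpenSSL
# build that $OPENSSL_BIN belongs to has a populated CA bundle at
# OPENSSLDIR/cert.pem (for MacPorts that is /opt/local/etc/openssl/cert.pem).
# OPENSSL_BIN is an assumption of this script: it defaults to whatever
# 'openssl' is on PATH, so set it to /opt/local/bin/openssl to check MacPorts.
: "${OPENSSL_BIN:=openssl}"

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_pem_certs() {
    if [ -r "$1" ]; then
        # grep -c prints 0 and exits 1 on no match; keep the 0, drop the status.
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Extract OPENSSLDIR from 'openssl version -d', whose output looks like:
#   OPENSSLDIR: "/opt/local/etc/openssl"
openssl_dir() {
    "$OPENSSL_BIN" version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Return 0 if the bundle holds at least one certificate, 1 otherwise.
check_bundle() {
    n=$(count_pem_certs "$1")
    if [ "$n" -gt 0 ]; then
        echo "ok: $1 contains $n CA certificates"
        return 0
    fi
    echo "missing: $1 has no CA certificates; expect 'unable to get local issuer certificate'"
    return 1
}

# Stand-alone run: check the default bundle of the selected OpenSSL.
dir=$(openssl_dir)
if [ -n "$dir" ]; then
    check_bundle "$dir/cert.pem" || true
else
    echo "could not run '$OPENSSL_BIN version -d'"
fi
```

<p>Run it as <code>OPENSSL_BIN=/opt/local/bin/openssl sh check-ca-bundle.sh</code>; a result of <code>missing</code> for <code>/opt/local/etc/openssl/cert.pem</code> is exactly the state the post describes before <code>curl-ca-bundle</code> is installed.</p>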