ubuntu - Can't verify CA certificate unless CApath or CAfile used


I'm having trouble having OpenSSL connect to a server because of trust issues. I placed the CA certificate in /etc/ssl/certs/, have run sudo c_rehash, and can see that the correct file has been made. I can also see the CA certificate in ca-certificates.crt. If I run:

openssl s_client -connect servername.domain.com:636

the command fails with verify return code: 21 (unable to verify the first certificate)

If I do:

openssl s_client -connect servername.domain.com:636 -capath /etc/ssl/certs/

I get verify return code: 0 (ok)

What can I do so that I don't have to specify capath?

I'm using Ubuntu 13.04.

openssl connect to a server because of trust issues.

Unlike browsers, which trust anybody, OpenSSL trusts nothing by default.

It's up to you to determine what should be trusted. You have to specify it when using openssl and s_client.

If you are working programmatically with the OpenSSL API, you have more options. It appears this is related to using the openssl commands.

What can I do so that I don't have to specify capath?

You can use CAfile. It avoids the rehash, and creates a 1:1 mapping of trust for the domain. That is, you trust one issuer for the domain in question. If another issuer claims to be the issuer, you won't trust that issuer or the server.

You can see how to extract the needed info with OpenSSL's s_client and use CAfile at How to grab an SSL certificate in OpenSSL.

When using the certificates present in CApath, you trust the issuer, even if it is not the real issuer. This has happened in the past, and it's bad.

The corner case is a bad guy who compromises a CA you trust and issues phony certificates for the domain. This has happened in the past too, and it's bad.

In the two negative cases above, you can forgo conferring trust to DNS and CAs and use a security diversification technique like certificate or public key pinning. If there's a pre-existing relationship between you and the site, then you know the expected public key of the server. In that case, there's no need to trust a CA.
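The three trust decisions the answer describes (default store, a single-issuer CAfile, and public key pinning), as an added runnable example that is not part of the original answer. It builds a throwaway CA and leaf certificate in a temp directory with the openssl CLI; `openssl verify` stands in for s_client so no live server is needed, and the hostname and CA name are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Needs only the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed throwaway CA (names are placeholders). Extensions are given
# explicitly so the result does not depend on the local openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj '/CN=Example Lab CA' 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -extfile ca.ext -days 1 \
    -out ca.pem 2>/dev/null
# Leaf certificate for the server, issued by that CA.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj '/CN=servername.domain.com' 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out srv.pem 2>/dev/null

# 1. Default store only: our CA is not in it, so nothing is trusted and the
#    chain cannot be built (the same class of failure as return code 21).
verify_default() { openssl verify srv.pem 2>&1 | grep -q 'srv.pem: OK'; }
# 2. -CAfile with exactly one issuer: a 1:1 trust mapping, no c_rehash needed.
verify_with_cafile() { openssl verify -CAfile ca.pem srv.pem 2>&1 | grep -q 'srv.pem: OK'; }
# 3. Public key pinning: SHA-256 over the leaf's SubjectPublicKeyInfo (DER),
#    compared against a pin known from a pre-existing relationship. No CA
#    is consulted at all, so a mis-issued certificate from any CA fails here.
pin_of_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}
pin_matches() { [ "$(pin_of_cert "$1")" = "$2" ]; }
# The "known" pin, derived here out of band from the server's own key.
EXPECTED_PIN=$(openssl pkey -in srv.key -pubout -outform DER \
    | openssl dgst -sha256 -binary | openssl base64)

verify_default     && echo 'default store: OK' || echo 'default store: verify failed'
verify_with_cafile && echo '-CAfile ca.pem: OK' || echo '-CAfile ca.pem: verify failed'
pin_matches srv.pem "$EXPECTED_PIN" && echo 'pin: match' || echo 'pin: MISMATCH'
```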

