Opened 13 years ago

Last modified 11 years ago

#29970 closed defect

openssl: default CApath not honored for tools built against openssl — at Initial Version

Reported by: dj_mook@… Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 1.9.2
Keywords: Cc:
Port: openssl

Description

If I install a certificate or certificate bundle to /opt/local/etc/openssl/certs and use c_rehash to generate the hashed symbolic link, openssl and tools linked against it (i.e., wget) do not use the certificate.

The only way to get it to see the certificate is to append it to the cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in that file are honored.

To test this I do the following:

  • rename /opt/local/etc/openssl/cert.pem so it is not interfering with the test.
  • install Google's cert chain (www.google.com, Thawte, VeriSign) to /opt/local/etc/openssl/certs/
  • run /opt/local/bin/c_rehash to install the hashed links to the certs
  • run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect www.google.com:443 and succeed
  • run wget -O - https://www.google.com and fail with:

ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA”:

Unable to locally verify the issuer’s authority.

Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up encrypted.google.com
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
Alert!: Unable to make secure connection to remote host.

lynx: Can't access startfile https://www.google.com/

  • if the certificates are appended to /opt/local/etc/openssl/cert.pem then wget and lynx requests to https://www.google.com work

This issue affects all tools built against openssl.
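The distinction the ticket turns on (a hashed CApath directory versus a single cert.pem CAfile) can be reproduced offline. The script below is an added example, not part of the ticket or of MacPorts: it builds a throw-away CA, shows what c_rehash does for one file, and verifies a leaf through each lookup method. It assumes an `openssl` binary on PATH (1.0 or later, which uses `-subject_hash` naming); all certificates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the ticket): CApath vs CAfile lookup with a constructed CA.
set -e
WORK=$(mktemp -d); CERTS="$WORK/certs"; UNHASHED="$WORK/unhashed"
mkdir -p "$CERTS" "$UNHASHED"
CA="$WORK/ca.pem"; LEAF="$WORK/leaf.pem"

# Where this libcrypto looks by default: OPENSSLDIR/cert.pem (CAfile) and OPENSSLDIR/certs (CApath).
default_capath() {
  echo "$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/certs"
}

# Constructed throw-away CA and a leaf it signs (test data, not real certificates).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$WORK/ca.key" -out "$CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$LEAF" 2>/dev/null

# What c_rehash does for one file: link it as <subject-name-hash>.<n>, so the by_dir
# lookup can find an issuer by hashing the leaf's issuer name instead of scanning files.
rehash_into() {  # rehash_into <dir> <pem>
  ln -sf "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}
# Each prints ok|fail. Only the named location can contain the constructed CA, so the
# result shows whether that lookup method found it.
verify_capath() {  # verify_capath <dir> <leaf>
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
verify_cafile() {  # verify_cafile <bundle> <leaf>
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# A CA merely copied into a directory is invisible to by_dir: the hashed link is required.
cp "$CA" "$UNHASHED/ca.pem"
rehash_into "$CERTS" "$CA"
echo "default CApath for this build: $(default_capath)"
echo "CApath, unhashed copy : $(verify_capath "$UNHASHED" "$LEAF")"   # fail
echo "CApath, after rehash  : $(verify_capath "$CERTS" "$LEAF")"      # ok
echo "CAfile, bundle        : $(verify_cafile "$CA" "$LEAF")"         # ok
```

Whether a linked tool consults the directory at all depends on it calling SSL_CTX_set_default_verify_paths (or loading a CApath explicitly); comparing the directory this script reports with the one the failing tool was built against is the first thing to check.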
