[Bug 274324] mail/fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 274324] mail/fetchmail"
Date: Sat, 07 Oct 2023 11:53:33 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274324

Michael Osipov <michael.osipov@siemens.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael.osipov@siemens.com

--- Comment #3 from Michael Osipov <michael.osipov@siemens.com> ---
Author of the mentioned commit here, let's try to find the issue together... I highly doubt that it is related to the commit because it does not use libfetch.

Looking at socket.c:
==================
tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS");
if (want_default_cacerts || (tmp && tmp[0])) {
#ifdef USING_WOLFSSL
	/* wolfSSL 5.0.0 does not implement
	 * SSL_CTX_set_default_verify_paths(). Use something
	 * else: */
	const char *tmp = WOLFSSL_TRUST_FILE;
	l1 = tmp; l2=NULL;
	if (*tmp)
		r = SSL_CTX_load_verify_locations(_ctx[sock], tmp, NULL);
#else
	r = SSL_CTX_set_default_verify_paths(_ctx[sock]);
	if (1 != r) goto no_verify_load;
#endif
}
=============
This code looks correct. You should check what is in your default trust store and what "openssl s_client -connect <target>" tells you and whether it can verify intermediate and root CAs.
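
The trust-store and s_client check suggested in the comment above, as an added shell example that is not part of the original message or of fetchmail. It assumes the `openssl` binary on PATH is the same build fetchmail links against and that the default locations are `OPENSSLDIR/cert.pem` and `OPENSSLDIR/certs`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from fetchmail). Assumes the openssl binary on PATH is the
# same build fetchmail links against and uses the stock OPENSSLDIR layout.

# Constructed excerpt of s_client output for a server whose chain cannot be
# verified (sample data, not taken from the bug report).
SAMPLE_OUTPUT='Certificate chain
 0 s:CN = mail.example.org
   i:CN = Example Intermediate CA
    Verify return code: 20 (unable to get local issuer certificate)'

# Directory compiled into OpenSSL as OPENSSLDIR.
openssl_dir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Locations SSL_CTX_set_default_verify_paths() consults; SSL_CERT_FILE and
# SSL_CERT_DIR override the compiled-in defaults.
trust_file() { echo "${SSL_CERT_FILE:-$1/cert.pem}"; }
trust_dir()  { echo "${SSL_CERT_DIR:-$1/certs}"; }

# Number of PEM certificates in a bundle; 0 if the file is missing.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Numeric "Verify return code" from s_client output on stdin (0 means ok).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Report trust store contents and the verification result for host:port.
report() {
    dir=$(openssl_dir); file=$(trust_file "$dir"); cdir=$(trust_dir "$dir")
    echo "trust file: $file ($(count_pem_certs "$file") certificates)"
    echo "trust dir:  $cdir ($(ls "$cdir" 2>/dev/null | wc -l | tr -d ' ') entries)"
    out=$(openssl s_client -connect "$1" -servername "${1%:*}" </dev/null 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    echo "verify return code: ${code:-none, handshake did not complete}"
    # Show the chain the server sent and any per-certificate verify errors.
    printf '%s\n' "$out" | grep -E '^ *[0-9]+ s:|^ +i:|^verify error' || true
}

if [ -n "${1:-}" ]; then report "$1"; fi
```

Run it with the mail server's `host:port` as the only argument. An empty trust file and directory, or a non-zero verify return code with an issuer (`i:`) that is not in the store, points at the trust store rather than at fetchmail.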