# [OpenSSL] /etc/ssl/cert.pem not honoured by default



## rhi (Nov 27, 2015)

I have a FreeBSD 10.1 installation with security/ca_root_nss installed (with ETCSYMLINK).

/etc/make.conf contains `WITH_OPENSSL_BASE="YES"`, the port (security/openssl) is not installed.

/etc/ssl/cert.pem points to /usr/local/share/certs/ca-root-nss.crt, which contains the CA certificates as expected.

When I do `openssl s_client -showcerts -host my.server -port 443`, I get "Verify return code: 20 (unable to get local issuer certificate)", i.e. the certificate can't be verified.

The same command with -CAfile `openssl s_client -CAfile /etc/ssl/cert.pem -showcerts -host my.server -port 443` works ("Verify return code: 0 (ok)").

Is there any reason why /etc/ssl/cert.pem is not honoured by default? Can I get OpenSSL to use it by default?

The problem is that net-im/ejabberd uses the default OpenSSL verification, and as far as I know, there's no possibility to specify an extra CAfile. This means that I can't use certificate validation with XMPP, which is not good…

Do you have an idea?


----------

