OpenSSL default certificate directory when IceSSL.UsePlatformCAs property is used.
I’m attempting to validate certificates on Ubuntu 20.04 using the IceSSL.UsePlatformCAs property using C++. It’s worth noting that I’m using a different distribution of OpenSSL 1.1.1f, rather than the system distribution.
Even when I copy the PEM certificate file into the directory that OpenSSL should be using by default (/usr/lib/ssl/certs on Ubuntu, as far as I can tell) and configure and run update-ca-certificates, it fails to validate the certificate. As far as I can tell, no errors are logged, even with a variety of Ice logging settings turned on.
However, when I set the SSL_CERT_DIR or SSL_CERT_FILE environment variables (i.e. running SSL_CERT_DIR=/usr/lib/ssl/certs my_program) with my PEM certificate file present in that directory or at that file, Ice successfully validates the cert.
My desired behavior is for Ice to use OpenSSL’s default certificate directory (or some other reasonable default) for certificate validation when I set UsePlatformCAs, without me needing to set any environment variables. How can I accomplish this? Is there extra OpenSSL init code I need to run? Would I need to use the system’s OpenSSL version instead?
If that isn’t possible, is there a way to find out where Ice is looking?
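
One way to see which CA file and directory an OpenSSL default-path lookup resolves to, as an added example that is not part of the original post or of Ice. It assumes the platform-CA setting ends up using OpenSSL's default verify paths, and it reads the values of the OpenSSL that Python is linked against; a separately built OpenSSL carries its own compiled-in values (`openssl version -d` run from that build prints its OPENSSLDIR). `SAMPLE_DEFAULTS` is a constructed value.

```python
import os
import re
import ssl

# In a CA directory OpenSSL opens files by subject-name hash: <8 hex digits>.<n>
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Constructed sample: compiled-in values of an OpenSSL built with its stock
# /usr/local/ssl OPENSSLDIR (an assumption; a real build reports its own).
SAMPLE_DEFAULTS = ssl.DefaultVerifyPaths(
    None, None,
    "SSL_CERT_FILE", "/usr/local/ssl/cert.pem",
    "SSL_CERT_DIR", "/usr/local/ssl/certs",
)

def effective_locations(env, defaults):
    """(cafile, capath) used for default-path lookup: a set environment
    variable replaces the compiled-in value, otherwise the default applies."""
    cafile = env.get(defaults.openssl_cafile_env, defaults.openssl_cafile)
    capath = env.get(defaults.openssl_capath_env, defaults.openssl_capath)
    return cafile, capath

def inspect_cert_dir(path):
    """Split directory entries into hash-named ones (found by the directory
    lookup) and everything else (e.g. a bare my_ca.pem, which is not)."""
    if not os.path.isdir(path):
        return {"exists": False, "hashed": [], "unhashed": []}
    names = sorted(os.listdir(path))
    hashed = [n for n in names if HASHED_NAME.match(n)]
    return {"exists": True, "hashed": hashed,
            "unhashed": [n for n in names if n not in hashed]}

if __name__ == "__main__":
    # Values for the OpenSSL this Python interpreter is linked against.
    real = ssl.get_default_verify_paths()
    for label, defaults in (("this interpreter", real),
                            ("constructed sample", SAMPLE_DEFAULTS)):
        cafile, capath = effective_locations(os.environ, defaults)
        info = inspect_cert_dir(capath)
        print(f"{label}: file={cafile} dir={capath} exists={info['exists']} "
              f"hashed={len(info['hashed'])} unhashed={len(info['unhashed'])}")
```

A directory that exists but shows only unhashed entries, or a default directory that differs from the one the certificate was copied into, would both match the symptom of validation succeeding only when SSL_CERT_DIR is set.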