openssl runtime error

[cssivision]

• use cargo run everything is ok.
• successfully built a static binary, but get a openssl issue when run the executable binary:

  The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:

[cssivision]

the openssl env is not set when use openssl as a static link library, use this library https://github.com/alexcrichton/openssl-probe fix this, i think this should write into the README when use openssl as a static link.

[cssivision]

detail in this issue, https://github.com/seanmonstar/reqwest/issues/70

[emk]

Thank you for reporting this! I think I've fixed this bug multiple times now, but it keeps breaking when OpenSSL gets updated. Honestly, I'm not going to be able to tackle this right away, but if somebody can produce a PR with a good explanation of why it's the correct solution, I'll do my best to find time to review it.

[cssivision]

run with cargo run we use openssl as a dynamic link lib, the system OpenSSL normally points the defaults to the right place.

statically linked OpenSSL to the binary (or any binary, for that matter) and we're ready to distribute it to all linux distributions, in my original intent for openssl was for HTTPS support, which implies that we need some for of CA certificate store to validate certificates. This is normally installed in a standard system location.

Unfortunately, as one might imagine, OpenSSL is configured for where this standard location is at build time, but it often varies widely per-system. Consequently, it was discovered that OpenSSL will respect the SSL_CERT_FILE and SSL_CERT_DIR environment variables in order to assist in discovering the location of this file.

If those aren't set, OpenSSL will use defaults that were set when it was compiled. use rust-musl-builder to build the static binary we don't set SSL_CERT_FILE and SSL_CERT_DIR, definitely we can't find certificates in this case. so we get the error in this issue.

in my solution, i use this crate https://crates.io/crates/openssl-probe to look in a bunch of common locations to track down the right paths, and init SSL_CERT_FILE and SSL_CERT_DIR env vars when my application start.

i try to explain..., hope this makes sense.

[cssivision]

if this is a good explanation, i will produce a PR to write this to the README.

[emk]

@cssivision OK, I understand what you're aiming for now. Thank you!

Yes, if there's a crate that application authors can use to fix this, I'd love to include documentation and maybe a short code example in the README.md file. I'll want to patch several of my own applications to use this library, too.

Thank you for figuring this out and explaining it!