openssl upgrade | fail validating certificate

I am working on a CentOS 7 machine, and I am trying to upgrade my machine's openssl version 1.0.2k -> 1.1.0l. It seems like the handshake process with my server (which didn't change) fails after the upgrade and I'm trying to figure out the cause.

Running the following command with both openssl versions:

openssl s_client -showcerts -connect server:port

Resulted in failure with the newer one (if I provide -CAfile, validation works with both). A diff of the results:

Old 1.0.2k (handshake successful):

Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

New 1.1.0l (fails handshake):

Server Temp Key: X25519, 253 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Verify return code: 20 (unable to get local issuer certificate)

I would appreciate help understanding the difference, and why they are different.

FYI, I started a similar thread here: https://stackoverflow.com/questions/68763253/openssl-upgrade-fail-validating-certificate?noredirect=1#comment121583146_68763253 without much luck.

Thanks :)


Solution 1:

On CentOS 7 you can fix this issue with the following commands as well:

# Prepare to compile
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
yum groupinstall -y "Development Tools" "Development Libraries"

# Build from source
cd /usr/src
# --no-check-certificate because of that issue: until the update finishes, your system
# will not validate the Let's Encrypt certificate at openssl.org
wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1l.tar.gz
# The TLS check above was skipped, so compare this digest with the SHA-256 published
# on openssl.org before unpacking
sha256sum openssl-1.1.1l.tar.gz
tar -zxf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l
# Point the new build at the CentOS trust store under /etc/pki/tls; a plain ./config
# uses OPENSSLDIR=/usr/local/ssl, which holds no CA bundle and therefore fails with
# "unable to get local issuer certificate" unless -CAfile is given
./config --prefix=/usr/local --openssldir=/etc/pki/tls
make
make install
# Let the runtime linker find the freshly installed libssl/libcrypto
echo /usr/local/lib > /etc/ld.so.conf.d/openssl-1.1.1.conf
ldconfig

yum install ca-certificates -y
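The verify return code 20 in the question, together with the fact that -CAfile makes the handshake succeed, points at the new binary looking for its trust store somewhere other than where CentOS keeps it, which is also what the --openssldir choice in the build above addresses. The script below is an added example and is not code from the original question or answer; it assumes OpenSSL's default lookup rules (OPENSSLDIR/cert.pem as CA file and OPENSSLDIR/certs as hashed CA directory, overridable with SSL_CERT_FILE and SSL_CERT_DIR), that `openssl version -d` prints OPENSSLDIR, and the CentOS 7 bundle path /etc/pki/tls/certs/ca-bundle.crt. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed lookup rules:
# OpenSSL takes its default CA file from OPENSSLDIR/cert.pem and its
# hashed CA directory from OPENSSLDIR/certs, with SSL_CERT_FILE and
# SSL_CERT_DIR as environment overrides. A source build defaults to
# OPENSSLDIR=/usr/local/ssl, while CentOS 7 ships its bundle under
# /etc/pki/tls, so the self-built binary finds nothing to trust.

# Print the CA file and CA directory a given OPENSSLDIR ($1) resolves to,
# honouring the same environment overrides the library honours.
resolve_trust_store() {
    _dir=$1
    printf 'cafile=%s\ncapath=%s\n' \
        "${SSL_CERT_FILE:-$_dir/cert.pem}" "${SSL_CERT_DIR:-$_dir/certs}"
}

# Return 0 when at least one usable trust source exists for OPENSSLDIR $1,
# 1 otherwise. A CA directory only counts if it holds hashed links
# (<8 hex digits>.0, as written by `openssl rehash` / c_rehash);
# an empty certs/ directory is as useless as a missing one.
trust_store_usable() {
    _dir=$1
    _cafile=${SSL_CERT_FILE:-$_dir/cert.pem}
    _capath=${SSL_CERT_DIR:-$_dir/certs}
    [ -s "$_cafile" ] && return 0
    for _f in "$_capath"/*.0; do
        [ -e "$_f" ] && return 0
    done
    return 1
}

# Diagnose the openssl binary first in PATH: read OPENSSLDIR from
# `openssl version -d` and report whether certificate verification is
# going to fail with verify return code 20 for lack of a trust store.
# Always returns 0; the verdict is in the output (or in trust_store_usable).
diagnose_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH"
        return 0
    fi
    _dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "openssl binary : $(command -v openssl) ($(openssl version))"
    echo "OPENSSLDIR     : $_dir"
    resolve_trust_store "$_dir"
    if trust_store_usable "$_dir"; then
        echo "trust store    : usable"
    else
        echo "trust store    : MISSING, expect 'unable to get local issuer certificate' (code 20)"
        echo "workaround     : export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt   # assumed CentOS 7 path"
        echo "permanent fix  : rebuild with ./config --openssldir=/etc/pki/tls"
    fi
    return 0
}

diagnose_openssl
```

Run it once with the system binary and once with the new one in front of PATH (for example `PATH=/usr/local/bin:$PATH sh check_trust_store.sh`); the two OPENSSLDIR lines usually explain the difference between the two s_client transcripts on their own. The SSL_CERT_FILE workaround is worth keeping in mind for other programs linked against the new libssl, since they inherit the same default and the same failure.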