[openssl-dev] [openssl.org #4510] SSL certificate problem: unable to get local issuer certificate. Bug?

Sat, 07 May 2016 06:38:18 -0700 

On Fri May 06 22:37:55 2016, [email protected] wrote:
> Hello Steve,
>
> *If I do not indicate the location of the cert*
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect
> > www.googleapis.com:443
> > CONNECTED(00000088)
> > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> > verify error:num=20:unable to get local issuer certificate
> > ---

OK we get an error above which is expected.

> > Verify return code: 20 (unable to get local issuer certificate)
>

And confirmed above.

>
> *I point to the the newest cert*
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile
> > 'C:\xampp\php\cacert.pem' -connect www.googleapis.com:443
> > CONNECTED(000000D8)
> > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> > verify return:1
> > depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> > verify return:1
> > depth=0 C = US, ST = California, L = Mountain View, O = Google Inc,
> > CN = *.
> > googleapis.com
> > verify return:1

No error.

> > Verify return code: 0 (ok)
>

And similarly above no error.

>
> *When I point to the old cert*
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile
> > 'C:\xampp\php\cacert_old.pem' -connect www.googleapis.com:443
> > CONNECTED(00000140)
> > depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate
> > Authority
> > verify return:1
> > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> > verify return:1
> > depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> > verify return:1
> > depth=0 C = US, ST = California, L = Mountain View, O = Google Inc,
> > CN = *.
> > googleapis.com
> > verify return:1

Again no error.

> > Verify return code: 0 (ok)
> >
> >
>

And again confirmed above.

It looks like with s_client it is working in both the old and new cases.

So I'm not sure what the problem is: it doesn't seem to be an issue with
OpenSSL though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4510
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to