The one that fails is using the default CAfile and CApath. The ones that work
specify
-CAfile C:\xampp\php\cacert.pem
Maybe the default locations are out of date?
Also, CApath: "This directory must be in "hash format""
Are the hashes correct?

On 5/7/2016 8:37 AM, Stephen Henson via RT wrote:
On Fri May 06 22:37:55 2016, [email protected] wrote:
Hello Steve,

*If I do not indicate the location of the cert*


PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect www.googleapis.com:443
CONNECTED(00000088)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---

OK we get an error above which is expected.

Verify return code: 20 (unable to get local issuer certificate)


And confirmed above.


*I point to the newest cert*


PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile 'C:\xampp\php\cacert.pem' -connect www.googleapis.com:443
CONNECTED(000000D8)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.googleapis.com
verify return:1

No error.

Verify return code: 0 (ok)


And similarly above no error.


*When I point to the old cert*


PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile 'C:\xampp\php\cacert_old.pem' -connect www.googleapis.com:443
CONNECTED(00000140)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.googleapis.com
verify return:1

Again no error.

Verify return code: 0 (ok)




And again confirmed above.

It looks like with s_client it is working in both the old and new cases.

So I'm not sure what the problem is: it doesn't seem to be an issue with
OpenSSL though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


--

 Douglas E. Engert  <[email protected]>

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
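
Added example (not part of the original thread and not OpenSSL project code): a PowerShell check of the default CAfile/CApath locations and of the "hash format" file names raised in the reply above. It assumes openssl.exe is in the current directory and that SSL_CERT_DIR, if set, names a single directory.

```powershell
# Added example, not from the thread. Assumption: openssl.exe is in the
# current directory; pass -OpenSsl to point elsewhere.
param([string]$OpenSsl = '.\openssl.exe')

# 'openssl version -d' prints a line such as: OPENSSLDIR: "C:\some\dir"
$line = & $OpenSsl version -d
if ("$line" -match 'OPENSSLDIR:\s*"(.*)"') { $dir = $Matches[1] }
else { throw "Unexpected 'version -d' output: $line" }

# Built-in defaults are OPENSSLDIR\cert.pem and OPENSSLDIR\certs; the
# SSL_CERT_FILE and SSL_CERT_DIR environment variables override them.
$caFile = if ($env:SSL_CERT_FILE) { $env:SSL_CERT_FILE } else { Join-Path $dir 'cert.pem' }
$caPath = if ($env:SSL_CERT_DIR)  { $env:SSL_CERT_DIR }  else { Join-Path $dir 'certs' }
"Default CAfile: $caFile (exists: $(Test-Path $caFile))"
"Default CApath: $caPath (exists: $(Test-Path $caPath))"
if (-not (Test-Path $caPath -PathType Container)) { return }

# CApath lookups go by file name <subject_hash>.<n>; a certificate stored
# under any other name is never found. OpenSSL 1.0.0 changed the hash
# algorithm, so names produced by an older c_rehash are also missed.
Get-ChildItem $caPath -File | ForEach-Object {
    $new = & $OpenSsl x509 -in $_.FullName -noout -subject_hash 2>$null
    if ($LASTEXITCODE -ne 0) { "SKIP     $($_.Name) (no PEM certificate)"; return }
    $old = & $OpenSsl x509 -in $_.FullName -noout -subject_hash_old 2>$null
    if     ($_.Name -match ('^' + $new + '\.\d+$')) { "OK       $($_.Name)" }
    elseif ($_.Name -match ('^' + $old + '\.\d+$')) { "OLD-HASH $($_.Name) (this build expects $new.<n>)" }
    else   { "UNHASHED $($_.Name) (this build looks for $new.<n>)" }
}
```

A missing default CAfile together with a missing or unhashed CApath leaves the client with no trust anchors, which produces verify error 20 as in the first s_client run quoted above.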
