clatter

Reputation: 33

Discrepancy between openssl verify and s_client command

Running on Ubuntu 14.04 with OpenSSL 1.0.1l:

openssl s_client -CApath /etc/ssl/certs -showcerts -connect www.google.com:443

Returns:

Verify return code: 0 (ok)

However, running:

openssl verify -CApath /etc/ssl/certs/ google_chain.pem

where google_chain.pem is the output of the s_client command above, returns:

google_chain.pem: C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
error 20 at 0 depth lookup:unable to get local issuer certificate

Can someone explain this discrepancy? It seems to me that the openssl verify command is just ignoring the -CApath parameter.

Upvotes: 3

Views: 818

Answers (1)

zakjan

Reputation: 2559

openssl verify doesn't expect the certificate to contain its chain. The chain needs to be passed with the -untrusted argument. You can pass the same file there; trust is still determined by finding a trusted root in -CAfile/-CApath.

openssl verify -CApath /etc/ssl/certs -untrusted google_chain.pem google_chain.pem

Upvotes: 4
