> On Sep 6, 2016, at 11:53 AM, John Unsworth <john.unswo...@synchronoss.com> 
> wrote:
> 
> I have noticed the following behaviour:
>  
> 1. Create a certificate file with two CA certificates, one for the server 
> being connected to (server A) and one for another server (server B).
> 2. Whichever way the CA certificates are ordered, the connect works OK.
> 3. Add a self-signed CA certificate in the file before the one for server A. 
> The connect fails with ‘Verify return code: 21 (unable to verify the first 
> certificate)’.
> 4. Move the self-signed CA certificate after the one for server A. The connect 
> works OK.
>  
> Why should the self-signed certificate affect the connection when the 
> required CA certificate is in the certificate file? Is this a bug?

You've provided much too little detail for a meaningful answer.

Post the server chain being validated as reported by

   $ openssl s_client -showcerts -connect <server>:443 > chain.pem
   $ openssl crl2pkcs7 -nocrl -certfile chain.pem |
     openssl pkcs7 -print_certs

and all three CA certificates.  Do not post any of the private keys.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
