with "OpenSSL 1.0.1e 11 Feb 2013" on my gentoo linux x64 system, I have trouble connecting to www.sparkasse-ruegen.de
~~~~~~~~~~~~~~~~~~~~ $ openssl s_client -connect www.sparkasse-ruegen.de:443 -CApath /etc/ssl/certs CONNECTED(00000003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.2= /1.3.6.1.4.1.311.60.2.1.1=Stralsund/businessCategory=Private Organization/serialNumber=HRA 1076/C=DE/ST=Mecklenburg-Vorpommern/L=Bergen auf Ruegen/O=Sparkasse Ruegen/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.sparkasse-ruegen.de i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIGRzCCBS+gAwIBAgIQIDmXW/j1m6DkGV+nYh4SPzANBgkqhkiG9w0BAQUFADCB ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x MjAyMjMwMDAwMDBaFw0xMzEyMDEyMzU5NTlaMIIBMzETMBEGCysGAQQBgjc8AgED EwJERTESMBAGCysGAQQBgjc8AgECFAEgMRowGAYLKwYBBAGCNzwCAQEUCVN0cmFs c3VuZDEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdhbml6YXRpb24xETAPBgNVBAUTCEhS QSAxMDc2MQswCQYDVQQGEwJERTEfMB0GA1UECBQWTWVja2xlbmJ1cmctVm9ycG9t bWVybjEaMBgGA1UEBxQRQmVyZ2VuIGF1ZiBSdWVnZW4xGTAXBgNVBAoUEFNwYXJr YXNzZSBSdWVnZW4xMzAxBgNVBAsUKlRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNp Z24uY29tL3JwYSAoYykwNTEgMB4GA1UEAxQXd3d3LnNwYXJrYXNzZS1ydWVnZW4u ZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbeoVjj+ybd9CVIDuv Q9yIhlwRzDGImKZDagAIpxgC0OHQdYYSytwmr2hL6Mazea8VexWFwGK+YJBOf/Og ccP8y+ys+8l2yqU7cc5Z5k+s59DHuz8+FPkA/zDFTW+9E9lu/NeeZ5wSmRjuMWWT L8jaiy/enAfk2DbcUeivhkaAVUcn83jKznxvJvYLtQndL6MAfDWCAkurUilWeZoo hC7l4O+uusMuZO0wEkLRGi/HF5jit4Op16dERVrwk4PjSo7q2qyYmgBmZb8GuBLw 9x9jlukOBIRjWAGhyx8UCuJUEOQBY8ME9WCD8oi1N44XfLYW77cxceypN5sp/0m3 oqD9AgMBAAGjggHLMIIBxzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBCBgNVHR8E OzA5MDegNaAzhjFodHRwOi8vRVZTZWN1cmUtY3JsLnZlcmlzaWduLmNvbS9FVlNl Y3VyZTIwMDYuY3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwYwKjAoBggrBgEF BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHSUEFjAUBggr BgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU/IpQup65JVp7VYVPlQBjj+lY a0MwcwYIKwYBBQUHAQEEZzBlMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJp c2lnbi5jb20wPQYIKwYBBQUHMAKGMWh0dHA6Ly9FVlNlY3VyZS1haWEudmVyaXNp Z24uY29tL0VWU2VjdXJlMjAwNi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgw VhYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgw JhYkaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3 DQEBBQUAA4IBAQAzaUcauZ7XRFOTotn/5pXsEi9FFRi+oPu/ebjvogPQhTp/ymMc 8G5XsUmETNEaGf/RES2yv7HZjG8cW67O9O7eusyUqXfclEKZR3Wz3jheiMQ1RYZJ Fy6nYRS0XX+FNe5XLou+R1ddesMA4JQMB+3L459aEUdrQwcKvbjDhiVxd+eLhUk6 puK62bY5N0QKrfFkOrB7LJxElDTbEKGsyhU7Jo9VHoo9JVoWkfLloJSMuQJ8T6Dh u5HpeUSc9qlkBLLvwIijdwfiy73l9UBZAD8zFNpUyL6izTyK6RffGYrcVYuhaYfU S4WurnXoQxBqKNxo4j8xZPL5A3MRiipBQyDR -----END CERTIFICATE----- subject=/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.2= /1.3.6.1.4.1.311.60.2.1.1=Stralsund/businessCategory=Private Organization/serialNumber=HRA 1076/C=DE/ST=Mecklenburg-Vorpommern/L=Bergen auf Ruegen/O=Sparkasse Ruegen/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.sparkasse-ruegen.de issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA --- No client certificate CA names sent --- SSL handshake has read 4633 bytes and written 680 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES256-SHA256 Session-ID: 94256AA806CB93BCC0E449E1384A59624125AFDE81801FCC38E4E40921DDA4FB Session-ID-ctx: Master-Key: 97D446EC189ED2D60A2D0395F1B4D6D0844EE6C718A142F993F28BDD2C5AAE3DB739195CCA8E057F9C46DA1086A1F20F Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1373976410 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- ~~~~~~~~~~~~~~~~~~~~ after downgrading to "OpenSSL 1.0.0e 6 Sep 2011" I get .... Verify return code: 0 (ok) and it works. As this works with openssl-1.0.0 and does no longer work with 1.0.1, I suspect this is a bug. NOTE: but using openssl-1.0.1 and connecting to google still works $ openssl s_client -connect www.google.de:443 -CApath /etc/ssl/certs ... Verify return code: 0 (ok) ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
