On Thu, 2009-05-21 at 22:44 +0100, David Woodhouse wrote:
> I'm trying to connect to an HTTPS server, and my connection is being
> rejected when I use a client certificate:
> [dw...@macbook ~]$ openssl s_client -cert $CERT -connect $SERVER:443 -crlf -tls1
> CONNECTED(00000003)
> depth=1 /C=US/O=Foo Corporation/CN=Foo Intranet Basic Issuing CA 2A
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> 24620:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

I've discovered that it works if I also use the '-CAfile' option and give
it the appropriate certificate chain. If I use an empty CAfile or one
with the wrong certificates in it, the server still hates me.

But NSS can connect without having to have the certificate chain in
place locally. Is there a way to make OpenSSL behave similarly, so that
it doesn't upset the server?

--
dwmw2

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org