Bruce Stephens wrote:
> Bruce Stephens <bruce.steph...@isode.com> writes:
>
>> "Dr. Stephen Henson" <st...@openssl.org> writes:
>>
>> [...]
>>
>>> Is that unmodified OpenSSL 0.9.8o? If so that's peculiar I get the expected
>>> error here.
>>
>> No, it's Debian's 0.9.8o-2.
>
> Ah, my fault. Obvious in retrospect: Debian's openssl finds the root
> cert because it's in the ca-certificates package!

Did you use -CAfile as in my original posting when testing? Doesn't -CAfile set exclusively all trusted CA certs? So the pre-installed CA certs should not be used as trust anchors in this case.

Frankly this cert verification stuff seems really odd to me and the exact behaviour seems to be largely unknown.

Ciao, Michael.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org