Hrm, I've worked out why this was failing with 1.0.1c; the symlink for the VeriSign Class 3 G5 root was missing from that repo's CApath. This doesn't entirely explain why the same exact sequence of commands verifies successfully on a machine with openssl 0.9.8o...
On 9 July 2012 16:59, Peter Eckersley <peter.eckers...@gmail.com> wrote:
> Here's a series of commands:
>
> git clone https://git.eff.org/public/observatory.git
> cd observatory
>
> # get the server response for twitter.com
> ./scan/FasterCertificateGrabber.py twitter.com
>
> # split it into component PEM certs
> ./inspect twitter.com.results
> cd certs
>
> # now try to verify it. Note that "allcerts" was a poorly chosen
> # directory name. It should have been allCAs...
>
> openssl verify -untrusted twitter.com.results_2.pem -CApath ../allcerts/ twitter.com.results_1.pem
>
> # with openssl 0.9.8*, the above command will print
> # twitter.com.results_1.pem: OK
> #
> # but with 1.0.1c, it gives:
> # twitter.com.results_1.pem: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
> # error 20 at 1 depth lookup:unable to get local issuer certificate
>
> --
> Peter

--
Peter
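The version split in the thread, reproduced offline as an added example (my script, not code from the EFF Observatory repo or from either message): an `openssl verify -CApath` lookup opens files named `<subject-hash>.0`, `<subject-hash>.1`, ... in the directory, and OpenSSL 1.0.0 changed the subject-name hash that produces those names. A CApath whose symlinks were made by 0.9.8's c_rehash therefore resolves the root on a 0.9.8 binary and gives "error 20 at 1 depth lookup" on 1.0.1c, exactly as if the link were missing. The script assumes a POSIX shell and an `openssl` binary of 1.0.0 or later on PATH (it needs `-subject_hash_old`); the root/intermediate/leaf certificates, their names, and the `WORK` scratch directory are constructed for the demonstration and are not real CA material.

```shell
#!/bin/sh
# Added example; not code from the EFF Observatory repo or from the thread.
# Builds a constructed root -> intermediate -> leaf chain and runs the same
# `openssl verify -untrusted ... -CApath ...` as the thread against three
# CApath directories: one with no link for the root, one with the root linked
# under the pre-1.0.0 (MD5-based) subject hash, and one linked under the
# hash the running OpenSSL (1.0.0 or later) actually looks up.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumption: absolute, space-free scratch dir
CNF="$WORK/req.cnf"

# Minimal req/x509 config for the constructed chain.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
EOF

# Generate root.pem (self-signed), int.pem (signed by root) and leaf.pem
# (signed by int). Keys are throwaway 2048-bit RSA, certs valid for 30 days.
make_chain() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -config "$CNF" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Constructed Test Root" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
        -extfile "$CNF" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=leaf.example" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -days 30 \
        -extfile "$CNF" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
}

# CApath lookups open <hash>.0, <hash>.1, ... where <hash> is the subject-name
# hash. 1.0.0 changed that hash; -subject_hash_old prints the 0.9.8 value.
new_hash() { openssl x509 -in "$1" -noout -subject_hash; }
old_hash() { openssl x509 -in "$1" -noout -subject_hash_old; }

# Symlink a root into a CApath dir under a given hash (what c_rehash does).
link_root() {   # $1 = root cert (absolute path), $2 = CApath dir, $3 = hash
    mkdir -p "$2"
    ln -sf "$1" "$2/$3.0"
}

# The verify from the thread. Prints OK, or the error-20 text on failure.
verify_leaf() { # $1 = leaf, $2 = untrusted intermediate, $3 = CApath dir
    if out=$(openssl verify -untrusted "$2" -CApath "$3" "$1" 2>&1); then
        echo OK
    else
        echo "$out" | grep -o 'unable to get local issuer certificate' \
            || echo "FAIL: $out"
    fi
}

make_chain
mkdir -p "$WORK/capath_empty"
ROOT="$WORK/root.pem"
link_root "$ROOT" "$WORK/capath_old" "$(old_hash "$ROOT")"
link_root "$ROOT" "$WORK/capath_new" "$(new_hash "$ROOT")"

echo "0.9.8 hash: $(old_hash "$ROOT")   1.0.0+ hash: $(new_hash "$ROOT")"
echo "no link for root : $(verify_leaf "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/capath_empty")"
echo "old-hash link    : $(verify_leaf "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/capath_old")"
echo "current-hash link: $(verify_leaf "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/capath_new")"
```

On a 1.0.0-or-later binary the first two verifies fail with the thread's "unable to get local issuer certificate" and only the directory linked under the current hash gives OK; the same old-hash directory would verify fine under 0.9.8, which is the asymmetry the thread describes. The practical check when a chain verifies on one machine and not another is to compare `openssl x509 -noout -subject_hash` of the root against the link names in the CApath, and to rehash the directory with the c_rehash that ships with the OpenSSL doing the verifying.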