>From: owner-openssl-us...@openssl.org On Behalf Of David Hinkle
>Sent: Monday, 21 January, 2013 19:48
>
>So I've got my ssl client working pretty well. It does great with
>most websites, but some of them it doesn't verify the certificate chain
>for, returning the above error. The CA root cert in question is in
>the certificate store, and the server isn't actually sending the root
>so I'm pretty sure that openssl has even found it in the store and is
>trying to verify it. I've pasted the details below of a certificate
>that is working (Equifax) and one that isn't (Verisign). The only clue
>that I have is that the Verisign cert doesn't have any extensions on it.
>Maybe by default the openssl library is requiring the cert to be configured
>to be able to sign other certs? If this is true, what can I do?
>Any guidance or ideas appreciated. I'm not sure what to do next.

*If* an issuing cert has KeyUsage extension it must include certSign, but if the extension is absent (and all extensions are absent in v1) it is allowed for backward compatibility. I do this in test almost all the time because it's quicker to set up.

How are you sure of your other statements above? As I read the code, verify 19 occurs only if the peer *does* send the root and it is *not* found in the local truststore.

Is your truststore in OpenSSL's default format (CAfile and/or CApath) or can it be converted to that? If so, try command-line s_client which will show you the cert chain (and callback steps). (Even without any truststore it will show you the chain.)

Are you sure you have the *correct* Verisign root? There are about a dozen published Verisign roots many of which have very similar -- but not identical -- names. They are not interchangeable, although in at least one case I looked at there is a "bridge" cert to (optionally and alternatively) chain a newer root to an older.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
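The distinction the reply draws (verify error 19 only when the peer sends a self-signed root that the local truststore lacks, versus error 20 when no issuer is available at all, and a root being acceptable without any KeyUsage extension) can be reproduced offline with throwaway certificates. This is an added example, not code from the thread; the subjects, file names and the `openssl` CLI invocations are constructed assumptions and the script needs only a working `openssl` binary with its default config.

```sh
#!/bin/sh
# Reproduce the verify outcomes the reply describes with constructed certs.
set -e
WORK=$(mktemp -d)

# Constructed root CA, a leaf it signs, and an unrelated root that stands in
# for a truststore which does not contain the real issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# verify_code CAFILE UNTRUSTED LEAF
# Prints the X509 verify error number openssl reports, or 0 when the chain is OK.
# UNTRUSTED plays the part of the certificates the peer sends in the handshake.
verify_code() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

# key_usage_of CERT
# Prints the KeyUsage bits of CERT, or "(absent)" when the extension is missing,
# which is what a v1 root with no extensions at all looks like.
key_usage_of() {
    ku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//')
    [ -n "$ku" ] && echo "$ku" || echo "(absent)"
}

# Root in the truststore: verification succeeds (0).
echo "root trusted:           $(verify_code "$WORK/root.pem" "$WORK/root.pem" "$WORK/leaf.pem")"
# Peer sends the root, truststore lacks it: error 19 (self signed cert in chain).
echo "root sent, not trusted: $(verify_code "$WORK/other.pem" "$WORK/root.pem" "$WORK/leaf.pem")"
# Peer does not send the root and truststore lacks it: error 20 (no local issuer).
echo "root absent everywhere: $(verify_code "$WORK/other.pem" "$WORK/other.pem" "$WORK/leaf.pem")"
# Whether the constructed root carries a KeyUsage extension at all.
echo "KeyUsage on test root:  $(key_usage_of "$WORK/root.pem")"
```

Pointing `verify_code` at a real CAfile and the chain captured from `openssl s_client -showcerts` gives the same error number the client sees in its verify callback, which is a quick way to tell the two cases apart.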