That is what I have when I don't include the intermediate in the command:

openssl s_client -connect 10.10.10.10:443 -verify 5 -state -showcerts
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
verify error:num=21:unable to verify the first certificate
verify return:1

And this one when I include the two intermediates in cacerts.pem:

openssl s_client -connect 10.10.10.10:443 -verify 5 -CAfile cacerts.pem -showcerts
verify depth is 5
CONNECTED(00000003)
depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA

On Tue, May 21, 2013 at 7:26 PM, Wim Lewis <w...@omnigroup.com> wrote:
>
> On 21 May 2013, at 5:02 PM, Jorge Ventura wrote:
>> Because the client trusts the connection when I inform the
>> intermediate, I suppose the server is not sending the intermediate,
>> only the first certificate in the chain and in this case the command
>> fails.
>
> That is a reasonable conclusion. You can check for sure using the
> "-showcerts" option to openssl s_client.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
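
Added example (not part of the original thread, and not OpenSSL project code): a Python parser for the "Certificate chain" section of openssl s_client -showcerts output that reports how many certificates the server sent and which issuer the client has to supply from its own CA file. The sample outputs are constructed from the names in the thread with shortened DNs; parse_chain and diagnose are hypothetical helper names.

```python
import re

ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer DN>"

def parse_chain(output):
    """Return [(depth, subject, issuer)] for the certificates the server sent."""
    chain, in_chain, pending = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break                             # end of the chain section
        elif in_chain and (m := ENTRY.match(line)):
            pending = (int(m.group(1)), m.group(2).strip())
        elif in_chain and pending and (m := ISSUER.match(line)):
            chain.append(pending + (m.group(1).strip(),))
            pending = None
    return chain

def diagnose(chain):
    """Report what was sent and which issuer the client must already hold."""
    if not chain:
        return {"sent": 0, "ordered": False, "missing_issuer": None}
    # DN string comparison is a heuristic; real verification checks signatures.
    ordered = all(chain[k][2] == chain[k + 1][1] for k in range(len(chain) - 1))
    _, subject, issuer = chain[-1]
    # A self-issued last certificate is a root; otherwise its issuer was not sent.
    return {"sent": len(chain), "ordered": ordered,
            "missing_issuer": None if subject == issuer else issuer}

# Constructed sample outputs (names reused from the thread, DNs shortened).
LEAF_ONLY = """---
Certificate chain
 0 s:/C=US/O=ACME, INC/CN=www.acme.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---"""
WITH_INTERMEDIATE = """---
Certificate chain
 0 s:/C=US/O=ACME, INC/CN=www.acme.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---"""
if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(name, diagnose(parse_chain(text)))
```

When "sent" is 1 and "missing_issuer" names an intermediate CA, clients that do not already hold that intermediate fail with the verify errors 20 and 21 shown in the first run above.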